Amid heightened panic over the coronavirus, the FormBook Trojan is being spread through emails that impersonate the World Health Organization and refer to the COVID-19 outbreak.
This comes after other phishing campaigns distributing AZORult and Emotet took advantage of the public health emergency and preyed on individuals in the United States and UK.
FormBook is an information-stealing Trojan that injects code into targeted applications in order to intercept network requests, implement a key-logger, harvest user data and passwords, take screenshots, and execute C&C commands.
These emails carry a ZIP file presented as information regarding the latest “Coronavirus Updates”, with the email opening in a browser and displaying the full content. The email prompts the recipient to view the attached MY-HEALTH.PDF for “the simplest and fastest ways to take of your health and protect others”. The ZIP file, however, contains an executable labelled MyHealth.exe, which is the malware downloader GuLoader, discovered by MalwareHunter. GuLoader then injects the malware into the legitimate Windows wininit.exe process to evade detection.
Those infected with this malware risk identity theft and compromise of their online banking credentials, as well as of other password-protected accounts and personal information, making data security and protection a major concern.
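A mail-gateway style check for the attachment trick described above, added here as an example and not taken from the original article: it inspects each ZIP member by extension and by PE header instead of trusting the file name the email advertises. The function names and extension list are assumptions, and the sample archives are constructed, harmless stand-ins.

```python
import io
import os
import zipfile

# Extensions Windows runs directly (assumed subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like executable content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be checked
                findings.append({"member": name, "reasons": ["encrypted, not inspected"]})
                continue
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                magic = member.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            if magic == b"MZ":  # DOS/PE header, whatever the name claims
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the stub is "MZ" plus padding, not a working program.
STUB = b"MZ" + b"\x00" * 62
LURE_ZIP = build_sample({"MyHealth.exe": STUB})      # name used in this campaign
RENAMED_ZIP = build_sample({"MY-HEALTH.PDF": STUB})  # same bytes behind a PDF name
CLEAN_ZIP = build_sample({"advice.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)):
        print(label, scan_zip_attachment(blob))
```

The header check is what catches a payload renamed to match the PDF the email promises; the extension check alone would pass it.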
The World Health Organization has released a statement regarding cyber security, urging those affected to report any scams impersonating the organization.
The World Health Organization will:
never ask you to login to view safety information
never email attachments you didn’t ask for
never ask you to visit a link outside of www.who.int
never charge money to apply for a job, register for a conference, or reserve a hotel
never conduct lotteries or offer prizes, grants, certificates or funding through email
never ask you to donate directly to emergency response plans or funding appeals.
Beware that criminals use email, websites, phone calls, text messages, and even fax messages for their scams.
You can verify if communication is legit by contacting WHO directly.
For more information on the outbreak please visit this link provided by The World Health Organization.