Hackers Use WHO's Name To Deliver FormBook Malware Through Emails

The coronavirus (COVID-19) outbreak is still spreading. Although China reports fewer cases, other countries are still struggling with the virus.

After earlier reports that hackers piggybacked on coronavirus trends to spread their malicious campaigns, they are again using the World Health Organization (WHO) name to spread another kind of malware.

In an email campaign, hackers distribute a malware downloader that installs the FormBook information-stealing trojan.

These emails state that they are from WHO with information about the latest "Coronavirus Updates."

The email body does not display properly in a mail client. Instead, the message prompts recipients to view it in a browser, supposedly so that the content renders correctly.

And this is where things go malicious.

The emails contain a ZIP file attachment. When a potential victim, worried about the coronavirus disease, unzips the attachment and opens the file inside, it installs a downloader on the victim's computer.

To entice victims into opening the attachment, the email refers to an attached file named MY-HEALTH.PDF containing "the simplest and fastest ways to take of your health and protect others". The attachment actually contains an executable named MyHealth.exe, which the malware distributors are trying to pass off as the PDF file mentioned in the email.
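A defender-side triage check for the kind of archive described above, added here as an example and not part of the original article or of any named vendor's tooling: it opens a ZIP attachment without extracting it and flags members with an executable extension, members whose bytes begin with a PE header despite a document-style name, and .pdf members that lack the PDF magic. The sample archive, the extra member names MyHealth.pdf and notes.txt, and all member contents are constructed stand-ins, not the campaign's files.

```python
import io
import zipfile

# Extensions Windows will run directly; the campaign shipped "MyHealth.exe"
# while the email talked about a "MY-HEALTH.PDF".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"        # DOS stub that opens every Windows PE file
PDF_MAGIC = b"%PDF-"    # header every PDF starts with


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_attachment(zip_bytes):
    """Return (member name, reason) findings for a ZIP attachment.

    Flags: (1) an executable extension, (2) a PE header under a
    non-executable name, (3) a .pdf name without the PDF magic.
    Only the first 8 bytes of each member are read; nothing is extracted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            with zf.open(info) as member:
                head = member.read(8)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension"))
            elif head.startswith(PE_MAGIC):
                findings.append((info.filename, "PE header under non-executable name"))
            if ext == ".pdf" and not head.startswith(PDF_MAGIC):
                findings.append((info.filename, "pdf extension without PDF magic"))
    return findings


def build_sample_zip():
    """Constructed archive mimicking the campaign's layout; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MY-HEALTH.PDF", b"%PDF-1.4 constructed benign document")
        zf.writestr("MyHealth.exe", b"MZ\x90\x00 constructed stand-in for a PE")
        zf.writestr("MyHealth.pdf", b"MZ\x90\x00 constructed PE renamed as a PDF")
        zf.writestr("notes.txt", b"plain text, nothing to flag")
    return buf.getvalue()
```

Running `scan_attachment(build_sample_zip())` reports the .exe once and the renamed PE twice, while the genuine PDF and the text file produce no findings.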

According to MalwareHunterTeam, who discovered this spam campaign, the executable is a malware downloader called 'GuLoader'.

When executed, the downloader fetches an encrypted file from Google Drive, decrypts it, and injects the resulting malware into the legitimate Windows wininit.exe process to evade antivirus detection.

The downloaded malware is the FormBook information-stealing trojan.

According to a 2017 FireEye blog post, once installed this trojan can steal whatever users copy to the Windows clipboard, log whatever is typed on the keyboard, and steal browsing data as victims surf the web.

Image caption: The email hackers sent to potential victims, urging them to download and execute the attachment.

"The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords."

As fear of the coronavirus continues, hackers keep piggybacking on the trend for their own benefit.

To avoid becoming victims, people should never open attachments unless they can confirm the sender.

The WHO acknowledges these hacking campaigns and has issued an alert to be on the lookout for criminals trying to impersonate it. WHO said that it will:

  • Never ask for login information to view safety information.
  • Never email attachments people didn’t ask for.
  • Never ask people to visit a link outside of www.who.int.
  • Never charge money to apply for a job, register for a conference, or reserve a hotel.
  • Never conduct lotteries or offer prizes, grants, certificates or funding through email.
  • Never ask people to donate directly to emergency response plans or funding appeals.

Published: 09/03/2020