Another WHO fake: e-book on Covid-19 used to lure phishing victims

News by Chandu Gopalakrishnan

"The internet doesn't care about you." Yet another Covid-19-themed phishing campaign uses the World Health Organisation (WHO) as a guise

Researchers have discovered yet another Covid-19 (Coronavirus)-themed phishing campaign that uses the World Health Organisation (WHO) as a guise. This time, the global healthcare authority’s name is used as a lure to trick people into downloading a fake e-book that carries an infostealer, found Malwarebytes researchers.

The recipient is prompted to download the fake e-book, named My-Health, from the attached zip file. However, the zip file only contains VB6 downloader GuLoader, that stores the infostealing trojan FormBook.

“Victims that execute the attachment will get infected with a first stage payload called GuLoader. This is a newer threat whose purpose is to download and install the final malware component which it does by retrieving it from Google Drive. The malware will then attempt to steal data from victims, for example credentials stored in browsers and other applications before exfiltrating them back to the command and control server maintained by the criminals,” Jérôme Segura, director of threat intelligence at Malwarebytes, told SC Media UK.

“There are several campaigns impersonating the WHO at the moment but this one was probably the most convincing we have seen so far, and, based on our spam collectors, had a wide distribution,” he said

GuLoader is a portable executable (PE) file that is often observed embedded in a container file such as an .iso or .rar file, said Proofpoint threat research report published earlier this month.

It is used predominantly to download remote access Trojans (RATs) and information stealers such as Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.

The visually-compelling email has enough clues that show the user it is not legitimate, including incorrectly hyphenating the name as Corona-virus, odd uses of capital letters and some poor grammar.

“GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors,” said the Malwarebytes report.

Researchers at MalwareHunterTeam earlier discovered a similar phishing scam that pretends to offer Covid-19 information from the WHO in order to distribute FormBook trojan using GuLoader downloader. The email lure offered a chance to obtain a “World Bank Corona Grant” along with health advice.

Segura told SC Media UK that Malwarebytes traced the campaign to a threat actor who used other similar lures. However, he dismissed the notion that the threat actor was state-sponsored.

While it is unfortunate that cyber-criminals are preying on people’s concerns at this time, threats like these can be countered by avoiding downloads or apps from unverified sources and sticking to trusted channels, said Javvad Malik, security awareness advocate at KnowBe4.

“For employees working from home, this can be an even bigger issue especially if phishing emails are opened on work machines or malicious apps inadvertently downloaded onto corporate phones. Therefore, organisations should provide timely and reliable security awareness and training and provide ways through which employees can easily and conveniently report any suspicious activity," he explained.

Foreseeing such attacks, WHO last month warned that users must verify the authenticity of persons or organisations contacting them on WHO’s behalf.

In the alert, WHO assured that it will never ask for your username or password to access safety information; never email attachments you didn’t ask for; never ask you to visit a link outside of www.who.int; never charge money to apply for a job, register for a conference, or reserve a hotel; and never conduct lotteries or offer prizes, grants, certificates or funding through email.

However, in times of unprecedented crisis such as these, it is very difficult to convince people that the internet is the biggest threat to their safety apart from the virus itself, noted Brian Higgins, security specialist at Comparitech.com.

“My advice would be to stick to your favourite, trusted sites and networks. The ‘delete’ button is everyone’s first and best defence against cyber-criminals as we deal with Covid-19. Delete anything new and unexpected. Don’t surf the web. Pick up the phone or read a book instead. The internet doesn’t care about you. People do.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews