Cybercriminals Using WHO Alias For Phishing Campaign

Summary

In yet another scam perpetrated by cybercriminals, the guise of being the World Health Organization has popped up again. Malwarebytes has uncovered a phishing scam that is similar to a previously discovered malspam campaign reported by the MalwareHunterTeam.

Credit:

The information has been provided by the Threat Intelligence Team and Dave Bales.

The original article can be found at: https://exchange.xforce.ibmcloud.com/collection/Cybercriminals-Using-WHO-Alias-For-Phishing-Campaign-8b845ba8a35732542582e8cdaad3d969

The original article can be found at: https://blog.malwarebytes.com/social-engineering/2020/03/cybercriminals-impersonate-world-health-organization-to-distribute-fake-coronavirus-e-book/


Details
Overview
Malspam campaigns that use the coronavirus as a theme seem to be the new normal for cybercriminals, and the latest one, which poses as a message from the WHO, is not unique either. This campaign, along with another, is distributed using GuLoader. The email carries a ZIP attachment named MyHealth-Ebook.zip that purports to be an ebook on the “Latest on corona-virus”. The body of the message promises complete research on the global pandemic as well as information on how to protect businesses and children, and the threat actors go so far as to include a “sample” of the ebook in the body of the email. The email also states that the attachment can only be downloaded and viewed on Windows computers.

GuLoader is used as the delivery mechanism for the actual malware, Formbook. Formbook is an infostealer chosen for its plethora of capabilities, including keylogging, theft of browser data, and theft of Windows clipboard contents. The stolen data is sent back to a C2 server. The research team noted several tell-tale signs, such as spelling errors, grammatical mistakes, and mixed fonts, that raise suspicion. For more information, see the Malwarebytes report linked above.
Indicators of Compromise

Mal de1b53282ea75d2d3ec517da813e70bb56362ffb27e4862379903c38a346384d

URL drive.google.com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE

Recommendations
  • Do not click or open links in emails directly; instead, type the main URL into your browser or search for the brand/company via your preferred search engine.
  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers, or other perimeter-based devices.
  • Keep applications and operating systems running at the current released patch level.
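One way to act on the recommendation to search your environment for the listed IOCs, as an added example that is not part of the original report: a small Python sweep that checks proxy log lines for the Google Drive download URL (tolerating a different query-parameter order) and hashes files under a directory against the listed 64-character hash, assumed here to be SHA-256. The log lines are constructed for the example.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Indicators copied from this page's Indicators of Compromise section.
IOC_SHA256 = "de1b53282ea75d2d3ec517da813e70bb56362ffb27e4862379903c38a346384d"
IOC_URL = "drive.google.com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE"

def url_matches_ioc(candidate, ioc=IOC_URL):
    """True if candidate points at the same Drive download as the IoC: urlsplit
    lower-cases the host and the query is compared as a dict, so a different
    parameter order or an added scheme does not hide a hit."""
    c = urlsplit(candidate if "://" in candidate else "https://" + candidate)
    i = urlsplit(ioc if "://" in ioc else "https://" + ioc)
    return (c.hostname == i.hostname and c.path == i.path
            and parse_qs(c.query) == parse_qs(i.query))

def scan_proxy_log(lines):
    """Return (line_number, url) for every URL in the log that matches the IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line):
            if url_matches_ioc(url):
                hits.append((n, url))
    return hits

def sha256_of(path):
    """Stream a file through SHA-256 so large archives do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_files(root, ioc_hashes=frozenset({IOC_SHA256})):
    """Hash every file under root; return the paths whose digest is a known IoC."""
    return [p for p in Path(root).rglob("*") if p.is_file() and sha256_of(p) in ioc_hashes]

# Constructed proxy log lines (not real traffic); only line 2 reaches the IoC URL.
SAMPLE_LOG = [
    "2020-03-20T09:58:11Z 10.0.0.7 GET https://www.who.int/ 200",
    "2020-03-20T10:01:02Z 10.0.0.5 GET https://drive.google.com/uc?id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE&export=download 200",
    "2020-03-20T10:01:40Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=OTHERFILEID 200",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```

Point sweep_files at download and mail-attachment directories; the Drive file ID is the stable part of the URL, so a hit on it matters more than an exact string match.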