Malware peddlers are taking advantage of the fact that the existence of the Heartbleed bug has breached the confines of the cyber security world and has entered the awareness of Internet users around the world, and they are offering them a bogus “HeartBleed Virus Removal Tool.”
“The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be ‘infected’ with the Heartbleed bug,” shared Symantec researchers. “The spam requests that the user run the Heartbleed bug removal tool that is attached to the email in order to ‘clean’ their computer from the infection.”
Unfortunately for those who do as instructed, the downloaded software (heartbleedbugremovaltool.exe) will download a keylogger in the background. In the foreground, a popup message with a progress bar simulates computer scanning, and ultimately declares the computer to be “clean.”
The keylogger is also capable of taking screenshots, and sends all the gathered confidential information to a free hosted email provider.
The attackers use a number of methods to fool users into downloading the attachment: they create a sense of urgency, the email is made to look like it is coming from a well-known password management company, the fake progress bar is used to distract from the happenings in the background.
It’s also interesting to note that the subject of the email (“Looking for Investment Opportunities from Syria”) has nothing to do with its contents.