The email GZ attachment contains a password-protected zip (not provided in the text), with an exe inside: the malware itself. It is not known what the next payload is.
Cybercrime, domestic routers hijacked to spread coronavirus malware
Bleeping Computer: Cybercrime changes the DNS settings of D-Link or Linksys home routers to cause victims to install fake WHO APPs on the coronavirus. Objective: to install Oski malware, a trojan that steals data
A new cybercrime campaign uses coronavirus bait to install malware, by changing DNS settings of D-Link or Linksys home routers. Objective: to show the user’s browser warnings about false information regarding COVID-19, stating that it is an App controlled by the World Health Organization (WHO). Bleeping Computer reports it. If a user downloads and installs the application, he installs the Oski trojan. A malicious code with the ability to exfiltrate data. The cyber security experts of the Italian CERT-PA points out that it have access to many information: browser cookies, browser history, saved access credentials, cryptocurrency wallets, text files, 2FA authentication database and desktop screenshot.