"It's been 1 month since the news about Heartbleed bug broke and you needed to change your passwords for your cricial accounts," the email states. "Now it's time to change your passwords once more to make sure your new passwords are put in place after sites protected themselves from the Heartbleed bug. It is possible that your computer might still be infected by the virus and as such your password is at risk. Please open the attachment in this email and run the Heartbleed virus removal tool inside."
As the researchers note, the email targets victims who don't have enough technical knowledge to understand that the Heartbleed bug isn't malware and can't infect computers.
The attachment appears to be an innocent-seeming .docx file, but clicking on it opens an encrypted zip file containing the executable heartbleedbugremovaltool.exe. If that file is opened, it downloads a keylogger in the background while a popup appears with a progress bar that eventually states, "heart bleed bug not found. Your Computer is Clean."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"After the fake removal tool gives a clean bill of health users may feel relieved that their computers are not infected; however, this couldn’t be further from the truth as they now have a keylogger recording keystrokes and taking screen shots and sending confidential information to a free hosted email provider," explains Symantec's Joseph Graziano.