Another coronavirus-themed phishing campaign has been detected impersonating the World Health Organization (WHO), or more specifically, the Director-General of WHO, Dr. Tedros Adhanom Ghebreyesus. The campaign was identified by security researchers at IBM X-Force Threat Intelligence who report that several waves of spam have already been delivered.
The threat actors behind the campaign are using spam emails to distribute a malware variant called HawkEye. HawkEye is first and foremost an information stealer, used to harvest a range of sensitive data from victims' computers. It is a keylogger that records and exfiltrates keystrokes as they are typed on infected machines, and it is also capable of stealing credentials from applications, including email clients and web browsers. HawkEye additionally acts as a malware downloader, able to fetch a range of other malware variants through its botnet; those variants can come from a variety of third-party crime actors.
HawkEye has anti-VM and anti-sandbox capabilities to evade detection. The malware will also attempt to deactivate Windows Defender via the Windows registry, and it will also disable scans and updates through PowerShell commands.
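The Defender tampering described above (switching the product off through the registry and disabling scans through PowerShell) is something a blue team can look for in endpoint telemetry. The following is an added example, not code from the article or from IBM X-Force: a small detector run over constructed, key=value style endpoint events. The registry policy keys and the Set-MpPreference switches it matches are generic Windows Defender tampering indicators that exist on Windows; the article does not say which exact keys or commands HawkEye uses, so treat the specific patterns as an assumption, and note that a legitimate Group Policy deployment can write the same registry values, which is why the writing process image is carried into each hit.

```python
import re

# Constructed sample events (invented for this example, not from the article or
# the IBM X-Force report). Field names mirror a typical process/registry feed.
SAMPLE_EVENTS = [
    'ts=2020-03-20T10:01:02Z host=WS01 type=RegistrySet '
    'key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" data=1 '
    'image="C:\\Users\\user\\Downloads\\Coronavirus Disease (Covid-19) CURE.exe"',
    'ts=2020-03-20T10:01:05Z host=WS01 type=ProcessCreate '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"',
    'ts=2020-03-20T10:01:06Z host=WS01 type=ProcessCreate '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell Set-MpPreference -DisableBehaviorMonitoring $true; Set-MpPreference -DisableIOAVProtection $true"',
    # Benign: an admin querying Defender status.
    'ts=2020-03-20T10:02:00Z host=WS02 type=ProcessCreate '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell Get-MpComputerStatus"',
    # Benign: an ordinary Run-key write unrelated to Defender.
    'ts=2020-03-20T10:03:00Z host=WS03 type=RegistrySet '
    'key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'data="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
]

RULES = {
    # Policy values under the Windows Defender key whose name starts with "Disable"
    # (e.g. DisableAntiSpyware, Real-Time Protection\DisableRealtimeMonitoring).
    # Assumption: generic Defender-off indicators, not HawkEye-specific.
    "defender_policy_registry": re.compile(
        r'type=RegistrySet .*key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\'
        r'(?:Real-Time Protection\\)?Disable\w+"',
        re.I,
    ),
    # Set-MpPreference with any -Disable* switch set to $true turns a protection off.
    "defender_disabled_via_powershell": re.compile(
        r'type=ProcessCreate .*cmdline=".*Set-MpPreference\s+-Disable\w+\s+\$true',
        re.I,
    ),
}


def parse_event(line):
    """Turn 'k=v k="v with spaces"' into a dict; quoted values may contain spaces."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def scan_events(lines):
    """Return one hit per (rule, event) pair, carrying the fields an analyst triages on."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                ev = parse_event(line)
                hits.append({
                    "rule": name,
                    "host": ev.get("host"),
                    "image": ev.get("image"),
                    "cmdline": ev.get("cmdline"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["rule"], hit["host"], hit["image"], hit["cmdline"] or "")
```

Both rules fire on the first three constructed events and stay quiet on the two benign ones. In production the registry rule should be joined against the process image: a write from a management agent or Group Policy client is expected, while the same write from a freshly downloaded executable in a user profile is the signal.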
The campaign uses a coronavirus-themed lure, claiming to offer advice on preventing coronavirus infection as well as a cure. The emails claim the attached file includes a list of common medications that can be taken to provide protection against infection and act as a fast cure if people have already been infected. The messages claim, “This is an instruction from WHO (World Health Organization) to help fight against coronavirus.” The subject line of one of the emails captured by the IBM X-Force researchers was “RE: Coronavirus disease (COVID-19) outbreak prevention and cure update.”
The emails include an attachment named Coronavirus Disease (Covid-19) CURE.exe. Recipients are asked to open and review the attached file and to forward the message to friends and family members. The .exe file includes a .NET executable which is the downloader for HawkEye. This is obfuscated using ConfuserEx and Cassandra protector. When the executable is run, the malware loader executes Interfaces2.dll, which loads a Bitmap image that contains assembly code for the malware.
There are indicators that the emails are not what they seem, as there are spelling mistakes and grammatical errors; however, this campaign preys on fears about the coronavirus pandemic and attempts to get recipients to act fast without thinking.
As with all unsolicited emails referencing COVID-19, coronavirus, or SARS-CoV-2, exercise extreme caution when opening the emails. Do not open email attachments or click on links contained in the emails. Obtain advice about COVID-19 from official sources such as WHO (by visiting the website directly), the Centers for Disease Control and Prevention (CDC), or health authorities and government agencies.