A new campaign spotted by IBM X-Force researchers this week is ongoing and involves a new variant of HawkEye malware.
HawkEye is a keylogger and credential-stealing malware that is usually spread through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files. Once installed on a victim's machine, the malware will attempt to steal email and browser credentials including those used in IE, Chrome, Safari, and Firefox.
The keylogger is able to log keystrokes, capture screenshots, and send stolen data to its operators through encrypted email.
In previous campaigns, HawkEye has been deployed through phishing messages relating to airline ticket confirmations and bank communication. However, as panic surrounding the coronavirus increases, threat actors have decided to take advantage of the pandemic.
The latest variant of the malicious code is being spread through emails masquerading as official messages from Dr. Tedros Adhanom Ghebreyesus, the Director-General of WHO.
The active campaign is new, having begun on Thursday. Several waves of the scam emails have been spotted, and there may be more to come.
While the spelling mistakes give the messages away as fake, a victim who opens the archive attachment will find an .exe file called "Coronavirus Disease (Covid-19) CURE.exe" contained within.
The .exe file contains a .NET executable that acts as the HawkEye loader, obfuscated via ConfuserEx and Cassandra protector. Once executed, the loader springs another executable into action, Interfaces2.dll, and loads a Bitmap image containing embedded assembly code.
"The image is parsed by columns from top to bottom, starting from the leftmost column to go to the right," the researchers say. "For each pixel thus encountered, if the color of these (including the alpha channel) is different from the color of the pixel at (0, 0), in the upper left corner, it adds three bytes to the payload array. The three bytes are, in order: the red, green, and blue channel of the pixel."
RGB values are used to generate payload bytes, excluding transparent pixels entirely.
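As an added illustration, not code from IBM's report or from the malware itself, the following Python reimplements the column-by-column pixel walk the researchers describe, so an analyst can pull the embedded bytes out of a dumped image and confirm the decoding order. The image is a constructed in-memory grid of RGBA tuples; loading a real dump through Pillow is an assumption noted in the comments.

```python
# Added example: decoder for the pixel-walk described in the IBM X-Force
# write-up. Image data is a constructed list of rows of (R, G, B, A) tuples;
# for a real dump you would build the same grid via Pillow, e.g.
# Image.open(path).convert("RGBA") and its getpixel() (assumption, not used here).
from typing import List, Sequence, Tuple

RGBA = Tuple[int, int, int, int]


def decode_bitmap_payload(pixels: Sequence[Sequence[RGBA]]) -> bytes:
    """Walk columns left to right, each column top to bottom. A pixel whose
    RGBA value (alpha included) differs from the pixel at (0, 0) contributes
    its R, G, B bytes; pixels equal to that reference are skipped entirely."""
    if not pixels or not pixels[0]:
        return b""
    height, width = len(pixels), len(pixels[0])
    reference = pixels[0][0]              # upper-left pixel is the filler colour
    payload = bytearray()
    for x in range(width):                # leftmost column first
        for y in range(height):           # top to bottom within a column
            px = pixels[y][x]
            if px != reference:           # compares all four channels
                payload.extend(px[:3])    # red, green, blue in that order
    return bytes(payload)


def build_sample_image(data: bytes, width: int, height: int) -> List[List[RGBA]]:
    """Constructed test input (not malware output): transparent filler grid with
    data packed 3 bytes per opaque pixel in the same column-major order,
    starting at the position after (0, 0), which stays the filler/reference."""
    filler: RGBA = (0, 0, 0, 0)
    grid = [[filler for _ in range(width)] for _ in range(height)]
    padded = data + b"\x00" * (-len(data) % 3)       # pad to a whole pixel
    chunks = [padded[i:i + 3] for i in range(0, len(padded), 3)]
    if len(chunks) + 1 > width * height:
        raise ValueError("image too small for the data")
    for k, chunk in enumerate(chunks, start=1):      # position 0 is reserved
        x, y = divmod(k, height)                     # column-major placement
        grid[y][x] = (chunk[0], chunk[1], chunk[2], 255)  # opaque, never == filler
    return grid


# Constructed sample: first bytes of a PE-style header, as the real payload is an .exe.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00"

if __name__ == "__main__":
    image = build_sample_image(SAMPLE_PAYLOAD, 4, 3)
    print(decode_bitmap_payload(image).hex())        # 4d5a900003 00
```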
The decoded payload extracted from the image file is ReZer0V2.exe, a program designed to try to turn off Windows Defender. The sample, which also contains anti-sandbox and anti-virtual machine (VM) features, will then inject HawkEye into specific running processes.
"Speaking of prevention drugs and cures in an email that is spoofed to appear directly from the Director of the WHO in this current situation is expected to be highly successful," IBM says, adding that the lure is particularly likely to work in countries less well-equipped to deal with a COVID-19 outbreak.
COVID-19 scams are rife. In recent weeks, Cash App scammers have been using the coronavirus as an attention-grabber for fake giveaways, and in Canada, doorstep scam artists are claiming to offer residents coronavirus test kits.
At the time of writing, COVID-19 has spread to 169 countries and regions, with over 245,000 confirmed cases.