WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC

Fraudsters are trying to capitalize on fears surrounding the illness in new phishing campaigns.
Written by Charlie Osborne, Contributing Writer

Emails claiming to be from the leader of the World Health Organization (WHO) are making the rounds in new phishing campaigns designed to plant keyloggers on your PC. 

A new campaign spotted by IBM X-Force researchers this week is ongoing and involves a new variant of HawkEye malware. 

HawkEye is a keylogger and credential-stealing malware that is usually spread through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files. Once installed on a victim's machine, the malware will attempt to steal email and browser credentials including those used in IE, Chrome, Safari, and Firefox. 

The keylogger is able to log keystrokes, capture screenshots, and send stolen data to its operators through encrypted email. 

In previous campaigns, HawkEye has been deployed through phishing messages relating to airline ticket confirmations and bank communication. However, as panic surrounding COVID-19 increases, threat actors have decided to take advantage of the pandemic. 

The latest variant of the malicious code is being spread through emails masquerading as official messages from Dr. Tedros Adhanom Ghebreyesus, the Director-General of WHO.


The active campaign is new, having begun on Thursday. Several waves of the scam emails have been spotted, and there may be more to come. 


While the spelling mistakes are a giveaway for fake messages, if a victim opens the archive attachment, they will find an .exe file called "Coronavirus Disease (Covid-19) CURE.exe" contained within. 


The .exe file contains a .NET executable that acts as the HawkEye loader, obfuscated via ConfuserEx and Cassandra protector. Once executed, the loader springs another executable into action, Interfaces2.dll, and loads a Bitmap image containing embedded assembly code. 

"The image is parsed by columns from top to bottom, starting from the leftmost column to go to the right," the researchers say. "For each pixel thus encountered, if the color of these (including the alpha channel) is different from the color of the pixel, a (0, 0), or in the upper left corner, adds three bytes to the payload array. The three bytes are, in order: the red, green, and blue channel of the pixel."

RGB values are used to generate payload bytes, excluding transparent pixels entirely. 
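
The pixel walk the researchers describe, written as an analyst-side extractor for carving the embedded bytes out of a suspect image. This is an added example, not code from the article or from IBM X-Force; the function names and the small sample grid are constructed for illustration, and it assumes the image has already been decoded into RGBA tuples.

```python
import hashlib

def extract_payload(pixels):
    """Rebuild embedded bytes from pixels[y][x] = (r, g, b, a) tuples."""
    if not pixels or not pixels[0] or any(len(r) != len(pixels[0]) for r in pixels):
        raise ValueError("pixel grid must be rectangular and non-empty")
    height, width = len(pixels), len(pixels[0])
    marker = pixels[0][0]          # padding colour is whatever sits at (0, 0)
    out = bytearray()
    for x in range(width):         # leftmost column first, moving right
        for y in range(height):    # top to bottom within each column
            px = pixels[y][x]
            if px == marker:       # full RGBA comparison, alpha included
                continue
            out += bytes(px[:3])   # red, green, blue, in that order
    return bytes(out)

def triage(payload):
    """Facts worth recording before deeper analysis of the carved bytes."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "starts_with_mz": payload[:2] == b"MZ",   # DOS/PE header magic
    }

# Constructed 3x2 sample grid (not taken from the real sample).
PAD = (0, 0, 0, 0)
SAMPLE = [
    [PAD, (0x00, 0x03, 0x00, 255), (0, 0, 0, 255)],
    [(0x4D, 0x5A, 0x90, 255), PAD, PAD],
]

if __name__ == "__main__":
    data = extract_payload(SAMPLE)
    print(data.hex(), triage(data))
```

The last pixel in the top row shares its RGB values with the padding colour but differs in alpha, so it still contributes three zero bytes; a row-major scan of the same grid would yield the bytes in the wrong order.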


The payload decoded from the image file is ReZer0V2.exe, a program designed to try to turn off Windows Defender. The sample, which also contains anti-sandbox and anti-virtual machine (VM) features, will then inject HawkEye into specific running processes. 

"Speaking of prevention drugs and cures in an email that is spoofed to appear directly from the Director of the WHO in this current situation is expected to be highly successful," IBM says, with a note towards countries less well-equipped to deal with a COVID-19 outbreak. 

COVID-19 scams are rife. In recent weeks, Cashapp scammers have been using the coronavirus as an attention-grabber for fake giveaways, and in Canada, doorstep scam artists have been claiming to offer residents coronavirus test kits.

At the time of writing, COVID-19 has spread to 169 countries and regions, with over 245,000 confirmed cases. 
