With the outbreak of coronavirus, emails claiming to be from the leader of the World Health Organization (WHO) are trying to capitalize on fears surrounding the illness in new phishing campaigns designed to plant keyloggers on your PC. This keylogger, named HawkEye, is a credential-stealing malware that is usually spread through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files.
Once installed on a victim’s machine, the malware will attempt to steal email and browser credentials including those used in IE, Chrome, Safari, and Firefox. The keylogger is able to log keystrokes, capture screenshots, and send stolen data to its operators through encrypted email. In previous campaigns, HawkEye has been deployed through phishing messages relating to airline ticket confirmations and bank communication.
However, as panic surrounding COVID-19 increases, threat actors have decided to take advantage of the pandemic. Once a victim opens the archive attachment, they will find a .exe file called “Coronavirus Disease (COVID-19) CURE.exe” contained within. The .exe file contains a .NET executable that acts as the HawkEye loader, obfuscated via ConfuserEx and Cassandra protector. Once executed, the loader springs another executable into action, Interfaces2.dll, and loads a Bitmap image containing embedded assembly code.
According to researchers, the image is parsed by columns from top to bottom, starting from the leftmost column to go to the right. For each pixel thus encountered, if the color of these, including the alpha channel, is different from the color of the pixel, a (0, 0), or in the upper left corner, adds three bytes to the payload array. The three bytes are, in order: the red, green, and blue channel of the pixel.” RGB values are used to generate payload bytes, excluding transparent pixels entirely. The decoded payload elicited from the image file is ReZer0V2.exe, a program designed to try and turn off Windows Defender. The sample, which also contains anti-sandbox and anti-virtual machine (VM) features, will then inject HawkEye into specific running processes.
COVID-19 has now spread to 169 countries and regions, with over 245,000 confirmed cases. In this case, COVID-19 scams are rife with the COVID-19 outbreak. In recent weeks, Cashapp scammers are using the coronavirus as an attention-grabber for fake giveaways, and in Canada, doorstep scam artists are claiming to offer residents coronavirus test kits.
LIFARS’ Cyber Resiliency Team can help your organization with simulating a real phishing attack to your organization and based on the results collected and our in-depth analysis of the company email system (encryption, protocols, filters, etc.), we will help optimize the system to increase the overall security posture to help keep cybercriminals from entering your network. Scenario-based phishing simulation assesses the current level of employee awareness and the strength of your network defenses. Our experts will launch targeted phishing campaigns based on real-world scenarios observed by our experts. Using both common and uncommon methods, including malicious attachments, URLs, specialized emails, as an attempt to lure your employees. Upon completion of the simulation, a detailed report is produced, complete with gaps and recommendations to elevate your security posture and awareness.
Contact LIFARS Immediately for