
Published on March 19th, 2020


WHO Chief Impersonated in Phishing to Deliver HawkEye Malware



An ongoing phishing campaign is using emails posing as official messages from the Director-General of the World Health Organization (WHO) to deliver the HawkEye information-stealing malware to victims' devices.

According to the IBM X-Force Threat Intelligence researchers who spotted it, the campaign started today and has already sent several waves of spam emails attempting to pass as coming from WHO.

"HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors," IBM X-Force's research team previously said.

Malspam promising coronavirus prevention and cure instructions

The emails come with archive attachments containing an executable named "Coronavirus Disease (Covid-19) CURE.exe", described by the attackers as a "file with the instructions on common drugs to take for prevention and fast cure to this deadly virus called Coronavirus Disease (COVID-19)."

"This is an instruction from WHO (World Health Organization) to help figth [sic] against coronavirus," the phishing emails also add.

The targets are also asked to review the attached file and follow the enclosed instructions, as well as forward it to family and friends to share the "instructions" needed to fight the virus.

Phishing email sample (IBM X-Force)

"These emails claiming to be from the World Health Organization are being delivered personalized by addressing the recipient by a username stripped out of the email address," IBM X-Force researchers found.

Instead of coronavirus drug advice, the executable is a HawkEye keylogger loader with anti-VM and anti-sandbox checks. It attempts to turn off Windows Defender through the registry and uses PowerShell to disable scans and signature updates.

Attempting to turn off Windows Defender (IBM X-Force)
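Both tampering steps leave host telemetry behind. The following detection is an added example, not code from IBM X-Force or from the malware analysis: it runs over newline-delimited JSON events and flags Sysmon Event ID 13 (registry value set) writes to Windows Defender policy values and PowerShell Event ID 4104 script blocks that call Set-MpPreference with protection-disabling switches. The article does not name the registry value or the PowerShell command the loader uses, so the specific value names and switches below are assumptions (they are real Defender settings, chosen as the ones such a loader would plausibly touch); the log lines are constructed for the example.

```python
import json
import re

# Registry values under the Defender policy key whose modification is a tamper
# signal. ASSUMPTION: the article only says "via registry"; these value names
# are real Defender policy values picked as the likely targets.
DEFENDER_REG_VALUES = (
    r"\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
)

# Set-MpPreference switches that weaken scanning or signature updates.
MPPREF_RE = re.compile(
    r"Set-MpPreference\b.*?-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection|DisableScriptScanning|DisableArchiveScanning|"
    r"SignatureDisableUpdateOnStartupWithoutEngine|ExclusionPath)\b",
    re.IGNORECASE | re.DOTALL,
)


def check_registry_event(ev):
    """Sysmon Event ID 13 (RegistryEvent: Value Set) touching a Defender policy value."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    for suffix in DEFENDER_REG_VALUES:
        if target.lower().endswith(suffix.lower()):
            return {
                "rule": "defender_registry_tamper",
                "process": ev.get("Image"),
                "target": target,
                "details": ev.get("Details"),
            }
    return None


def check_powershell_event(ev):
    """PowerShell Event ID 4104 (Script Block Logging) calling Set-MpPreference."""
    if ev.get("EventID") != 4104:
        return None
    script = ev.get("ScriptBlockText", "")
    m = MPPREF_RE.search(script)
    if m is None:
        return None
    return {"rule": "defender_powershell_tamper", "switch": m.group(1), "script": script}


def scan(lines):
    """Run both checks over newline-delimited JSON events and return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_registry_event, check_powershell_event):
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): two tampering events attributed
# to the lure executable and two benign events that must not alert.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\Coronavirus Disease (Covid-19) CURE.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NV Hostname", "Details": "WORKSTATION01"}
{"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true -DisableArchiveScanning $true"}
{"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"}
"""


def run_sample():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats when deploying something like this: writes under HKLM\SOFTWARE\Policies require administrative rights, so a lure run by a standard user leaves only the PowerShell signal, and where Defender's Tamper Protection is enabled these changes are refused anyway, which makes the attempt itself the thing worth alerting on.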

Collects and exfiltrates credentials and keystrokes

The final HawkEye payload, an executable named GqPOcUdjXrGtqjINREXuj.exe, is extracted from a bitmap image stored in the loader's resource section and run via process hollowing, in which a new process is started suspended and its in-memory image is replaced with the payload before execution resumes.
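Hiding a PE inside an image resource is a common loader trick, and a first triage step is to look for an embedded executable inside the extracted image. The following is an added example, not IBM X-Force's tooling or the loader's own code: it scans a byte buffer for every "MZ" marker, validates each candidate by reading e_lfanew at offset 0x3C and checking that it points at a "PE\0\0" signature within a sane distance, and carves the hit. The bitmap and the minimal PE header it embeds are constructed for the example (the PE is a header only, not a runnable program), and the decoy "MZ" in the pixel data shows why the e_lfanew check matters.

```python
import struct

MAX_E_LFANEW = 0x400  # real DOS stubs put the PE header well within this range


def looks_like_pe(data, off):
    """True if data[off:] starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew > MAX_E_LFANEW:
        return False
    pe = off + e_lfanew
    return data[pe:pe + 4] == b"PE\0\0"


def find_embedded_pe(data):
    """Return every offset at which a plausible PE image begins inside data."""
    hits, start = [], 0
    while True:
        idx = data.find(b"MZ", start)
        if idx < 0:
            return hits
        if looks_like_pe(data, idx):
            hits.append(idx)
        start = idx + 1


def carve_pe(data, off):
    """Carve the candidate image (rest of the buffer) for further analysis."""
    return data[off:]


def build_fake_pe():
    """Constructed minimal DOS header + PE signature + COFF header (not runnable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_bitmap(payload):
    """Constructed 8x8 24-bpp BMP: pixels, a decoy 'MZ', then the payload appended."""
    pixels = b"\x10\x20\x30" * 64 + b"MZ" + b"\x00" * 62  # decoy: its e_lfanew reads as 0
    dib = struct.pack("<IiiHHIIiiII", 40, 8, 8, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    body = dib + pixels + payload
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + len(body), 0, 0, 14 + len(dib))
    return file_hdr + body


SAMPLE_BMP = build_sample_bitmap(build_fake_pe())


def run_sample():
    return find_embedded_pe(SAMPLE_BMP)


if __name__ == "__main__":
    for off in run_sample():
        img = carve_pe(SAMPLE_BMP, off)
        print(f"PE candidate at offset {off:#x}, {len(img)} bytes")
```

In practice the embedded image is often XOR- or AES-obfuscated rather than stored in the clear, so a plain "MZ" scan is only a first pass; the resource itself still has to be pulled out of the loader (for example with pefile) before running this over it, and a miss does not rule out an embedded payload.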

The HawkEye sample analyzed by IBM X-Force is capable of capturing keystrokes on infected devices, but it can also capture screenshots and steal user credentials from a wide range of applications and from the system clipboard.

The malware harvests credentials from web browsers and email clients including Firefox, Thunderbird, Postbox, SeaMonkey, WaterFox, and PaleMoon, among others. All the data it collects is encrypted and sent to its operators by email over SMTP.
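Because the stolen data is encrypted before it is mailed out, content inspection of the SMTP session will not catch the exfiltration; what stands out is which process opens the connection. The following is an added example, not IBM X-Force's code: it runs over constructed Sysmon Event ID 3 (network connection) events and flags TCP connections to SMTP ports from any process that is not an expected mail client, excluding the organization's own relay. The mail-client list, the relay address and the log lines are assumptions made up for the example.

```python
import ipaddress
import json

# ASSUMED allow-lists: processes expected to speak SMTP, and the org's own relay.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "postbox.exe", "seamonkey.exe"}
INTERNAL_RELAYS = {ipaddress.ip_address("10.0.0.25")}
SMTP_PORTS = {25, 465, 587}


def smtp_from_unexpected_process(ev):
    """Sysmon Event ID 3: TCP connection to an SMTP port from a non-mail process."""
    if ev.get("EventID") != 3 or ev.get("Protocol", "tcp").lower() != "tcp":
        return None
    try:
        port = int(ev.get("DestinationPort", 0))
        dst = ipaddress.ip_address(ev.get("DestinationIp", "0.0.0.0"))
    except ValueError:
        return None
    if port not in SMTP_PORTS or dst in INTERNAL_RELAYS:
        return None
    image = ev.get("Image", "")
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in MAIL_CLIENTS:
        return None
    return {
        "rule": "smtp_exfil_candidate",
        "process": image,
        "dst": f"{dst}:{port}",
        "user": ev.get("User"),
    }


def scan_network(lines):
    """Apply the rule to newline-delimited JSON events and return the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        hit = smtp_from_unexpected_process(json.loads(line))
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs). Line 1 is the hollowed host
# process mailing out; lines 2-4 are a real mail client, traffic to the internal
# relay, and an HTTPS connection, none of which should alert.
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "WS01\\victim", "Protocol": "tcp", "DestinationIp": "198.51.100.23", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "User": "WS01\\victim", "Protocol": "tcp", "DestinationIp": "198.51.100.23", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\tool.exe", "User": "WS01\\victim", "Protocol": "tcp", "DestinationIp": "10.0.0.25", "DestinationPort": 25}
{"EventID": 3, "Image": "C:\\Users\\victim\\Downloads\\Coronavirus Disease (Covid-19) CURE.exe", "User": "WS01\\victim", "Protocol": "tcp", "DestinationIp": "203.0.113.9", "DestinationPort": 443}
"""


def run_sample():
    return scan_network(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The relay exclusion is a deliberate blind spot: a stealer configured to use the victim organization's own mail server would pass this rule, so pair it with egress filtering that blocks outbound 25/465/587 from workstations entirely and with review of authentication to the relay from unexpected hosts.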

"The sample can download other malware from http://ypsmKO[.]com, the downloaded malware will be saved at %temp%Svf," the researchers add.

"The malware's configuration data and other important settings such as the SMTP server, email address, and password used are AES encrypted and stored in an array."

In December 2019, HawkEye ranked seventh in Any.Run's list of the 10 most prevalent threats of 2019, based on the number of samples uploaded to the interactive malware analysis platform.

Previous HawkEye campaigns

The HawkEye information-stealing malware (also known as Predator Pain) has been sold on dark web markets and hacking forums, and used by threat actors to infect victims, since at least 2013.

HawkEye's developers regularly update the malware with fixes and new capabilities and advertise it as a system monitoring solution with data exfiltration features.

Attackers previously targeted businesses worldwide with HawkEye in two malspam campaigns in April and May 2019.

They used Estonian spam servers to deliver malicious emails disguised as messages from Spanish banks or legitimate companies, distributing both HawkEye Reborn v8.0 and HawkEye Reborn v9.0.

"Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward," said Cisco Talos about the HawkEye Reborn v9 malware.

"HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts."

