Specialists from IBM X-Force have discovered a new malicious campaign in which cybercriminals forge emails from the World Health Organization (WHO), impersonating its Director-General, Tedros Adhanom Ghebreyesus, and use them to deliver the HawkEye keylogger.
HawkEye is credential-stealing malware that is usually distributed through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files.
“After installing on the victim’s computer, the malware attempts to steal the email and browser credentials, including those used by Internet Explorer, Google Chrome, Apple Safari, and Mozilla Firefox,” IBM X-Force experts report.
While earlier campaigns distributed HawkEye through phishing messages themed around airline tickets and banking transactions, the criminals are now exploiting the panic around the coronavirus pandemic.
The emails carry an archive containing the file “Coronavirus Disease (Covid-19) CURE.exe”. Inside it is a .NET executable that acts as a HawkEye loader, obfuscated with the ConfuserEx and Cassandra Protector tools. Once executed, the loader invokes the Interfaces2.dll library and loads a bitmap image with assembly code embedded in it.
From that image the loader extracts ReZer0V2.exe, a program designed to disable Windows Defender. The sample, which also includes sandbox and virtual machine (VM) detection features, then injects HawkEye into certain running processes.
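As an added illustration of the bitmap-smuggling step described above (this is not code from the IBM X-Force report or from the malware): a defender-side triage script that pulls the pixel area out of a BMP, looks for an embedded PE header, and measures the entropy of the pixel bytes. The bitmap samples it scans are constructed inline, and the entropy threshold is an assumption.

```python
"""Triage helper: flag a bitmap whose pixel data hides a PE image or looks packed."""
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted code scores close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_embedded_pe(blob: bytes) -> list:
    """Offsets of every 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def bmp_pixel_data(bmp: bytes) -> bytes:
    """Return the raw pixel area, located via the offset in the BMP file header."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return bmp[struct.unpack_from("<I", bmp, 10)[0]:]

def triage_bitmap(bmp: bytes, entropy_threshold: float = 7.0) -> dict:
    """Assumed threshold: natural images rarely exceed 7 bits/byte of entropy."""
    pixels = bmp_pixel_data(bmp)
    entropy, pe_offsets = shannon_entropy(pixels), find_embedded_pe(pixels)
    return {"entropy": round(entropy, 2), "pe_offsets": pe_offsets,
            "suspicious": bool(pe_offsets) or entropy > entropy_threshold}

def make_bmp(pixels: bytes) -> bytes:
    """Constructed sample: wrap arbitrary bytes as one padded row of a 24-bit BMP."""
    width = len(pixels) // 3
    row = pixels[:width * 3]
    row += b"\x00" * ((4 - len(row) % 4) % 4)          # rows are padded to 4 bytes
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(row), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, 1, 1, 24, 0, len(row), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + row

# Constructed inputs: a smooth low-entropy gradient, and the same gradient with a
# minimal MZ/PE stub (e_lfanew = 0x40) followed by a uniform high-entropy payload.
BENIGN_PIXELS = bytes((i * 7) % 16 for i in range(3000))
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
MALICIOUS_PIXELS = BENIGN_PIXELS[:300] + PE_STUB + bytes(range(256)) * 8
```

Running `triage_bitmap(make_bmp(MALICIOUS_PIXELS))` reports the stub at pixel offset 300 and a high entropy score, while the benign sample is not flagged.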
Separately, according to a report by Chester Wisniewski of Sophos, criminals are impersonating the World Health Organization to steal cryptocurrency donations meant for the fight against the COVID-19 pandemic.
“Fraudsters are tricking and stealing funds intended for the COVID-19 Solidarity Response Fund,” said Chester Wisniewski.
WHO created the fund in collaboration with the UN Foundation after the agency officially declared the coronavirus outbreak a pandemic on March 11. Its main goal is to prepare countries for the fight against the virus, particularly those with poorly developed healthcare systems.
The scammers ask recipients to donate by sending bitcoin directly to the address given in the email. For added credibility they also spoof the sender address donate@who[.]Int.
Although WHO publishes detailed information about its Solidarity Response Fund to combat COVID-19, it remains unclear whether the fund accepts cryptocurrency donations at all.
Cybercriminals, of course, exploit the global news agenda to enrich themselves. Curiously, at the start of the year the most popular lure in phishing attacks was Greta Thunberg, and now the coronavirus has practically fulfilled the activist’s wishes: less transport, less production, and lower CO₂ emissions. Are you satisfied, Greta?
However, according to How to Fix, some malware operators have decided to show a degree of decency: the Maze and DoppelPaymer ransomware operators, for example, have suspended attacks on medical organizations.