COVID-19 Phishing Campaign: HawkEye Keylogger Injection
I. Targeted Industries
- Higher Education
- Business Executives
- Government Officials
II. Summary
Amid the COVID-19 global pandemic, active phishing campaigns have surfaced. The emails carry inaccurate information, including drug recommendations, cures, and updates, and appear to come from the Director-General of the World Health Organization (WHO), Dr. Tedros Adhanom Ghebreyesus [1]. They deliver a keylogger built from the newly revamped HawkEye malware [2]. The lure preys on fear surrounding COVID-19: the attachment claims to contain important information, and the message even encourages recipients to forward it to others [3]. Once opened, the attached file runs a series of commands, including one that turns off Windows Defender and other security layers, before stealing information.
III. Background Information
HawkEye Keylogger is designed to log keystrokes, steal credentials from browsers and email clients, capture screenshots, and send the stolen data out over SMTP [4]. It spreads through deceptive emails carrying malicious attachments such as .doc, .pdf, .exe, and RTF files. In this campaign the email reportedly carries an executable named "Coronavirus Disease (Covid-19) CURE.exe" [5]. The payload is a .NET executable obfuscated with a combination of ConfuserEx and the Cassandra protector, which helps it evade signature-based detection. Before injecting the keylogger, the executable runs a PowerShell command that disables Windows Defender along with several other security features. The destination for the stolen data (the mail account the malware sends through) is stored inside the malware encrypted with AES, so exfiltration proceeds automatically once the keylogger is running. Because the lure exploits current fears, this phishing campaign is expected to be highly successful.
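The two post-execution behaviours described above, a PowerShell command that turns off Windows Defender and the malware sending stolen data out over SMTP on its own, are both visible in ordinary telemetry. The hunt script below is an added example, not code from the advisory or from the HawkEye sample, and it runs over a handful of constructed log events: `ps_4104` stands in for a PowerShell script-block log entry (Event ID 4104), `defender_5001` for Defender's "real-time protection is disabled" event, and `netflow` for a flow record. Host names, IP addresses, the relay allow-list and the internal mail server are assumptions made for the example; the Defender cmdlet pattern goes slightly beyond the page by also matching exclusion changes and the other `Disable*` switches of `Set-MpPreference`.

```python
"""Hunt for HawkEye-style post-execution behaviour in constructed log events:
a Defender-disabling PowerShell command, the resulting Defender event, and
outbound SMTP from a workstation that is not a mail relay."""
import re

# Constructed sample events (not real telemetry), formatted "source|host|payload".
SAMPLE_EVENTS = [
    "ps_4104|WS-0042|Set-MpPreference -DisableRealtimeMonitoring $true",
    "ps_4104|WS-0042|Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "ps_4104|WS-0017|Get-ChildItem C:\\Temp",
    "defender_5001|WS-0042|Real-time protection is disabled",
    "netflow|WS-0042|proto=tcp dst=203.0.113.25 dport=587",
    "netflow|MAIL-01|proto=tcp dst=198.51.100.7 dport=25",
    "netflow|WS-0017|proto=tcp dst=10.0.0.5 dport=587",
]

MAIL_RELAYS = {"MAIL-01"}             # hosts allowed to send SMTP outbound (assumption)
INTERNAL_MAIL_SERVERS = {"10.0.0.5"}  # internal submission server (assumption)
SMTP_PORTS = {"25", "465", "587"}

# Cmdlet/parameter pairs that weaken Defender. Disabling real-time monitoring is
# what the advisory describes; exclusions and the other Disable* switches are
# the usual variants seen alongside it.
DEFENDER_TAMPER = re.compile(
    r"\b(Set|Add)-MpPreference\b.*?-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection|DisableScriptScanning|Exclusion(Path|Process|Extension))\b",
    re.IGNORECASE,
)


def classify(line):
    """Return (host, indicator) for a suspicious event, or None for a benign one."""
    source, host, payload = line.split("|", 2)
    if source == "ps_4104" and DEFENDER_TAMPER.search(payload):
        return host, "defender_tamper_cmd"
    if source == "defender_5001":
        return host, "realtime_protection_off"
    if source == "netflow":
        fields = dict(kv.split("=", 1) for kv in payload.split())
        # Workstations have no business speaking SMTP to the Internet directly;
        # HawkEye exfiltrates through its own embedded mail account.
        if (fields.get("dport") in SMTP_PORTS
                and host not in MAIL_RELAYS
                and fields.get("dst") not in INTERNAL_MAIL_SERVERS):
            return host, "workstation_smtp_egress"
    return None


def hunt(events):
    """Group indicators by host: {host: {indicator, ...}}."""
    findings = {}
    for line in events:
        hit = classify(line)
        if hit:
            host, indicator = hit
            findings.setdefault(host, set()).add(indicator)
    return findings


def prioritize(findings):
    """Hosts with the most distinct indicators first. A host that both tampered
    with Defender and is sending SMTP on its own matches the HawkEye pattern."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in prioritize(results):
        print(host, sorted(results[host]))
```

The script only sees the PowerShell command if script block logging is enabled (the Microsoft-Windows-PowerShell/Operational log, Event ID 4104), and Defender can also be switched off through the registry or WMI, so treat the command match as one signal among several; the Defender event and the SMTP egress do not depend on how the tampering was done.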
IV. Recommendations
- Update Software: Ensure anti-virus software and its signature files are up to date and patched. Make sure end-user and server operating systems have the latest security updates installed.
- Detection: Search your environment for the IOCs listed below, and consider blocking and alerting on all URL- and IP-based IOCs at email gateways, firewalls, and endpoints. Links to the identified IOCs are included with this advisory.
- Phishing Awareness Training: Educate employees about new phishing scams as well as old schemes to reduce risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Safe Browsing Techniques: Educate users on safe browsing practices. Recommended link: https://www.us-cert.gov/ncas/tips/ST07-001
- Support Channel: Emphasize the importance of users contacting support directly if anything about the services provided seems suspicious. Give employees the contact methods for reaching your organization's support team.
- Virtual Private Network (VPN): Encourage employees to use the VPN provided by their organization.
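Beyond matching the published IOCs, the Detection recommendation can be backed by a gateway rule that targets the shape of this lure rather than a specific hash: a display name that impersonates the WHO Director-General on an address outside WHO's domain, and an executable attachment (directly, under a misleading extension, or inside a zip). The screening code below is an added example, not part of the advisory or of any gateway product; the message it screens is constructed from the description on this page, and the `who.int` allow-list, the executable extension list and the example addresses are assumptions.

```python
"""Gateway-side screening for WHO-impersonation lures with executable payloads.
Parses a raw RFC 822 message and returns the reasons it should be quarantined."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

WHO_DOMAINS = {"who.int"}  # legitimate WHO sending domain (assumption)
IMPERSONATION_TERMS = ("world health organization", "tedros", "director-general")
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def build_message(from_header, attachments):
    """Construct a sample message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Covid-19 drug advice and cure"
    msg.set_content("Please open the attached file and forward it to your colleagues.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


def zip_bytes(inner_name, data):
    """Build an in-memory zip holding one file, to mimic an archived lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def _ext(name):
    return os.path.splitext(name.lower())[1]


def screen(raw):
    """Return the list of reasons to quarantine the message (empty if clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    display_name, address = parseaddr(str(msg["From"] or ""))
    domain = address.rsplit("@", 1)[-1].lower()
    # Display-name impersonation: the name claims WHO, the address does not.
    if any(t in display_name.lower() for t in IMPERSONATION_TERMS) and domain not in WHO_DOMAINS:
        reasons.append(f"who_impersonation:{domain}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ext(fname) in EXEC_EXTENSIONS:
            reasons.append(f"executable_attachment:{fname}")
        elif data.startswith(b"MZ"):
            # PE header hiding under a non-executable name such as "cure.pdf"
            reasons.append(f"pe_header_with_misleading_extension:{fname}")
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if _ext(inner) in EXEC_EXTENSIONS:
                        reasons.append(f"archive_contains_executable:{inner}")
    return reasons


# The lure described in this advisory, reconstructed from its description
# (constructed sample; the attachment body is a stub, not the real malware).
LURE = build_message('"Dr. Tedros Adhanom Ghebreyesus" <dg@example.net>',
                     [("Coronavirus Disease (Covid-19) CURE.exe", b"MZ\x90\x00" + b"\x00" * 60)])

if __name__ == "__main__":
    print(screen(LURE))
```

The display-name check is deliberately separate from domain authentication: a message that passes SPF, DKIM and DMARC for `example.net` still fails this rule, because the point is the mismatch between what the name claims and where the mail comes from. Nested archives, password-protected zips and Office documents with macros are not covered here and need their own handling.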
V. Indicators of Compromise (IOCs)
Based on the intelligence gathered to date, at least 14 artifacts have been included.
Some email systems block file attachments, so the link below has been included to assist with downloading the IOCs associated with this Threat Advisory Report.
VI. References
"Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis." (2020, March 25). Dark Reading. https://www.darkreading.com/vulnerabilities---threats/attack-surface-vulnerabilities-increase-as-orgs-respond-to-covid-19-crisis/d/d-id/1337369
"Covid-19 Drug Advice From The WHO Spoofed to Distribute Agent Tesla Info-Stealer" – IBM X-Force Collection. (n.d.). IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/2f9a23ad901ad94a8668731932ab5826
"COVID19 Pandemic Leads to Massive Increase in WHO Cyberattacks." (2020, March 25). NetSec.News. https://www.netsec.news/covid19-pandemic-leads-to-massive-increase-in-who-cyberattacks/
"COVID-19 Scam Roundup – Week of 3/16/20." (2020, March 23). The State of Security. https://www.tripwire.com/state-of-security/security-awareness/covid-19-scam-roundup-week-of-3-16-20/
[2] Seals, T. (2020, March 20). "Revamped HawkEye Keylogger Swoops in on Coronavirus Fears." Threatpost. https://threatpost.com/revamped-hawkeye-keylogger-coronavirus-fears/154013/
"Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic." (2020, March 20). SentinelLabs. https://labs.sentinelone.com/threat-intel-update-cyber-attacks-leveraging-the-covid-19-coronavirus-pandemic/
[5] "WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC." (2020, March 20). ZDNet. https://www.zdnet.com/google-amp/article/who-chief-emails-claiming-to-offer-coronavirus-drug-advice-plant-keyloggers-on-your-pc/
[1, 3] "WHO Director-General Impersonated in Spam Campaign Delivering HawkEye Keylogger and Malware Downloader." (2020, March 20). NetSec.News. https://www.netsec.news/who-director-general-impersonated-in-spam-campaign-delivering-hawkeye-keylogger-and-malware-downloader/
This content is made available by the Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs. Use of this site does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.