A new phishing campaign impersonating the Director-General of the World Health Organisation (WHO) is delivering HawkEye malware.
According to researchers at IBM X-Force Threat Intelligence, the spam campaign was launched yesterday and has already delivered a large volume of spam emails.
The emails include attachments containing an executable named "Coronavirus Disease (COVID-19) CURE.exe", described as a “file with the instructions on common drugs to take for prevention and fast cure to this deadly virus called Coronavirus Disease (COVID-19).”
The phishing email adds that the instructions are from WHO.
Recipients of the email are asked to review the file, follow the instructions, and forward it to family and friends.
However, the attachment is actually a HawkEye keylogger loader with anti-sandbox and anti-VM capabilities that will attempt to turn off Windows Defender, and disable scans and updates using PowerShell.
IBM X-Force analysed a HawkEye sample and discovered that it is capable of capturing keystrokes on compromised devices, in addition to capturing screenshots and stealing user credentials from a wide range of applications.
HawkEye will harvest credentials from email clients and web browsers, encrypt them and then send them to its operators.
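The Defender tampering described above is visible in process-creation logs. The following is an added detection sketch, not code from IBM X-Force or from this article: it flags PowerShell command lines that call Set-MpPreference with a protection-disabling switch set to true, including payloads hidden behind -EncodedCommand. The article does not list the loader's exact commands, so the switch list, the event fields and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Real Set-MpPreference switches that turn off protection, scanning or updates.
# Which of them the loader uses is not stated on the page; this set is an assumption.
TAMPER_PARAMS = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disablescriptscanning",
    "disablearchivescanning", "disableblockatfirstseen",
    "signaturedisableupdateonstartupwithoutengine",
}
PARAM_RE = re.compile(r"(?<=\s)-(\w+)(?:\s+|:)([^\s-]\S*)")   # -Name value / -Name:value
ENC_RE = re.compile(r"(?<=\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
TRUTHY = {"$true", "true", "1"}

def expand(command_line):
    """Append the decoded text of any -EncodedCommand payload (base64 of UTF-16LE)."""
    text = command_line
    for blob in ENC_RE.findall(command_line):
        try:
            text += " " + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            pass  # not base64 or not UTF-16LE: keep only the raw command line
    return text

def tamper_params(command_line):
    """Return the sorted Defender-disabling switches set to true in one command line."""
    lowered = expand(command_line).lower()
    if "set-mppreference" not in lowered:
        return []
    return sorted({name for name, value in PARAM_RE.findall(lowered)
                   if name in TAMPER_PARAMS and value.strip("'\";") in TRUTHY})

def detect(events):
    """Return (host, parent, switches) for every event that tampers with Defender."""
    return [(e["host"], e["parent"], hits) for e in events
            if (hits := tamper_params(e["cmdline"]))]

def _enc(script):
    """Build a constructed -EncodedCommand argument for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed process-creation events, not taken from the report
    {"host": "ws-01", "parent": "mail-attachment.exe", "cmdline":
     'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "ws-02", "parent": "mail-attachment.exe", "cmdline": "powershell -w hidden -enc "
     + _enc("Set-MpPreference -DisableIOAVProtection 1 -DisableScriptScanning $true")},
    {"host": "ws-03", "parent": "explorer.exe", "cmdline": "powershell.exe -Command Get-MpPreference"},
    {"host": "ws-04", "parent": "svchost.exe", "cmdline":
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
]
```

The matcher expects full switch names; PowerShell also accepts unambiguous abbreviations, so a production rule should normalise those before matching.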
“It is remarkable how threat actors play with the fears and hopes of their potential victims. Speaking of prevention drugs and cures in an email that is spoofed to appear directly from the Director of the WHO, in this current situation is expected to be highly successful,” concluded IBM X-Force.
“Especially in countries where COVID-19 has impacted large numbers, the hope of finding a vaccine, cure or even drugs, is stronger. Unfortunately, those hopes are shattered by the fact that victims once infected with the keylogger will face the loss of critical personal information. This can have even more damaging consequences once their financial information is stolen and exposed.”