COVID-19 Themed HawkEye Phishing Campaign Targets Healthcare Sector: Dissection of the MalDoc and the Two-Way Approach

Overview

Threat actors continue to use COVID-19-themed lures to distribute malware as the world responds to the Coronavirus pandemic. Anomali researchers have identified a phishing campaign that is distributing HawkEye malware via Rich Text Format (RTF) documents. This campaign is interesting because HawkEye is a commodity malware with customizable features that is used by numerous threat actors and groups, which makes attribution difficult. Furthermore, threat actors can tailor their Tactics, Techniques, and Procedures (TTPs) to specific campaigns. Anomali researchers found that this campaign appears to be targeting multiple organizations in the healthcare sector.

Figure 1 - The Infection Chain

Technical Analysis

Anomali researchers identified that a recipient (whose name has been redacted) received the COVID-19-themed email shown below in Figure 2, with the subject “CORONA VIRUS CURE FOR CHINA, ITALY” and an attachment called “CORONA TREATMENT.doc.” The recipient's email address, which has been redacted from this piece, shows that the target company is a medical university. In addition, the actor(s) behind this campaign purport to be Dr. Jin from the Research Hospital in Israel, which the actor misspelled in the email.

Figure 2 - Malspam Email

Analysis of the attached document revealed that it is an RTF document (Figure 3). This particular variant uses the objupdate switch to make the Object Linking and Embedding (OLE) object trigger while the parent document is being loaded, as shown below in Figure 4. This is interesting because most malicious RTFs rely on exploits to activate their OLE objects.

Figure 3 - RTF Header

Figure 4 - The objupdate Switch Within the RTF Doc

As shown in Figure 5 below, the document has five embedded OLE objects, all of which appear to be macro-enabled Excel sheets with the same hash value and size. Moreover, the embedded objects reside within the footer section of the document itself.

Figure 5 - Embedded OLE Objects
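The two RTF features described above (the objupdate switch and several identical OLE objects parked in the footer) are cheap to check for at the mail gateway or in a triage script. The following Python is an added example and not part of the Anomali report: it counts \objupdate control words, extracts every \objdata hex blob, hashes the decoded payloads to show that they are copies of one object, and reports how many sit inside the footer group. The sample RTF is constructed to mirror the report's description; its hex payload is a placeholder (an OLE compound-file signature plus padding), not the real macro-enabled worksheet.

```python
import hashlib
import re
from collections import Counter

# Constructed sample modelled on the report: five identical OLE objects, each
# tagged \objupdate, embedded inside the document footer. The \objdata hex is a
# placeholder (OLE compound-file magic plus zero padding), not real malware.
FAKE_OLE_HEX = "d0cf11e0a1b11ae1" + "00" * 8


def _object_group(hexdata):
    return ("{\\object\\objemb\\objupdate"
            "{\\*\\objclass Excel.SheetMacroEnabled.12}"
            "{\\*\\objdata " + hexdata + "}}")


SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0"
    "{\\footer " + _object_group(FAKE_OLE_HEX) * 5 + "}"
    "\\pard Dr. Jin, Research Hospital\\par}"
)

# Constructed benign document used as a control.
BENIGN_RTF = "{\\rtf1\\ansi\\deff0\\pard Meeting notes\\par}"

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
FOOTER_RE = re.compile(r"\{\\footer[rlf]?\b")   # \footer, \footerl, \footerr, \footerf


def _group_end(text, open_idx):
    """Return the index just past the '}' closing the group opened at open_idx."""
    depth = 0
    i = open_idx
    while i < len(text):
        c = text[i]
        if c == "\\":            # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)


def footer_span(text):
    """(start, end) offsets of the first footer group, or None."""
    m = FOOTER_RE.search(text)
    if not m:
        return None
    return m.start(), _group_end(text, m.start())


def triage_rtf(rtf_text):
    """Summarise embedded-object indicators in an RTF document."""
    payloads = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:                      # tolerate a stray trailing nibble
            hexstr = hexstr[:-1]
        payloads.append((m.start(), bytes.fromhex(hexstr)))
    span = footer_span(rtf_text)
    in_footer = sum(1 for off, _ in payloads if span and span[0] <= off < span[1])
    hashes = Counter(hashlib.sha256(blob).hexdigest() for _, blob in payloads)
    return {
        "objupdate_count": rtf_text.count("\\objupdate"),
        "object_count": len(payloads),
        "objects_in_footer": in_footer,
        "unique_payloads": len(hashes),
        "payload_sizes": sorted({len(blob) for _, blob in payloads}),
        "sha256": sorted(hashes),
    }


def is_suspicious(summary):
    """Heuristic from the report: \\objupdate plus embedded OLE objects."""
    return summary["objupdate_count"] > 0 and summary["object_count"] > 0


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        s = triage_rtf(doc)
        print(name, "suspicious" if is_suspicious(s) else "clean", s)
```

The brace-matching in `_group_end` matters: a flat regex for the footer would stop at the first `}` inside the nested `\object` groups and miscount. Running the script on a real RTF only requires reading the file as text and passing it to `triage_rtf`; the hash list can then be compared against the IOCs at the end of this report.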

As suspected, when the Word document was opened, the Excel sheet embedded within it was loaded and immediately displayed a notification asking to enable macros.

Figure 6 - The Macro Notification While the Doc. is Opening

The macro notification (shown above in Figure 6) pops up multiple times even if the user closes the notification or clicks the disable button. The five previously discussed embedded OLE objects (Figure 5) are the source of these pop-ups. Each of these objects contains random strings, as shown in Figure 7 below.

Figure 7 - The Five Embedded OLE Objects Within the Footer Section of the Doc

Figure 7 shows that all of the objects have now been identified as the same Excel sheet and macro. Additional analysis of the macro was conducted to find the reason for the random strings inside the objects. Anomali researchers found that the actor(s) inserted large amounts of whitespace into the macro code, possibly as an anti-analysis/anti-detection technique (Figure 8).

Figure 8 - Original Macro Code

Additional analysis of the macro code, shown below in Figure 9, revealed an interesting variable to examine.

Figure 9 - The Variable Mohair and Its Corresponding Value

The variable Mohair is assigned the random strings, which reside in the sheet called vMYVb at row 134, column 8 (column H), as shown below in Figure 10.

Figure 10 - Sheet Random String Location

Further code review shows that these random strings are deobfuscated while the macro runs.

After live-code debugging, the Mohair variable was found to contain the deobfuscated PowerShell script, ready to be executed by the call Shell Mohair (Figure 11).

Figure 11 - Debug Output of the Macro
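The macro findings above (whitespace padding as anti-analysis, a variable filled from a worksheet cell, and that variable handed straight to Shell) can be turned into a static triage step that runs before any debugging. The Python below is an added example, not code from the report: it collapses the padding, measures how much of the source was whitespace, looks for auto-execute entry points, and for every Shell call traces the argument back to its assignment and the sheet/cell it reads from. The macro text is constructed from the report's description (Mohair, sheet vMYVb, row 134 column 8); the real deobfuscation routine is not reproduced, since the report does not publish it.

```python
import re

# Constructed macro text modelled on the report's description: a variable
# (Mohair) filled from a worksheet cell and passed to Shell, padded with long
# runs of spaces. The actor's deobfuscation routine is deliberately omitted.
SAMPLE_VBA = """
Private Sub Workbook_Open()
    Dim Mohair                                                    As String
    Mohair      =      Sheets("vMYVb").Cells(134,    8).Value


    Shell          Mohair
End Sub
"""

AUTO_EXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen")
SHELL_RE = re.compile(r"^\s*(?:Call\s+)?\bShell\b\s*\(?\s*([A-Za-z_]\w*)", re.M | re.I)
CELL_RE = re.compile(r"\bCells\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)")
SHEET_RE = re.compile(r'Sheets\s*\(\s*"([^"]+)"\s*\)')


def whitespace_ratio(src):
    """Fraction of characters that are spaces or tabs (padding indicator)."""
    if not src:
        return 0.0
    return sum(c in " \t" for c in src) / len(src)


def normalize_vba(src):
    """Collapse runs of spaces/tabs and drop blank lines, keeping line order."""
    lines = []
    for line in src.splitlines():
        collapsed = re.sub(r"[ \t]+", " ", line).strip()
        if collapsed:
            lines.append(collapsed)
    return "\n".join(lines)


def col_letter(n):
    """1-based column index to Excel letters: 1 -> A, 8 -> H, 27 -> AA."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s


def triage_macro(src):
    norm = normalize_vba(src)
    triggers = [t for t in AUTO_EXEC if re.search(r"\b" + t + r"\b", norm)]
    shell_calls = []
    for m in SHELL_RE.finditer(norm):
        var = m.group(1)
        source = None
        # Find where the Shell argument was assigned and what it reads from.
        am = re.search(r"^\s*" + re.escape(var) + r"\s*=\s*(.+)$", norm, re.M)
        if am:
            rhs = am.group(1)
            cm = CELL_RE.search(rhs)
            sm = SHEET_RE.search(rhs)
            source = {
                "expr": rhs,
                "sheet": sm.group(1) if sm else None,
                "cell": col_letter(int(cm.group(2))) + cm.group(1) if cm else None,
            }
        shell_calls.append({"variable": var, "source": source})
    return {
        "whitespace_ratio_before": round(whitespace_ratio(src), 2),
        "whitespace_ratio_after": round(whitespace_ratio(norm), 2),
        "auto_exec": triggers,
        "shell_calls": shell_calls,
    }


if __name__ == "__main__":
    print(triage_macro(SAMPLE_VBA))
```

On a real sample, pass the output of a VBA extractor (for example olevba's source dump) as `src`; a Shell call whose argument originates in a worksheet cell is the pattern to flag, regardless of what the cell contents decode to.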

This PowerShell script is interesting because it is still in an obfuscated state inside the macro (Figure 12). The script contains a variable called $efd38 that also appears to be obfuscated.

Figure 12 - Deobfuscated Powershell Script from the Macro

The same script was invoked when the macro was executed from the worksheet. Figure 13 below shows the PowerShell instance rendering the obfuscated code.

Figure 13 - The Powershell Process Calling the Script

Additional debugging led researchers to deobfuscate the variable, which revealed .NET code, shown in Figure 14.

Figure 14 - .NET Code Deduced from the Powershell Script

The .NET code was compiled with the help of a csc.exe instance and executed via PowerShell. The .NET code reveals that it will initiate a call to the URL onlinepreneur[.]id/manager/brain.exe.

As of this writing, the above URL is not working; researchers therefore emulated and recreated the malicious URL communication and tracked the stages of the infection chain.

Figure 15 - Emulated Output of the Powershell Script Download Request to the URL

Analysis of the deobfuscated code, shown above in Figure 15, found that the payload is saved on the targeted machine under the path C:\Users\<username>\AppData\Roaming and renamed to v5cfb6.exe after being downloaded.

Figure 16 below shows that the PowerShell process did copy and rename the malicious executable to the directory mentioned above.

Figure 16 - The Powershell Process Renames and Saves the EXE Into the Specified Folder

Lastly, the payload was executed on the machine (Figure 17).

Figure 17 - The Malicious Process

Figure 18 - The Properties of the Malicious EXE Process
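The execution chain reconstructed in Figures 13 to 18 (Word loads an embedded Excel object, the macro starts PowerShell, PowerShell spawns csc.exe to compile the .NET code, then drops and runs v5cfb6.exe from AppData\Roaming) is a sequence that endpoint telemetry can catch at four separate points. The Python below is an added detection example, not part of the Anomali report: it walks constructed Sysmon-style process-creation and file-creation events, rebuilds each process's ancestry, and raises one alert per stage. The event shape, PIDs, the user name "victim" and the benign svchost noise are all constructed; the executable name v5cfb6.exe and the csc.exe stage come from the report.

```python
# Constructed events in a simplified Sysmon-like shape. ProcessCreate carries
# pid/ppid/image; FileCreate carries the writing process and the target path.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "ProcessCreate", "pid": 300, "ppid": 200, "image": POWERSHELL},
    {"type": "ProcessCreate", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"type": "FileCreate", "pid": 300, "image": POWERSHELL,
     "target": r"C:\Users\victim\AppData\Roaming\v5cfb6.exe"},
    {"type": "ProcessCreate", "pid": 500, "ppid": 300,
     "image": r"C:\Users\victim\AppData\Roaming\v5cfb6.exe"},
    # Benign noise: a service host starting PowerShell should not alert.
    {"type": "ProcessCreate", "pid": 600, "ppid": 1,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "ProcessCreate", "pid": 700, "ppid": 600, "image": POWERSHELL},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ROAMING = "\\appdata\\roaming\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, procs):
    """Yield image basenames from pid up the parent chain (pid first)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield basename(procs[pid]["image"])
        pid = procs[pid]["ppid"]


def detect(events):
    """Return (rule, pid) alerts for each stage of the described chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    alerts = []
    for e in events:
        img = basename(e["image"])
        if e["type"] == "ProcessCreate":
            parents = list(ancestors(e["pid"], procs))[1:]
            if img == "powershell.exe" and OFFICE & set(parents):
                alerts.append(("office_spawns_powershell", e["pid"]))
            if img == "csc.exe" and "powershell.exe" in parents:
                alerts.append(("powershell_spawns_csc", e["pid"]))
            if (ROAMING in e["image"].lower() and img.endswith(".exe")
                    and "powershell.exe" in parents):
                alerts.append(("powershell_runs_appdata_exe", e["pid"]))
        elif e["type"] == "FileCreate":
            target = e["target"].lower()
            if img == "powershell.exe" and ROAMING in target and target.endswith(".exe"):
                alerts.append(("powershell_drops_appdata_exe", e["pid"]))
    return alerts


def rules_fired(events):
    """Distinct rule names, in the order first seen; four means the full chain."""
    names = []
    for rule, _ in detect(events):
        if rule not in names:
            names.append(rule)
    return names


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Each rule alone is noisy in some environments (developers do run csc.exe from PowerShell), which is why the example keeps the ancestry check: PowerShell under an Office parent, and csc.exe under that PowerShell, is the combination the report documents, and `rules_fired` returning all four names is a much stronger signal than any single hit.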

The actor appears to have been patient in creating each level of the infection chain to achieve their objective: the installation of the HawkEye malware.

Attribution of this activity is difficult because HawkEye is publicly available malware and is therefore used by numerous actors with various motivations. HawkEye is primarily an information-stealing malware with multiple capabilities. While its primary function is to gather credentials from email and web browser applications, it can also be configured for Antivirus (AV) bypass, Bitcoin wallet theft, and keylogging, amongst others.

Reverse Analysis within ThreatStream Threat Intelligence Platform

Anomali researchers used the ThreatStream Threat Intelligence Platform (TIP) to corroborate our findings. The analysis below shows how ThreatStream can correlate and add context to a malicious indicator.

The hash of the malicious executable (v5cfb6.exe, Hawkeye) from the analysis shown above was added as an indicator in the Investigation section within ThreatStream.

Figure 19 - The Malware Hash Added to ThreatStream Investigation

A quick VirusTotal (VT) enrichment of the hash (Figure 19) reveals that it is associated with the domain onlinepreneur[.]id, which matches the analysis conducted in the section above. In addition, the platform correlated and identified nine other file hashes associated with this domain, as shown below in Figure 20. This finding may indicate that an active campaign is ongoing in the wild (ITW).

Figure 20 - Pivoting Off of the Domain Revealed an Additional Nine Hashes

As observed in Figure 21, the domain was automatically linked to the VT-detected URL in question.

Figure 21 - The Domain Enriched to Identify the Associated URL

Moreover, the AV detection names of the identified hashes indicate that this malware is referred to as the Hawkeye Keylogger. In addition, a few other relevant URLs were associated with it.

Figure 22 - Malware Detection Names

ThreatStream has an intelligent Threat Model framework, with curated observables associated with each defined Threat Model. The screenshot below, Figure 23, shows that the hash was clearly associated with the HawkEye Threat Model in multiple instances, strengthening the conclusion that this is HawkEye malware.

Figure 23 - The Threat Model HawkEye Malware was Derived Through Enrichment

Further investigation (Figure 24) shows that there were four HawkEye Threat Bulletins associated with the domain in question, providing more certainty that this is HawkEye.

Figure 24 - The Threat Bulletins Associated to the Domain Were Enriched

ThreatStream has a well-designed and developed MITRE integration, and these associations contain specific TTPs attributed by the Anomali Community Researchers. After additional enrichment and association searches, it was evident that the observables were related to spearphishing and spam mail campaigns (Figure 25).

Figure 25 - TTPs Associated With the Domain

Figure 26 - Spearphishing Attachment TTP

Figure 27 - The IP Address Associated With the Domain

Figure 28 - COVID-19 Campaign Correlated Between Enriched Observables

After conducting the ThreatStream analysis, two angles of research on a single campaign became evident. The initial threat vector, a spam email, was the starting point of the first analysis; analysis of the malicious attachment revealed that the malware was HawkEye.

For the second method, researchers worked in the opposite direction, using ThreatStream to corroborate our findings through a different approach. Researchers took the result of the initial analysis, the hash value of the malicious executable, and investigated it in ThreatStream. The investigation was enriched further to reveal the initial infection vector as a COVID-19-themed spearphishing campaign, without needing the initial spam email.

Conclusion

This analysis depicts just one campaign in which actors are utilizing COVID-19-related themes in attempts to infect unsuspecting email recipients. The TTPs utilized in this campaign show a moderate level of actor sophistication and the use of relevant global topics. Therefore, Anomali researchers wish to share as much Coronavirus-related threat intelligence as possible to assist the community. The actor(s) behind this campaign are targeting the healthcare sector; however, we cannot confirm that other sectors have not been targeted as well.

In addition to the relevant Indicators of Compromise (IOCs) listed below, Anomali has identified, collected, curated, and compiled over 6,000 IOCs related to the worldwide COVID-19-themed campaigns that still persist. The initial findings are publicly available here.

Indicators of Compromise

Domain
onlinepreneur[.]id

URL
hxxp://onlinepreneur[.]id/manager/brain.exe

IP Address
45.64.97.178

Hashes
CORONA TREATMENT.doc
0B9E5849D3AD904D0A8532A886BD3630C4EEC3A6FAF0CC68658F5EE4A5E803BE

Embedded macro enabled worksheet
497cd119e5245f9a7bc64b3f04ff48653e88b345e222362a1fcbbf55c3155026

brain.exe
81934e5965f655408e2c0125cac069e00d26a0c30fced893080fb9b089e26772

Hawkeye Spyware C2
zakir@perfectfashion-bd[.]com
