Threat actors continue to utilize COVID-19-themed lures to distribute malware as the world responds to the Coronavirus pandemic. Anomali researchers have identified a phishing campaign that is distributing HawkEye malware via Rich Text Format (RTF) documents. This campaign is interesting because HawkEye is a commodity malware with customizable features that is used by numerous threat actors and groups, which makes attribution difficult. Furthermore, threat actors can manipulate Tactics, Techniques, and Procedures (TTPs) to specific campaigns. Anomali researches found that this campaign appears to be targeting multiple organizations in the healthcare sector.
Figure 1 - The Infection Chain
Anomali researchers identified that a recipient (name of which has been redacted) received the COVID-19-themed email, shown below in Figure 2, entitled “CORONA VIRUS CURE FOR CHINA, ITALY” with an attachment called “CORONA TREATMENT.doc.” Researchers observed through the recipient email, which has been redacted from this piece, that the target company is a medical university. In addition, the actor(s) behind this campaign are purporting to be Dr. Jin, from the Research Hospital in Israel, which the actor misspelled in the email.
Figure 2 - Malspam Email
Analysis into the attached document revealed that it is an RTF document, Figure 3. This particular variant seems to be using the objupdate switch to make the Object Linking and Embedding (OLE) object trigger while the parent document is being loaded, shown below in Figure 4. This is interesting because most RTF utilize exploits to activate the OLEs.
Figure 3 - RTF Header
Figure 4 - The objupdate Switch Within the RTF Doc
Shown in Figure 5 below, the document was embedded with five OLE objects that all appeared to be macro-enabled Excel sheets with the same hash value and size. Moreover, the embedded objects seem to be residing within the footer section of the document itself.
Figure 5 - Embedded OLE Objects
As suspected, while opening the Word document, the Excel sheet embedded within the document was loaded and immediately displayed a notification to enable the macro.
Figure 6 - The Macro Notification While the Doc. is Opening
The macro notification will popup, shown above in Figure 6, multiple times even though the user closes the notification or clicks the disable button. The five previously-discussed embedded OLE objects (Figure 5), are the evidence of where these pop-ups originate. Each of these objects have random strings inside, as shown in Figure 7 below.
Figure 7 - The Five Embedded OLE Objects Within the Footer Section of the Doc
Figure 7 shows that all of the objects have now been identified to be the same Excel sheet and macro. Additional analysis of the macro was conducted to find the reasoning behind the random strings inside the objects. Anomali researchers found that the actor(s) created a lot of spacing within the macro codes, possibly as an anti-analysis/anti-detection technique (Figure 8).
Figure 8 - Original Macro Code
Additional analysis of the macro code, shown below in Figure 9, revealed an interesting variable to examine.
Figure 9 - The Variable Mohair and Its Corresponding Value
The variable Mohair is assigned to the random strings. Therefore, the strings were residing in the sheet called vMYVb at the 134th Row and 8th Column (Column H), as shown below in Figure 10.
Figure 10 - Sheet Random String Location
Further code review shows that these random strings were deobfuscated while the macro was rendering.
After live-code debugging, the Mohair variable was found to contain the deobfuscated PowerShell script ready to execute by the call, Shell Mohair, Figure 11.
Figure 11 - Debug Output of the Macro
This PowerShell script is interesting because it is still in an obfuscated state inside the macro, Figure 12. The script contains a variable called $efd38 that also appears to be obfuscated.
Figure 12 - Deobfuscated Powershell Script from the Macro
The same above script was called in action while the macro was executed from the worksheet. Figure 13 below shows the PowerShell instance rendering the obfuscated code.
Figure 13 - The Powershell Process Calling the Script
Additional debugging lead researchers to deobfuscate the variable that revealed Windows .NET language code, shown in Figure 14.
Figure 14 - .NET Code Deduced from the Powershell Script
The .NET was executed via PowerShell and compiled with the help of a csc.exe instance. The .NET code reveals that it will initiate a call to the URL onlinepreneur[.]id/manager/brain.exe.
As of this writing, the above URL is not working and hence, researchers emulated and recreated the malicious URL communication and tracked the stages of the infection chain.
Figure 15 - Emulated Output of the Powershell Script Download Request to the URL
By analyzing the deobfuscated code, shown above in Figure 15, the payload was found to be saved within the targeted machine’s path: C:Users<username>AppDataRoaming and will rename the payload to v5cfb6.exe after being downloaded.
Figure 16 below shows that the PowerShell process did copy and rename the malicious executable to the directory mentioned above.
Figure 16 - The Powershell Process Renames and Saves the EXE Into the Specified Folder
Lastly, the payload was executed from the machine, Figure 17.
Figure 17 - The Malicious Process
Figure 18 - The Properties of the Malicious EXE Process
The actor appeared to be patient in creating each level of the infection chain to obtain his/her objective, the installation of the HawkEye malware.
Potential attribution of this activity is difficult because HawkEye is a publicly-available malware, and thus used by numerous actors with various motivations. However, HawkEye is primarily an information-stealing malware with multiple capabilities. While the primary function of Hawkeye is to gather credentials from email and web browser applications, it can also be configured to do Antivirus (AV) bypass, Bitcoin wallet theft, and keylogging, amongst others.
Reverse Analysis within ThreatStream Threat Intelligence Platform
Anomali researchers used the ThreatStream Threat Intelligence Platform (TIP) to reemphasize our findings. The below analysis shows how ThreatStream can correlate and add context to a malicious indicator.
The malicious executable’s (v5cfb6.exe, Hawkeye) hash from the analysis shown above was added as an indicator into the Investigation section within the ThreatStream.
Figure 19 - The Malware Hash Added to ThreatStream Investigation
A quick VirusTotal (VT) enrichment of the hash (Figure 19) reveals that it is associated with domain onlinepreneur[.]id. This domain matches the analysis conducted in the above section. Apart from that, the platform correlated and identified nine other file hashes associated with the current domain, as shown below in Figure 20. This finding may indicate that an active campaign is ongoing In The Wild (ITW).
Figure 20 - Pivoting Off of the Domain Revealed an Addition Nine Hashes
As observed in Figure 21, the domain linked automatically to the VT detected URL in question.
Figure 21 - The Domain Enriched to Identify the Associated URL
Moreover, the AV detection names of the identified hashes suggest that this malware is referred to as the Hawkeye Keylogger malware. In addition, there were a few other relevant URLs associated.
Figure 22 - Malware Detection Names
ThreatStream has an intelligent Threat Model framework, with curated and associated observables for each of the defined Threat Models. The below screenshot, Figure 23, shows that the hash was clearly associated with the Threat Model as HawkEye in multiple instances, strengthening the conclusion that this is HawkEye malware.
Figure 23 - The Threat Model HawkEye Malware was Derived Through Enrichment
Further investigation (Figure 24) shows there were four HawkEye Threat Bulletins associated with the domain in question. This provides more certainty that this is HawkEye.
Figure 24 - The Threat Bulletins Associated to the Domain Were Enriched
ThreatStream has a well-designed and developed MITRE integration, and these associations contain specific TTPs attributed by the Anomali Community Researchers. After additional enrichment and association searches, it was evident that the observables were related to spearphishing and spam mail campaigns, Figure 25.
Figure 25 - TTPs Associated With the Domain
Figure 26 - Spearphishing Attachment TTP
Figure 27 - The IP Address Associated With the Domain
Figure 28 - COVID-19 Campaign Correlated Between Enriched Observables
After conducting ThreatStream analysis, two angles of research for a single campaign became evident. The Initial Threat vector, which was a spam mail, was the beginning of the analysis. Analysis conducted on the malicious attachment revealed that malware was HawkEye.
For the second analysis method, researchers moved into the opposite direction by using ThreatStream to reemphasize our findings using a different approach. Researchers took the result of the initial analysis, which was a hash value of the malicious executable, and investigated in ThreatStream. The investigation was enriched further to reveal the initial infection vector as a COVID-19 themed spearphishing campaign, without needing the initial spam email.
This analysis depicts just one campaign in which actors are utilizing COVID-19 related themes in attempts to infect unsuspecting email recipients. The TTPs utilized in this campaign appear to show a moderate-level of actor sophistication and relevant global topics. Therefore, Anomali researchers wish to share as much Coronavirus-related threat intelligence as possible to assist the community. The actor(s) behind this campaign are targeting the healthcare sector, however, we cannot confirm that other sectors have not been targeted as well.
In addition to the relevant Indicators of Compromise (IOC) listed below, Anomali has identified, collected, curated, and compiled over 6,000 IOCs related to the worldwide COVID-19- themed campaigns that still persist. The initial findings are publicly available here.
Indicators of Compromise
Embedded macro enabled worksheet
Hawkeye Spyware C2