April 9, 2020
Winston Marydasan & Gage Mele

COVID-19 Themed HawkEye Phishing Campaign Targets Healthcare Sector: Dissection of the MalDoc and the Two-Way Approach

<h2>Overview</h2><p>Threat actors continue to utilize COVID-19-themed lures to distribute malware as the world responds to the Coronavirus pandemic. Anomali researchers have identified a phishing campaign that is distributing <strong>HawkEye</strong> malware via Rich Text Format (RTF) documents. This campaign is interesting because HawkEye is a commodity malware with customizable features that is used by numerous threat actors and groups, which makes attribution difficult. Furthermore, threat actors can manipulate Tactics, Techniques, and Procedures (TTPs) to specific campaigns. Anomali researches found that this campaign appears to be targeting multiple organizations in the healthcare sector.</p><p style="text-align: center;"><em><img alt="The Infection Chain" src="https://cdn.filestackcontent.com/ejYZMYJ7RWu1n8EmaEeE"/><br/> Figure 1 - The Infection Chain</em></p><h2>Technical Analysis</h2><p>Anomali researchers identified that a recipient (name of which has been redacted) received the COVID-19-themed email, shown below in Figure 2, entitled “CORONA VIRUS CURE FOR CHINA, ITALY” with an attachment called “CORONA TREATMENT.doc.” Researchers observed through the recipient email, which has been redacted from this piece, that the target company is a medical university. In addition, the actor(s) behind this campaign are purporting to be Dr. Jin, from the Research Hospital in Israel, which the actor misspelled in the email.</p><p style="text-align: center;"><em><img alt="Malspam Email" src="https://cdn.filestackcontent.com/8VH5lIbITxeYAWem0YNj"/><br/> Figure 2 - Malspam Email</em></p><p>Analysis into the attached document revealed that it is an RTF document, Figure 3. This particular variant seems to be using the <strong>objupdate</strong> switch to make the Object Linking and Embedding (OLE) object trigger while the parent document is being loaded, shown below in Figure 4. This is interesting because most RTF utilize exploits to activate the OLEs.</p><p style="text-align: center;"><em><img alt="RTF Header" src="https://cdn.filestackcontent.com/EU6xpngqQ5eO5QHBPh4t"/><br/> Figure 3 - RTF Header</em></p><p style="text-align: center;"><em><img alt="The objupdate Switch Within the RTF Doc" src="https://cdn.filestackcontent.com/sMvWBwYCQ7ebbGFjRSDO"/><br/> Figure 4 - The objupdate Switch Within the RTF Doc</em></p><p>Shown in Figure 5 below, the document was embedded with five OLE objects that all appeared to be macro-enabled Excel sheets with the same hash value and size. Moreover, the embedded objects seem to be residing within the footer section of the document itself.</p><p style="text-align: center;"><em><img alt="Embedded OLE Objects" src="https://cdn.filestackcontent.com/zWkU3tWMQuq3QHCxrI4q"/><br/> Figure 5 - Embedded OLE Objects</em></p><p>As suspected, while opening the Word document, the Excel sheet embedded within the document was loaded and immediately displayed a notification to enable the macro.</p><p style="text-align: center;"><em><img alt="The Macro Notification While the Doc. is Opening" src="https://cdn.filestackcontent.com/rB9n4IMQSWAvKndBh9ed"/><br/> Figure 6 - The Macro Notification While the Doc. is Opening</em></p><p>The macro notification will popup, shown above in Figure 6, multiple times even though the user closes the notification or clicks the disable button. The five previously-discussed embedded OLE objects (Figure 5), are the evidence of where these pop-ups originate. Each of these objects have random strings inside, as shown in Figure 7 below.</p><p style="text-align: center;"><em><img alt="The Five Embedded OLE Objects Within the Footer Section of the Doc" src="https://cdn.filestackcontent.com/A1pwVej1R9qhcuaw5OeV"/><br/> Figure 7 - The Five Embedded OLE Objects Within the Footer Section of the Doc</em></p><p>Figure 7 shows that all of the objects have now been identified to be the same Excel sheet and macro. Additional analysis of the macro was conducted to find the reasoning behind the random strings inside the objects. Anomali researchers found that the actor(s) created a lot of spacing within the macro codes, possibly as an anti-analysis/anti-detection technique (Figure 8).</p><p style="text-align: center;"><em><img alt="Original Macro Code" src="https://cdn.filestackcontent.com/jSMEwDhMRrK6EHBFjDqr"/><br/> Figure 8 - Original Macro Code</em></p><p>Additional analysis of the macro code, shown below in Figure 9, revealed an interesting variable to examine.</p><p style="text-align: center;"><em><img alt="The Variable Mohair and Its Corresponding Value" src="https://cdn.filestackcontent.com/CApFdEZVTUy2ykPSEu3F"/><br/> Figure 9 - The Variable Mohair and Its Corresponding Value</em></p><p>The variable <strong>Mohair</strong> is assigned to the random strings. Therefore, the strings were residing in the sheet called <strong>vMYVb</strong> at the 134th Row and 8th Column (Column H), as shown below in Figure 10.</p><p style="text-align: center;"><em><img alt="Sheet Random String Location" src="https://cdn.filestackcontent.com/WjUgxd62Q7uthEx0dLfQ"/><br/> Figure 10 - Sheet Random String Location</em></p><p>Further code review shows that these random strings were deobfuscated while the macro was rendering.</p><p>After live-code debugging, the <strong>Mohair</strong> variable was found to contain the deobfuscated PowerShell script ready to execute by the call, <strong>Shell Mohair</strong>, Figure 11.</p><p style="text-align: center;"><em><img alt="Debug Output of the Macro" src="https://cdn.filestackcontent.com/AuWXhLrnSQm0cxE2ef4D"/><br/> Figure 11 - Debug Output of the Macro</em></p><p>This PowerShell script is interesting because it is still in an obfuscated state inside the macro, Figure 12. The script contains a variable called <strong>$efd38</strong> that also appears to be obfuscated.</p><p style="text-align: center;"><em><img alt="Deobfuscated Powershell Script from the Macro" src="https://cdn.filestackcontent.com/lpe1GUy2QY2UYLHntBuh"/><br/> Figure 12 - Deobfuscated Powershell Script from the Macro</em></p><p>The same above script was called in action while the macro was executed from the worksheet. Figure 13 below shows the PowerShell instance rendering the obfuscated code.</p><p style="text-align: center;"><em><img alt="The Powershell Process Calling the Script" src="https://cdn.filestackcontent.com/5IqtxBtgSTzgQe4Gt9Dy"/><br/> Figure 13 - The Powershell Process Calling the Script</em></p><p>Additional debugging lead researchers to deobfuscate the variable that revealed Windows .NET language code, shown in Figure 14.</p><p style="text-align: center;"><em><img alt=".NET Code Deduced from the Powershell Script" src="https://cdn.filestackcontent.com/pGHVSqriRBeR2KCV7Mmh"/><br/> Figure 14 - .NET Code Deduced from the Powershell Script</em></p><p>The .NET was executed via PowerShell and compiled with the help of a <strong>csc.exe</strong> instance. The .NET code reveals that it will initiate a call to the URL <strong>onlinepreneur[.]id/manager/brain.exe.</strong></p><p>As of this writing, the above URL is not working and hence, researchers emulated and recreated the malicious URL communication and tracked the stages of the infection chain.</p><p style="text-align: center;"><em><img alt="Emulated Output of the Powershell Script Download Request to the URL" src="https://cdn.filestackcontent.com/ZStTJZ0qQmewvYEdnf4X"/><br/> Figure 15 - Emulated Output of the Powershell Script Download Request to the URL</em></p><p>By analyzing the deobfuscated code, shown above in Figure 15, the payload was found to be saved within the targeted machine’s path: <strong>C:Users<username>AppDataRoaming</username></strong> and will rename the payload to <strong>v5cfb6.exe</strong> after being downloaded.</p><p>Figure 16 below shows that the PowerShell process did copy and rename the malicious executable to the directory mentioned above.</p><p style="text-align: center;"><em><img alt="The Powershell Process Renames and Saves the EXE Into the Specified Folder" src="https://cdn.filestackcontent.com/Zub7UFKRM29wnRVKRBb7"/><br/> Figure 16 - The Powershell Process Renames and Saves the EXE Into the Specified Folder</em></p><p>Lastly, the payload was executed from the machine, Figure 17.</p><p style="text-align: center;"><em><img alt="The Malicious Process" src="https://cdn.filestackcontent.com/ikHV9IsfRNa5Fu8gtHeQ"/><br/> Figure 17 - The Malicious Process</em></p><p style="text-align: center;"><em><img alt="The Properties of the Malicious EXE Process" src="https://cdn.filestackcontent.com/aKbWhFQRThqFM5ZVKZxB"/><br/> Figure 18 - The Properties of the Malicious EXE Process</em></p><p>The actor appeared to be patient in creating each level of the infection chain to obtain his/her objective, the installation of the <strong>HawkEye</strong> malware.</p><p>Potential attribution of this activity is difficult because HawkEye is a publicly-available malware, and thus used by numerous actors with various motivations. However, HawkEye is primarily an information-stealing malware with multiple capabilities. While the primary function of Hawkeye is to gather credentials from email and web browser applications, it can also be configured to do Antivirus (AV) bypass, Bitcoin wallet theft, and keylogging, amongst others.</p><h2>Reverse Analysis within ThreatStream Threat Intelligence Platform</h2><p>Anomali researchers used the ThreatStream Threat Intelligence Platform (TIP) to reemphasize our findings. The below analysis shows how ThreatStream can correlate and add context to a malicious indicator.</p><p>The malicious executable’s (<strong>v5cfb6.exe</strong>, Hawkeye) hash from the analysis shown above was added as an indicator into the <strong>Investigation</strong> section within the ThreatStream.</p><p style="text-align: center;"><em><img alt="The Malware Hash Added to ThreatStream Investigation" src="https://cdn.filestackcontent.com/PHYAyf79RV2WTUnUEHbG"/><br/> Figure 19 - The Malware Hash Added to ThreatStream Investigation</em></p><p>A quick VirusTotal (VT) enrichment of the hash (Figure 19) reveals that it is associated with domain <strong>onlinepreneur[.]id</strong>. This domain matches the analysis conducted in the above section. Apart from that, the platform correlated and identified nine other file hashes associated with the current domain, as shown below in Figure 20. This finding may indicate that an active campaign is ongoing In The Wild (ITW).</p><p style="text-align: center;"><em><img alt="Pivoting Off of the Domain Revealed an Addition Nine Hashes" src="https://cdn.filestackcontent.com/V3hDb44eTCuOLZj5GKdh"/><br/> Figure 20 - Pivoting Off of the Domain Revealed an Addition Nine Hashes</em></p><p>As observed in Figure 21, the domain linked automatically to the VT detected URL in question.</p><p style="text-align: center;"><em><img alt="The Domain Enriched to Identify the Associated URL" src="https://cdn.filestackcontent.com/cUP8Vr3hR9WgFsFOoXfX"/><br/> Figure 21 - The Domain Enriched to Identify the Associated URL</em></p><p>Moreover, the AV detection names of the identified hashes suggest that this malware is referred to as the Hawkeye Keylogger malware. In addition, there were a few other relevant URLs associated.</p><p style="text-align: center;"><em><img alt="Malware Detection Names" src="https://cdn.filestackcontent.com/kCljR8OXTOZ44mEpqOmg"/><br/> Figure 22 - Malware Detection Names</em></p><p>ThreatStream has an intelligent Threat Model framework, with curated and associated observables for each of the defined Threat Models. The below screenshot, Figure 23, shows that the hash was clearly associated with the Threat Model as <strong>HawkEye</strong> in multiple instances, strengthening the conclusion that this is HawkEye malware.</p><p style="text-align: center;"><em><img alt="The Threat Model HawkEye Malware was Derived Through Enrichment" src="https://cdn.filestackcontent.com/t4Z8xbOuRAmrv8HMxAM3"/><br/> Figure 23 - The Threat Model HawkEye Malware was Derived Through Enrichment</em></p><p>Further investigation (Figure 24) shows there were four HawkEye Threat Bulletins associated with the domain in question. This provides more certainty that this is HawkEye.</p><p style="text-align: center;"><em><img alt="The Threat Bulletins Associated to the Domain Were Enriched" src="https://cdn.filestackcontent.com/9oN7PTbSa6acEVUL3hAQ"/><br/> Figure 24 - The Threat Bulletins Associated to the Domain Were Enriched</em></p><p>ThreatStream has a well-designed and developed MITRE integration, and these associations contain specific TTPs attributed by the Anomali Community Researchers. After additional enrichment and association searches, it was evident that the observables were related to spearphishing and spam mail campaigns, Figure 25.</p><p style="text-align: center;"><em><img alt="TTPs Associated With the Domain" src="https://cdn.filestackcontent.com/zn04SXtjR46Fx5fmgXvB"/><br/> Figure 25 - TTPs Associated With the Domain</em></p><p style="text-align: center;"><em><img alt="Spearphishing Attachment TTP" src="https://cdn.filestackcontent.com/dW1J2TaFTWS30EXbUFW1"/><br/> Figure 26 - Spearphishing Attachment TTP</em></p><p style="text-align: center;"><em><img alt="The IP Address Associated With the Domain" src="https://cdn.filestackcontent.com/BUY0E53SYmVY7rA0poSD"/><br/> Figure 27 - The IP Address Associated With the Domain</em></p><p style="text-align: center;"><em><img alt="COVID-19 Campaign Correlated Between Enriched Observables" src="https://cdn.filestackcontent.com/nBDdq7UtRqiYI167GFYH"/><br/> Figure 28 - COVID-19 Campaign Correlated Between Enriched Observables</em></p><p>After conducting ThreatStream analysis, two angles of research for a single campaign became evident. The Initial Threat vector, which was a spam mail, was the beginning of the analysis. Analysis conducted on the malicious attachment revealed that malware was HawkEye.</p><p>For the second analysis method, researchers moved into the opposite direction by using ThreatStream to reemphasize our findings using a different approach. Researchers took the result of the initial analysis, which was a hash value of the malicious executable, and investigated in ThreatStream. The investigation was enriched further to reveal the initial infection vector as a COVID-19 themed spearphishing campaign, without needing the initial spam email.</p><h2>Conclusion</h2><p>This analysis depicts just one campaign in which actors are utilizing COVID-19 related themes in attempts to infect unsuspecting email recipients. The TTPs utilized in this campaign appear to show a moderate-level of actor sophistication and relevant global topics. Therefore, Anomali researchers wish to share as much Coronavirus-related threat intelligence as possible to assist the community. The actor(s) behind this campaign are targeting the healthcare sector, however, we cannot confirm that other sectors have not been targeted as well.</p><p>In addition to the relevant Indicators of Compromise (IOC) listed below, Anomali has identified, collected, curated, and compiled over 6,000 IOCs related to the worldwide COVID-19- themed campaigns that still persist. The <a href="https://www.anomali.com/blog/anomali-aggregates-open-source-threat-intelligence-to-fight-covid-19-themed-cyber-attacks">initial findings are publicly available here</a>.</p><h2>Indicators of Compromise</h2><p><strong>Domain</strong><br/> onlinepreneur[.]id</p><p><strong>URL</strong><br/> hxxp://onlinepreneur[.]id/manager/brain.exe</p><p><strong>IP Address</strong><br/></p><p><strong>Hashes</strong><br/> CORONA TREATMENT.doc<br/> 0B9E5849D3AD904D0A8532A886BD3630C4EEC3A6FAF0CC68658F5EE4A5E803BE</p><p>Embedded macro enabled worksheet<br/> 497cd119e5245f9a7bc64b3f04ff48653e88b345e222362a1fcbbf55c3155026</p><p>brain.exe<br/> 81934e5965f655408e2c0125cac069e00d26a0c30fced893080fb9b089e26772</p><p><strong>Hawkeye Spyware C2</strong><br/> zakir@perfectfashion-bd[.]com</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.