Overview
Threat actors continue to use COVID-19-themed lures to distribute malware as the world responds to the Coronavirus pandemic. Anomali researchers have identified a phishing campaign that is distributing HawkEye malware via Rich Text Format (RTF) documents. This campaign is interesting because HawkEye is a commodity malware with customizable features that is used by numerous threat actors and groups, which makes attribution difficult. Furthermore, threat actors can tailor their Tactics, Techniques, and Procedures (TTPs) to specific campaigns. Anomali researchers found that this campaign appears to be targeting multiple organizations in the healthcare sector.
Figure 1 - The Infection Chain
Technical Analysis
Anomali researchers identified that a recipient (whose name has been redacted) received the COVID-19-themed email shown below in Figure 2, entitled “CORONA VIRUS CURE FOR CHINA, ITALY”, with an attachment called “CORONA TREATMENT.doc.” Researchers observed from the recipient's email address, which has been redacted from this piece, that the target company is a medical university. In addition, the actor(s) behind this campaign purport to be a Dr. Jin from the Research Hospital in Israel, which the actor misspelled in the email.
Figure 2 - Malspam Email
Analysis of the attached document revealed that it is an RTF document (Figure 3). This particular variant uses the objupdate switch to make the embedded Object Linking and Embedding (OLE) object trigger while the parent document is being loaded, shown below in Figure 4. This is notable because most malicious RTF documents rely on exploits to activate their OLE objects.
Figure 3 - RTF Header
Figure 4 - The objupdate Switch Within the RTF Doc
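The objupdate behaviour described above is also a useful static triage signal for defenders: a document that carries an \objupdate control word on its embedded objects will activate those objects as soon as Word loads it, with no exploit needed. The following Python script is an added example written for this post, not Anomali's tooling; it counts \object groups, \objupdate switches and the OLE class names declared with \objclass, and flags the combination. The RTF samples embedded in it are constructed skeletons that mimic the structure described, not the real attachment, and the "five or more objects" threshold is an assumption chosen for illustration.

```python
"""Static triage of an RTF file for the \\objupdate auto-trigger pattern.

Added example (not Anomali's code). Sample documents below are constructed.
"""
import json
import re
import sys
from collections import Counter

# Constructed sample: structure only, mimicking embedded OLE objects that carry
# the \objupdate switch plus one ordinary embedded object. Not the real file.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}
\pard Please see the attached treatment notes.\par
{\object\objemb\objupdate{\*\objclass Excel.SheetMacroEnabled.12}{\*\objdata 0105000002000000}}
{\object\objemb\objupdate{\*\objclass Excel.SheetMacroEnabled.12}{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Word.Document.12}{\*\objdata 0105000002000000}}
\par}"""

# Constructed benign control: an embedded object without \objupdate.
BENIGN_RTF = rb"""{\rtf1\ansi{\object\objemb{\*\objclass Paint.Picture}{\*\objdata 0105}}}"""

RE_OBJECT = re.compile(rb"\\object\b")                      # start of an embedded object group
RE_OBJUPDATE = re.compile(rb"\\objupdate\b")                # forces the object to update on load
RE_OBJCLASS = re.compile(rb"\\objclass\s*([^\\{};\s]+)")    # declared OLE class name

MANY_OBJECTS = 5   # assumed threshold for "unusually many embedded objects"


def triage_rtf(data: bytes) -> dict:
    """Return object/objupdate counts, OLE class names and a suspicious verdict."""
    # Word also accepts truncated headers such as {\rt, so match the shortest form.
    if not data.lstrip().startswith(b"{\\rt"):
        raise ValueError("not an RTF document: header does not begin with {\\rt")

    objects = len(RE_OBJECT.findall(data))
    objupdates = len(RE_OBJUPDATE.findall(data))
    classes = Counter(m.decode("ascii", "replace") for m in RE_OBJCLASS.findall(data))
    macro_enabled = sum(n for cls, n in classes.items() if "MacroEnabled" in cls)

    reasons = []
    if objupdates:
        reasons.append(f"{objupdates} \\objupdate switch(es): object(s) activate on document load")
    if macro_enabled:
        reasons.append(f"{macro_enabled} macro-enabled Office object(s) embedded")
    if objects >= MANY_OBJECTS:
        reasons.append(f"{objects} embedded objects in a single document")

    return {
        "objects": objects,
        "objupdate": objupdates,
        "classes": dict(classes),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Usage: python rtf_triage.py [file.rtf]; without a path the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    print(json.dumps(triage_rtf(data), indent=2))
```

The regexes deliberately match raw control words rather than parsing the full RTF grammar, so they also catch documents whose header has been shortened or padded, which a strict parser might reject. Treat a hit as a reason to pull the file into a sandbox, not as proof of maliciousness on its own: \objupdate has legitimate uses, and the verdict here only says that the document will activate embedded objects at load time.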
As shown in Figure 5 below, the document embeds five OLE objects, all of which appear to be macro-enabled Excel sheets with the same ..