All over the world, society is currently being asked to pull together to master the coronavirus pandemic and to protect the vulnerable from infection. Unfortunately, cybercriminals are now exploiting the fear of infection with COVID-19 for their own ends. A large-scale phishing campaign is currently under way in which e-mails are sent in the name of the head of the World Health Organization (WHO) in order to install the HawkEye keylogger malware on as many computers as possible.
The campaign was discovered by security researchers from IBM X-Force. The message purports to come from Dr. Tedros Adhanom Ghebreyesus, Director-General of the WHO, and carries the subject line “Coronavirus disease (COVID-19) outbreak and cure update”. The text refers to an attachment that supposedly provides information on medication recommended for preventing and quickly curing the disease. This attachment bears the promising name “Coronavirus Disease (COVID-19) CURE.exe” and is a .NET executable that, via several intermediate stages, acts as a loader for HawkEye.
HawkEye is a keylogger designed to capture all keyboard input and thus harvest data entered by the user. It is usually spread via infected Word, Excel, PowerPoint or RTF files. Once installed, it records e-mail addresses and passwords entered in Internet Explorer, Chrome, Firefox or Safari. It can log keystrokes as well as take screenshots and forward them to its operators. In earlier phishing campaigns that used the malware, booking confirmations or bank correspondence served as bait, for example.
In the current case, a closer look at the e-mail would be enough to spot the forgery. As is so often the case, it contains spelling errors, which would be unlikely in an official WHO announcement. That you should not open a .exe file of unknown origin is by now common knowledge. Nevertheless, it can be assumed that the criminals will have some success with their latest scam: many people’s fear of the coronavirus is too great, and the prospect of a cure too tempting.
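The two indicators mentioned above (a sender claiming to be the WHO from a non-WHO address, and an executable attachment) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from IBM X-Force; it assumes who.int is the WHO's legitimate domain, and the sample message it builds is constructed for illustration.

```python
"""Mail-triage check for the indicators described in the article: a sender
claiming to be the WHO and an executable attachment. Added example; the
WHO domain who.int and the sample message below are assumptions."""
import email
import os.path
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions that execute code when opened (not an exhaustive list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi"}
WHO_DOMAINS = {"who.int"}  # assumed legitimate sender domain for the WHO
WHO_NAME = re.compile(r"\bwho\b|world health organi[sz]ation", re.I)


def triage(raw: str) -> list[str]:
    """Return human-readable findings for a raw RFC 5322 message; empty = nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims the WHO, but the actual address is not on a WHO domain.
    if WHO_NAME.search(name) and domain not in WHO_DOMAINS:
        findings.append(f"sender '{name}' claims WHO but address domain is '{domain}'")
    # Any attachment whose final extension is executable (also catches cure.pdf.exe).
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if os.path.splitext(fname)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {fname}")
    return findings


def build_sample() -> str:
    """Constructed message modelled on the campaign's lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = '"World Health Organization (WHO)" <director-general@who-update.example>'
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Coronavirus disease (COVID-19) outbreak and cure update"
    msg.set_content("Please see the atached document on recomended medication.")
    msg.add_attachment(b"MZ placeholder bytes, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="Coronavirus Disease (COVID-19) CURE.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

Spelling-error detection, the third indicator the article names, is deliberately left to a human reader or a dedicated spam-scoring engine; the checks here are the ones a gateway can apply without false positives.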
Have you already received such an e-mail? If so, do not open it, and delete it as soon as possible.
Protect yourself and be safe on the internet.