
Rewterz Threat Alert – HawkEye Keylogger uses COVID19 Advice from WHO

Severity

High

Analysis Summary

There is a new variant of the HawkEye keylogging malware making the rounds, featuring expanded info-stealing capabilities. Its operators are looking to capture the zeitgeist around the novel coronavirus. It is being distributed using spam that purports to be an “alert” from the Director-General of the World Health Organization (WHO). The email campaign kicked off Thursday and has rolled out in multiple waves. The emails claim to be directly from WHO’s Dr. Tedros Adhanom Ghebreyesus, giving an update on COVID-19 infections and drug advice. The salutation in the message body is personalized with a username taken from the recipient’s email address.

Impact

Theft of sensitive information

Indicators of Compromise

Domain Name

  • eagleeyeapparels[.]com
  • ypsmko[.]com

Source IP

  • 185[.]208[.]211[.]173
  • 54[.]39[.]139[.]67

URL

  • http[:]//ypsmKO[.]com

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to COVID-19-themed emails.
  • Do not download untrusted email attachments.
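As an added example (not part of the Rewterz alert), the following Python refangs the indicators listed above and checks them against constructed DNS and proxy log lines. Hostnames are matched case-insensitively, since the published URL differs in case from the domain entry, and subdomains of the listed domains are flagged as well.

```python
import re

# Indicators from the alert, kept defanged as published
DEFANGED_DOMAINS = ["eagleeyeapparels[.]com", "ypsmko[.]com"]
DEFANGED_IPS = ["185[.]208[.]211[.]173", "54[.]39[.]139[.]67"]
DEFANGED_URLS = ["http[:]//ypsmKO[.]com"]

def refang(ioc):
    """Turn a defanged indicator back into its real form for matching."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

def build_blocklist():
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    # URL hostnames fold into the domain set; hostname matching is case-insensitive
    for u in DEFANGED_URLS:
        host = re.sub(r"^https?://", "", refang(u)).split("/")[0].lower()
        domains.add(host)
    ips = {refang(i) for i in DEFANGED_IPS}
    return domains, ips

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # dotted names ending in a letter TLD
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")               # dotted-quad IPv4 addresses

def scan_logs(lines, domains, ips):
    """Return (line_number, indicator) pairs for every log line touching a listed IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HOST_RE.findall(line):
            hl = h.lower()
            if hl in domains or any(hl.endswith("." + d) for d in domains):
                hits.append((n, hl))
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
    return hits

# Constructed sample log lines (not from the alert); only lines 2, 3 and 5 should match
SAMPLE_LOGS = [
    "2020-03-25T10:02:11Z dns query client=10.0.0.5 qname=www.example.com type=A",
    "2020-03-25T10:02:14Z dns query client=10.0.0.5 qname=YPSMKO.com type=A",
    "2020-03-25T10:02:15Z proxy client=10.0.0.5 dst=54.39.139.67:443 CONNECT",
    "2020-03-25T10:03:40Z proxy client=10.0.0.7 dst=93.184.216.34:443 CONNECT",
    "2020-03-25T10:04:01Z dns query client=10.0.0.9 qname=cdn.eagleeyeapparels.com type=A",
]

if __name__ == "__main__":
    d, i = build_blocklist()
    for n, ioc in scan_logs(SAMPLE_LOGS, d, i):
        print(f"line {n}: matched indicator {ioc}")
```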