Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change

Jun 04, 2019
Cyber Security

After the HawkEye malware kit changed hands and saw fresh development, researchers have spotted the keylogger in several malicious email campaigns.

The HawkEye malware kit and information stealer has turned up in a newly discovered wave of campaigns following a recent ownership change.

While the keylogger has been in continuous development since 2013, in December a thread on a hacking forum announced an ownership change, after which posts began to appear on hacking forums selling new versions of the kit. “HawkEye Reborn v9” sports new anti-detection features and other changes, analysts said.

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” said Edmund Brumaghin and Holger Unterbrink, researchers with Cisco Talos, in a Monday analysis. “HawkEye has been active across the threat landscape for a long time, and will likely continue to be used in the future as long as the developer of this kit can monetize their efforts.”

This latest version of HawkEye is sold under a licensing model (buyers get access to the product and future updates according to a tiered pricing structure), and is being advertised on hacking sites as an “advanced monitoring solution.”

“The current developer of the HawkEye Reborn keylogger/stealer is continuously adding support for different applications and software platforms to facilitate the theft of sensitive information and account credentials,” researchers told Threatpost. “The malware has recently undergone changes to the way in which it is obfuscated and additional anti-analysis techniques have been implemented as well.”

HawkEye Reborn v9 also now ships with a terms-of-service agreement: while the seller says the keylogger should only be used on systems the buyer has permission to monitor, the agreement also prohibits scanning HawkEye Reborn v9 executables with antivirus software.

In a further effort “to minimize the probability that anti-malware solutions will detect HawkEye Reborn binaries,” researchers said, the keylogger now also comes with several anti-analysis features, such as an anti-debugging thread and the ability to disable certain antivirus-related programs.

Alongside the ownership change, researchers observed a wave of campaigns from late 2018 into 2019 that use this latest version of the malware.

The malicious email campaigns consist of messages that appear to be requesting invoices, bills of materials, order confirmations and other items associated with normal corporate functions. In reality, the messages arrive with malicious Microsoft Excel attachments (which exploit an arbitrary code execution bug in Microsoft Office, CVE-2017-11882), as well as RTF (Rich Text Format) or Doc documents.

Once a victim opens the attachment, they find that the senders have deliberately made the document contents look blurry, and the user is prompted to enable editing to get a clearer view. Once they do, the injection process begins and the HawkEye keylogger is downloaded.
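The lure chain above (invoice-themed Excel, RTF or Doc attachments carrying an Equation Editor object that abuses CVE-2017-11882) can be triaged before anyone clicks “enable editing”. The following Python script is an added example, not code from Cisco Talos or from the HawkEye kit: it flags RTF and OOXML (.docx/.xlsx) attachments that embed an Equation Editor 3.0 OLE object, the Office component the CVE-2017-11882 exploit documents target. The Equation Editor CLSID, the `Equation Native` stream name and the OLE 1.0 `Equation.3` class name are real indicators; the sample attachments, file names and helper names are constructed for this example.

```python
"""Attachment triage for Equation Editor exploit lures (CVE-2017-11882).

Added example, not Talos or HawkEye code.  Flags RTF and OOXML attachments
that embed an Equation Editor 3.0 OLE object, the Office component abused by
the CVE-2017-11882 exploit documents used in the campaigns described above.
"""
from __future__ import annotations

import io
import re
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian on-disk layout found inside OLE compound files.
EQNEDT_CLSID = bytes.fromhex("02ce02000000000000c000000000000046")
# Stream name Equation Editor writes its payload to, UTF-16LE as stored in
# compound-file directory entries.
EQN_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def scan_rtf(data: bytes) -> list[str]:
    """Look for an Equation Editor object inside RTF \\object groups."""
    hits = []
    for cls in OBJCLASS_RE.findall(data):
        if cls.lower().startswith(b"equation"):
            hits.append(f"rtf:objclass {cls.decode()}")
    for blob in OBJDATA_RE.findall(data):
        hexstr = re.sub(rb"\s", b"", blob)
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        try:
            raw = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue
        if b"Equation.3" in raw or EQNEDT_CLSID in raw or EQN_NATIVE_UTF16 in raw:
            hits.append("rtf:objdata embeds Equation Editor object")
    return hits


def scan_ooxml(data: bytes) -> list[str]:
    """Look for an Equation Editor object embedded in an OOXML zip container."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            member = zf.read(name)
            if re.search(r"embeddings/.*\.bin$", name):
                if EQNEDT_CLSID in member or EQN_NATIVE_UTF16 in member:
                    hits.append(f"ooxml:{name} is an Equation Editor object")
            elif name.endswith(".xml") and b"Equation.3" in member:
                hits.append(f"ooxml:{name} references ProgID Equation.3")
    return hits


def triage_attachment(data: bytes) -> list[str]:
    """Dispatch on file magic, not extension: lure attachments are often mislabelled.

    Word accepts RTF whose header is truncated to "{\\rt", so match on that prefix.
    """
    head = data.lstrip()
    if head.startswith(b"{\\rt"):
        return scan_rtf(data)
    if head.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []


# --- constructed sample attachments (not real campaign files) ---------------

def _ole1_equation_object() -> bytes:
    # OLE 1.0 object header: version 0x00000501, format 2 (embedded object),
    # then a length-prefixed ANSI class name "Equation.3\0".
    class_name = b"Equation.3\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(class_name).to_bytes(4, "little") + class_name)


MALICIOUS_RTF = (
    b"{\\rtf1\\ansi Please find the requested invoice attached.\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + _ole1_equation_object().hex().encode() + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Bill of materials for the order discussed.}"


def build_xlsx(with_equation_object: bool) -> bytes:
    """Minimal OOXML zip; optionally adds a stand-in Equation Editor OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation_object:
            # Stand-in for a compound file: CFB signature, padding, the
            # Equation Native stream name and the Equation Editor CLSID.
            blob = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                    + EQN_NATIVE_UTF16 + b"\x00" * 8 + EQNEDT_CLSID)
            zf.writestr("xl/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.rtf": MALICIOUS_RTF,
        "bom.rtf": BENIGN_RTF,
        "invoice.xlsx": build_xlsx(True),
        "quote.xlsx": build_xlsx(False),
    }
    for fname, blob in samples.items():
        print(fname, "->", triage_attachment(blob) or "clean")
```

Treat this as a first-pass mail-gateway or sandbox filter rather than a verdict: real exploit RTFs pad `\objdata` with junk control words, split the hex across lines and hide the object behind `\bin` blobs, so a hit is a strong signal but a miss proves nothing. The durable fix is the one the campaign relies on victims lacking: the November 2017 Office update for CVE-2017-11882, and the later removal of the Equation Editor component, so that enabling editing on a blurry invoice no longer hands the attacker code execution.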

The malware then harvests sensitive information, such as system details, passwords saved in common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.

The Cisco Talos researchers for further details about the campaigns, including how many there have been, and what victims have been targeted.

Looking ahead, researchers warn that HawkEye will keep evolving. More significantly, though, the kit represents yet another offering that lowers the barrier to entry for bad actors who may not have the programming skills to carry out advanced attacks themselves.

“In many cases, the adversaries using these tools do not need to have programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground,” researchers said.