Pierluigi Paganini April 17, 2019

A new variant of the HawkEye data stealer emerges in the threat landscape as part of ongoing malware distribution campaigns.

New malware campaigns leveraging a new variant of the HawkEye data stealer have been observed by experts at Talos. The malware has been under active development since at least 2013 and it is offered for sale on various hacking forums as a keylogger and stealer, it allows to monitor systems and exfiltrate information.

The latest variant appeared in the cybercrime underground in December 2018, it was named HawkEye Reborn v9. The author is selling it through a licensing model and is also offering access to updates for specific periods of time.

The malicious code also comes with a Terms of Service agreement that provides some additional insight, for example, the author specifies that HawkEye Reborn should only be used on systems with permission and forbid scanning the malware executables with antivirus software.

Experts at Talos observed threat actors spreading the malware via malicious email campaigns starting with the second half of 2018 and continuing into 2019.

“For several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer.” reads the analysis published by Talos.

“The email campaigns that have been observed feature characteristics that are consistent with what is commonly seen with malspam campaigns, with the emails purporting to be associated with various documents such as invoices, bills of materials, order confirmations, and other corporate functions.”

The messages use weaponized Microsoft Excel, RTF and DOC documents to deliver the malware.

“The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office.” continues the analysis.

In some cases, experts observed threat actors using file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.

Talos researchers found similarities (i.e. Metadata, techniques to trick the user into enabling content) between the above documents and the ones analyzed in previous attacks distributing the Remcos Trojan.

Many of the distribution servers hosting the HawkEye binaries also contain additional stealers, RATs, and other malware.

The keylogger also implements anti-analysis features and is able to disable certain anti-virus solutions.

“As mentioned above, in the comments of the main loop section, it also comes with several anti-analysis features, including starting an anti-debugging thread or disabling certain AV-related programs via the Image File Execution Options (IFEO) evasion technique by registering invalid debuggers that redirect and effectively disable various system and security applications.” states the analysis.

The malware attempts to gather as much possible information from infected systems, including machine name, username, privileges, country, IP, MAC address, BIOS, operating system, hardware data, installed browsers, antivirus, and firewalls.

The malware also steals passwords from several browsers, including FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The stolen data is sent to the attacker’s email address.

The malware is still using the MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords. 

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes. “HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts.”

Pierluigi Paganini

(SecurityAffairs – malware, HawkEye)

[adrotate banner=”5″]

[adrotate banner=”13″]