HawkEye Keylogger is involved in attacks against business users

Experts at IBM X-Force observed a new campaign involving the HawkEye keylogger in April and May 2019 aimed at business users.

Malware attacks leveraging a new variant of the HawkEye keylogger have been observed by experts at Talos. The malware has been under active development since at least 2013 and it is offered for sale on various hacking forums as a keylogger and stealer. It allows to monitor systems and exfiltrate information.

The latest variant appeared in the cybercrime underground in December 2018, it was named HawkEyeReborn v9. The author is selling it through a licensing model and is also offering access to updates for specific periods of time.

“IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world.” reads the analysis published by Cisco Talos. “In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. “

In April 2019, threat actors launched numerous campaigns aimed at targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

Attackers delivered the keylogger through malspam campaigns focused on business users. The messages pose as messages sent from a large bank in Spain or fake emails from legitimate companies or from other financial institution.

“X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts.” continues the post.

Experts noticed that the malspam campaign is originated from Estonia, the malware while experts observed infections worldwide.

“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets.” concludes Cisco. “It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns,” IBM concluded.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – HawkEye, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.