HawkEye Malware Operators Renew Attacks on Business Users


May 27, 2019 - Limor Kessem - IBM




IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting companies worldwide. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on business users, with the goal of infecting them with advanced keylogging malware that can also download additional malware onto their devices. Industries targeted in the April 2019 campaigns X-Force observed included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to drop other malware onto the device as a service for third-party cybercrime actors. Monetizing botnets in this way is quite common today, with several gangs collaborating with each other to maximize their potential profits.


HawkEye Malware: Reborn... Once Again

HawkEye malware has been around for six years. It is a commercial offering sold on the dark web by a development and support team that continually improves its code, adds modules, and supplements it with stealth features. In 2018, after a break in activity in 2017, HawkEye was back with a new version and name: HawkEye Reborn v8.

But while HawkEye started out with a single owner in its early years, it was eventually sold in December 2018 to a new owner, an actor operating under the online alias CerebroTech. The latter changed the version number to HawkEye Reborn v9.0, updated the terms of service for the sale of the malware, and currently distributes it on the dark web and through resellers. CerebroTech appears to be releasing frequent fixes to the malware as part of serving its dubious buyers in the darkest enclaves of the web.

HawkEye Malware - The Target: Business Users

Having analyzed the spam messages spreading HawkEye, X-Force researchers can see that the operators behind the campaign are targeting corporate users. In the cybercrime arena, most financially motivated threat actors focus on companies, because that is where they can make bigger profits than by attacking individual users. Companies have more data, many users on the same network, and larger bank accounts for criminals to target. X-Force is not surprised to see HawkEye operators follow a trend that has become something of a cybercrime norm.

To gain the trust of potential new victims, some spam messages came disguised as email from a major bank in Spain, but other messages carrying HawkEye infections came in a variety of formats, including fake emails from legitimate companies or other banks.

X-Force researchers note that the infection process is based on several executable files that leverage malicious PowerShell scripts. The following image is a schematic view of this flow.

[Figure: HawkEye infection flow]


A technical description of the infection routine, with the relevant indicators of compromise (IoCs), can be accessed on X-Force Exchange.

The spamming IP addresses came from Estonia, while the targeted users were located in countries around the world. For HawkEye, which can be operated by any number of actors because it is a commercial offering, these details change with every campaign. That said, some campaigns reviewed by X-Force in April and May 2019 show that the infrastructure from which the spam originates is hosted on similar assets. HawkEye operators may be paying for additional services from the malware vendor, or from another cybercrime vendor that supplies spam campaigns.

 HawkEye Malware: Keeping Up with Malspam Campaigns

Malware infection campaigns are a daily occurrence in the cybercrime arena, and defenders know they face more of them than they can count. So why track campaigns?

Threat intelligence on phishing and malware campaigns can help strengthen the first lines of defense by helping security teams:

  • Block suspicious and malicious IPs from interacting with your users.
  • Anticipate and warn of trending attacks, and educate both management and users about new formats and strategies.
  • Learn about new attack tactics, techniques, and procedures (TTPs) to better assess the business risks relevant to your organization as cybercriminals develop their arsenals.
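Two of the points above lend themselves to a concrete detection routine: blocking known-bad sender IPs (first bullet) and spotting the PowerShell-based infection chain the article describes. The following script is an added example, not code from the original post or from IBM X-Force. It matches constructed mail-gateway log lines against a constructed IoC blocklist, and flags process-creation events in which a PowerShell interpreter is launched by an Office application or by an executable running from a user-writable directory. Every IP address, path, host name and log format below is a placeholder constructed for the example; none of them are indicators from the article, which are published separately on X-Force Exchange.

```python
"""Added example: IoC blocklist matching and PowerShell-chain detection.

All indicators, log lines and event schemas here are constructed placeholders
(assumptions for the example), not the campaign IoCs from the article.
"""
import ipaddress
import re

# Constructed blocklist (RFC 5737 documentation ranges, i.e. placeholders).
# In practice this list would be loaded from a threat-intelligence feed.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed mail-gateway log lines; the syslog-like layout is an assumption.
MAIL_LOG = """\
2019-04-12T08:01:13Z mailgw connect from 192.0.2.44 helo=mx.example.net
2019-04-12T08:02:51Z mailgw connect from 203.0.113.77 helo=bank-notice.example
2019-04-12T08:03:02Z mailgw connect from 198.51.100.7 helo=invoice.example
2019-04-12T08:04:20Z mailgw connect from 192.0.2.45 helo=partner.example
"""

CONNECT_RE = re.compile(r"connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def blocked_senders(log_text, networks=BLOCKED_NETWORKS):
    """Return (timestamp, ip) for every SMTP connection from a blocklisted network."""
    hits = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group("ip"))
        if any(ip in net for net in networks):
            hits.append((line.split()[0], str(ip)))
    return hits


# Constructed process-creation events. The field names are modelled loosely
# on Sysmon / Windows 4688-style logging; the exact schema is an assumption.
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc AAAA"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\ProgramData\inventory.ps1"},
]

POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
SUSPICIOUS_ARGS_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b)", re.IGNORECASE)


def suspicious_powershell(events):
    """Return (parent_image, reasons) for PowerShell launches that match the
    dropper pattern: an Office parent, a parent running from a user-writable
    directory, or hidden / encoded / no-profile arguments."""
    findings = []
    for event in events:
        if not POWERSHELL_RE.search(event["image"]):
            continue
        reasons = []
        if OFFICE_RE.search(event["parent"]):
            reasons.append("parent is an Office application")
        if USER_WRITABLE_RE.match(event["parent"]):
            reasons.append("parent runs from a user-writable directory")
        if SUSPICIOUS_ARGS_RE.search(event["cmdline"]):
            reasons.append("hidden/encoded/no-profile arguments")
        if reasons:
            findings.append((event["parent"], reasons))
    return findings


if __name__ == "__main__":
    for stamp, ip in blocked_senders(MAIL_LOG):
        print(f"BLOCK  {stamp}  {ip}")
    for parent, reasons in suspicious_powershell(PROCESS_EVENTS):
        print(f"ALERT  {parent}: {', '.join(reasons)}")
```

The fourth process event (a scheduled inventory script launched from a system service, with no hidden or encoded arguments) is deliberately left unflagged: the point of combining parent image, parent location and argument heuristics is to keep legitimate administrative PowerShell out of the alert queue while still catching the executable-drops-script chain the article describes.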


About SAFEWAY

SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence with our clients, many of which are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!