New Variant of HawkEye Stealer Emerges

A new variant of HawkEye, a piece of malware used for keylogging and data theft, is being leveraged in ongoing malware distribution campaigns, Cisco’s Talos security researchers warn.

A malware kit marketed on underground forums for the past several years, HawkEye has been under active development since at least 2013. Its main purpose is to steal and exfiltrate sensitive information from applications.

In December 2018, the malware’s owner changed and a new variant emerged on hacking forums, namely HawkEye Reborn v9. Marketed as an “Advance Monitoring Solution,” the threat is being sold through a licensing model and buyers are promised access to updates for specific periods of time.

A Terms of Service agreement is also provided, prohibiting buyers from using the software on systems without permission and from scanning its executables using antivirus programs, most likely in an attempt to prevent detection.

“Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts,” Talos notes.

Starting with the second half of 2018 and continuing into 2019, the HawkEye Reborn keylogger/stealer was observed in ongoing malicious email campaigns. Purporting to deliver invoices, bills of materials, order confirmations, and the like, the emails attempt to trick users into executing the malware.

The attackers employed malicious Microsoft Excel, RTF and DOC files as attachments for malware delivery. Some of the campaigns would use file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.

During their investigation, the security researchers discovered that the documents had similarities with previously analyzed Remcos Trojan attacks, including matching metadata and blurry documents to trick the user into enabling content.

Many of the servers hosting HawkEye also host other malicious binaries, and several expose open directory listings revealing that they are used to deliver additional stealers, RATs, and other malware.

The delivery documents attempt to exploit Office vulnerabilities such as CVE-2017-11882 to drop a heavily obfuscated payload. The keylogger also packs anti-analysis features and can disable certain anti-virus programs.

The malware attempts to exfiltrate information such as machine name, username, privileges, country, IP, MAC address, BIOS, operating system, hardware data, installed browsers, antivirus, and firewalls.

The malware also steals passwords from browsers, FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The information is sent to the attacker’s email address, Talos discovered.

The threat uses MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords.

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes.

Related: Report Shows Increase in Email Attacks Using .com File Extensions

Related: Nigerian Hackers Attempt to Steal Millions From Shipping Firms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.