A new variant of HawkEye, a piece of malware used for keylogging and data theft, is being leveraged in ongoing malware distribution campaigns, Cisco’s Talos security researchers warn.
A malware kit marketed on underground forums for the past several years, HawkEye has been under active development since at least 2013. Its main purpose is to steal and exfiltrate sensitive information from applications.
In December 2018, the malware’s owner changed and a new variant emerged on hacking forums, namely HawkEye Reborn v9. Marketed as an “Advance Monitoring Solution,” the threat is being sold through a licensing model and buyers are promised access to updates for specific periods of time.
A Terms of Service agreement is also provided, prohibiting buyers from using the software on systems without permission and from scanning its executables using antivirus programs, most likely in an attempt to prevent detection.
“Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts,” Talos notes.
Starting in the second half of 2018 and continuing into 2019, the HawkEye Reborn keylogger/stealer was observed in ongoing malicious email campaigns. Purporting to deliver invoices, bills of materials, order confirmations, and the like, the emails attempt to trick users into executing the malware.
The attackers employed malicious Microsoft Excel, RTF and DOC files as attachments for malware delivery. Some of the campaigns would use file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.
During their investigation, the security researchers discovered that the documents had similarities with previously analyzed Remcos Trojan attacks, including matching metadata and the same blurred document images used to trick the user into enabling content.
Many of the servers hosting HawkEye are used to host other malicious binaries as well, and many contain open directory listings revealing they are used to deliver additional stealers, RATs, and other malware.
The delivery documents attempt to exploit Office vulnerabilities such as CVE-2017-11882 to drop a heavily obfuscated payload. The keylogger also packs anti-analysis features and can disable certain antivirus programs.
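The lure attachments described above (Excel, RTF and DOC files, some of them carrying the CVE-2017-11882 exploit) are the point where a mail gateway gets its first look at the campaign. The following is an added example of the kind of attachment triage a defender would run there; it is not code from the article or from Talos. It checks whether a file's extension matches its actual container format, and flags the two traits such lures commonly show: an RTF file that embeds an OLE object, and an OOXML document that carries a VBA project. The filenames and attachment bytes are constructed for the example.

```python
"""Attachment triage for Office lure documents (added example, not from the article).

Compares an attachment's declared extension with its magic bytes and flags
content a phishing-delivered document should not normally carry.
"""
import io
import os
import zipfile

# Magic bytes of the container formats used by the lure documents.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc / .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx / .xlsx / .docm / .xlsm
RTF_MAGIC = b"{\\rt"                              # RTF; Word accepts truncated "{\rt" headers

# Which container each extension claims to be.
EXT_TO_CONTAINER = {
    ".doc": "ole", ".xls": "ole",
    ".docx": "zip", ".xlsx": "zip", ".docm": "zip", ".xlsm": "zip",
    ".rtf": "rtf",
}


def sniff_container(data: bytes) -> str:
    """Identify the container format from the leading bytes, ignoring the name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict and the list of findings for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXT_TO_CONTAINER.get(ext)
    if declared is None:
        return {"verdict": "not_office", "findings": []}

    actual = sniff_container(data)
    findings = []
    if actual != declared:
        # A .doc that is really RTF is a classic way to dodge filetype-based filters.
        findings.append(f"extension {ext} claims {declared} but content is {actual}")
    if actual == "rtf" and b"\\objdata" in data.lower():
        # Embedded OLE objects are how RTF lures carry Equation Editor exploits
        # such as CVE-2017-11882; a plain invoice has no reason to embed one.
        findings.append("RTF embeds an OLE object (\\objdata)")
    if actual == "zip" and b"vbaProject.bin" in data:
        # ZIP stores member names uncompressed, so a raw scan finds the VBA project.
        findings.append("OOXML contains a VBA project (macro-enabled)")

    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


def _make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for the sample set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample attachments, named the way the article's lures were.
SAMPLES = {
    # RTF with an embedded object, disguised with a .doc extension.
    "invoice_0412.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    # Genuine OLE2 header, extension matches, nothing embedded.
    "quote.doc": OLE_MAGIC + b"\x00" * 16,
    # Clean OOXML spreadsheet.
    "order_confirmation.xlsx": _make_ooxml(with_macro=False),
    # Macro-enabled OOXML document.
    "bill_of_materials.docm": _make_ooxml(with_macro=True),
    # Not an Office file at all.
    "readme.txt": b"hello",
}


def run_samples() -> dict:
    """Triage every constructed sample; returns {filename: verdict}."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage_attachment(name, data)
        print(f"{name:28s} {result['verdict']:11s} {'; '.join(result['findings'])}")
```

The extension/content mismatch check is the cheap one and catches the renamed-RTF trick on its own; the `\objdata` and `vbaProject.bin` checks are coarse by design and are meant to route the file to sandboxing rather than to decide on their own that it is malicious.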
The malware attempts to exfiltrate information such as machine name, username, privileges, country, IP, MAC address, BIOS, operating system, hardware data, installed browsers, antivirus, and firewalls.
The malware also steals passwords from browsers, FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The information is sent to the attacker’s email address, Talos discovered.
The threat uses the MailPassView and WebBrowserPassView freeware tools from NirSoft to steal web and email passwords.
“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes.