A new variant of Hawkeye keylogger ‘Reborn v9’ arises

• HawkEye Reborn v9 is currently marketed as an ‘Advance Monitoring Solution’ and is currently being sold using a licensing model.
• HawkEye Reborn v9 also includes a ‘Terms of Service agreement’ which forbids buyers from using the software on systems without permission and from scanning its executables using antivirus software.

A new variant of Hawkeye dubbed ‘Reborn v9’ has emerged. HawkEye Reborn v9 is currently marketed as an ‘Advance Monitoring Solution’ and is currently being sold using a licensing model. Buyers purchasing Reborn v9 will gain access to the software and updates for a specific period of time.

Worth noting

• HawkEye Reborn v9 also includes a ‘Terms of Service agreement’ which forbids buyers from using the software on systems without permission and from scanning its executables using antivirus software.
• However, threat actors have been continuously using it against various targets across the world.

The big picture

Researchers from Cisco Talos have observed ongoing malspam phishing campaigns that distribute the HawkEye Reborn keylogger/stealer. However, the current version, HawkEye Reborn v9 has been modified from earlier versions and has been heavily obfuscated to make analysis complex and difficult.

• These emails include malicious MS Excel documents disguised as invoices, bills of materials, order confirmations, and other corporate functions.
• The Excel docs exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office.
• After which, the malicious final payload ‘Hawkeye Reborn v9’ is downloaded and executed.

Reborn’s capabilities

• Reborn is capable of stealing system information and credentials from browsers, Filezilla, Beyluxe Messenger, CoreFTP and the video game ‘Minecraft’.
• It can start a keylogger and steal clipboard content.
• It can also take screenshots from the desktop and pictures from the webcam.

Researchers noted that Hawkeye Reborn v9 is still using well-known MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords.

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” the researchers concluded.