
Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

(Malware and Vulnerabilities)

Figure 6: Verify whether malware is running as a system profile

If the malware is running as a system profile, the string d0c from the decrypted config file is used to create the mutex.

Figure 8: Network request

The network request is formed with four parameters in the format shown in Figure 9.

Table 1: GET request parameters

If the returned response is 200, the malware sends another GET request (Figure 10) with the parameters shown in Figure 11.

Figure 11: Second GET request parameters formation

Table 2 shows information about the parameters.

Figure 17: Get directory information

Get Disk Information

This command retrieves the drive information for drives C through Z, along with the available disk space on each drive.

Figure 18: Retrieve drive information

The information is stored in the following format for each drive:

Format = "%d+%d+%d+%d;"
Example: "8+512+6460870+16751103;"

The information for all the available drives is combined and sent to the server using an operation similar to Figure 14.
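The per-drive record format above is simple enough that an analyst can decode captured beacon payloads offline. The following is an added example, not HAWKBALL code and not from the original report: it builds records in the same "%d+%d+%d+%d;" layout, parses a concatenated payload back into structured fields, and rejects malformed input. It assumes (the page does not say this) that the four integers are the outputs of GetDiskFreeSpace in order: sectors per cluster, bytes per sector, free clusters, total clusters, which is how the sample "8+512+6460870+16751103;" reads; the derived byte counts depend on that assumption. The second drive in the sample payload is constructed for the example.

```c
/* Added example (not the malware's own code): encode/decode the per-drive
 * record format "%d+%d+%d+%d;" so captured beacon payloads can be parsed.
 * ASSUMPTION (not stated in the report): the four fields are the outputs of
 * GetDiskFreeSpace, i.e. sectors per cluster, bytes per sector, free
 * clusters, total clusters. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    long sectors_per_cluster;
    long bytes_per_sector;
    long free_clusters;
    long total_clusters;
} DriveRecord;

/* Write one record in the same layout as the backdoor's format string.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_drive_record(char *buf, size_t buflen, const DriveRecord *r) {
    int n = snprintf(buf, buflen, "%ld+%ld+%ld+%ld;",
                     r->sectors_per_cluster, r->bytes_per_sector,
                     r->free_clusters, r->total_clusters);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Parse a concatenated payload "a+b+c+d;a+b+c+d;..." into records.
 * Returns the number of records parsed, or -1 if the payload is malformed
 * (missing field, wrong separator, or more records than out can hold). */
int parse_drive_records(const char *payload, DriveRecord *out, int max_records) {
    int count = 0;
    const char *p = payload;
    while (*p) {
        if (count >= max_records) return -1;
        long v[4];
        for (int i = 0; i < 4; i++) {
            /* Each field must start with a digit; strtol alone would also
             * accept whitespace and signs, which the format never emits. */
            if (*p < '0' || *p > '9') return -1;
            char *end;
            v[i] = strtol(p, &end, 10);
            p = end;
            char sep = (i < 3) ? '+' : ';';
            if (*p != sep) return -1;
            p++;
        }
        out[count].sectors_per_cluster = v[0];
        out[count].bytes_per_sector = v[1];
        out[count].free_clusters = v[2];
        out[count].total_clusters = v[3];
        count++;
    }
    return count;
}

/* Byte counts under the GetDiskFreeSpace interpretation (assumption above). */
uint64_t free_bytes(const DriveRecord *r) {
    return (uint64_t)r->sectors_per_cluster * (uint64_t)r->bytes_per_sector
         * (uint64_t)r->free_clusters;
}
uint64_t total_bytes(const DriveRecord *r) {
    return (uint64_t)r->sectors_per_cluster * (uint64_t)r->bytes_per_sector
         * (uint64_t)r->total_clusters;
}

int main(void) {
    /* Constructed sample: the report's example record followed by a second,
     * made-up drive. A real payload carries one record per drive C..Z. */
    const char *sample = "8+512+6460870+16751103;8+4096+1000+2000;";
    DriveRecord recs[24];
    int n = parse_drive_records(sample, recs, 24);
    if (n < 0) { puts("malformed payload"); return 1; }
    for (int i = 0; i < n; i++) {
        char buf[64];
        format_drive_record(buf, sizeof buf, &recs[i]);
        printf("%-28s free=%llu total=%llu bytes\n", buf,
               (unsigned long long)free_bytes(&recs[i]),
               (unsigned long long)total_bytes(&recs[i]));
    }
    return 0;
}
```

The parser is strict on purpose: a detection or replay tool should flag a payload that does not match the expected shape rather than silently skip it, since a malformed record is itself a signal worth recording.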
