- Hawkeye malware is primarily distributed via phishing emails.
- Its capabilities include stealing clipboard data, keystrokes, and license information from apps. It also steals browser credentials, FTP passwords, and email login credentials.
Hawkeye trojan is a keylogger as well as an info-stealer which has been active since 2015. Within a span of 1 year, this trojan was used by attackers to target almost 130 companies across 30 countries. This trojan is primarily distributed via phishing emails. Hawkeye was put up for sale on a ‘public-facing website’ for $35.
Hawkeye’s capabilities include stealing clipboard data, keystrokes, system information, IP addresses, and license information from apps. It also steals browser credentials, FTP passwords, and email login credentials. It is also capable of USB propagation, antivirus checking, firewall checking, keylogging, and taking screenshots.
Hawkeye malware was primarily used against SMB businesses across industries such as petrochemical sector, naval, military, aerospace, heavy machinery, solar energy, steel, engineering, shipping, pharmaceutical, manufacturing, trading, education, tourism, IT, and more.
The targeted countries include Spain, Pakistan, the United Arabic Emirates, India, Egypt, Australia, the United Kingdom, Germany, South Africa, Portugal, Qatar, Switzerland, the United States, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq, and Italy.
Hawkeye distribution via phishing campaign
In July 2017, researchers observed a high-volume phishing campaign distributing the Hawkeye malware. The phishing emails included a malicious DOCX attachment disguised as a recent transaction or a invoice. The DOCX attachment contained an embedded Microsoft Intermediate Language (MSIL) executable which drops the HawkEye malware once executed.
Exploiting Equation Editor to distribute Hawkeye
In November 2018, attackers exploited an old Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute Hawkeye malware and steal user credentials and clipboard data. Once the flaw was exploited, the keylogger was distributed via Rich Text Format (RTF) files embedded in PDF files with DOC extensions.
HawkEye Reborn v9
Researchers from Cisco Talos observed malspam phishing campaigns that distributed the latest version of Hawkeye ‘Hawkeye Reborn v9’. The new variant is marketed as an ‘Advance Monitoring Solution’ and is being sold using a licensing model. HawkEye Reborn v9 also includes a ‘Terms of Service agreement’ which forbids buyers from using the software on systems without permission and from scanning its executables using antivirus software.
This new variant has been modified from earlier versions and has been heavily obfuscated to make analysis complex and difficult. Researchers also noted that Hawkeye Reborn v9 is using the well-known MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email credentials.
Distribution via Malspam campaigns
In April 2019, researchers observed malspam campaigns targeting business users with the Hawkeye keylogger malware. The campaigns targeted industries including transportation and logistics, healthcare, import and export, marketing, agriculture, among others. Attackers behind this campaign were found to be using spam servers located in Estonia. The malspam emails purported to come from Spanish banks and included malicious attachments disguised as commercial invoices.
Researchers also observed a similar malspam campaign launched from a server from Turkey between February 11, 2019, and March 3, 2019.
Heaven’s Gate technique
Recently, researchers uncovered a string of malware campaigns that leveraged a technique known as ‘Heaven’s Gate’ for evasion. The technique allows malware developed in 32-bit to hide API calls in 64-bit machines. According to the researchers, one of the campaigns distributed the HawkEye Reborn keylogger. Other campaigns mainly distributed Remcos, Agent Tesla or cryptocurrency mining trojans.