Malspam campaigns target business users with Hawkeye keylogger

• Attackers behind this campaign were found to be using spam servers located in Estonia.
• The targeted industries include transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

Researchers from IBM X-Force have observed malspam campaigns targeting business users with the Hawkeye keylogger malware during the last two months.

The targeted industries include transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

The big picture

The malspam campaigns distribute Hawkeye keyloggers in order to steal accounts credentials and sensitive data from business users, which can be later used in BEC scams and account takeover attacks.

• Attackers behind this campaign were found to be using spam servers located in Estonia.
• The malspam emails purported to come from Spanish banks and legitimate companies.
• The emails include malicious attachments that contain fake commercial invoices.
• Upon opening the malicious invoice, HawkEye Reborn v8.0 or HawkEye Reborn v9.0 gets dropped on the victim’s machine, while displaying the commercial invoice image on the display screen.
• To infect the victims with the Hawkeye keylogger, a mshta.exe binary gets dropped by PhotoViewer when the victim tries to open the fake invoice.
• This binary will use PowerShell to communicate with the C&C server and drop additional malware payloads.
• Hawkeye keylogger malware gains persistence on the compromised system with the help of an AutoIt script in the form of an executable named gvg.exe.

“Samples we checked reached users in Spain, the US, and the United Arab Emirates for HawkEye Reborn v9. HawkEye v8 focused on targeting users in Spain,” IBM X-Force researchers said.

Researchers also observed another malspam campaign launched from a server from Turkey between February 11, 2019, and March 3, 2019. This campaign leveraged similar attack patterns with emails dropping malware payloads disguised as commercial invoices.

Hawkeye keylogger

The HawkEye keylogger malware has been in development since about 2013, with the malware authors adding a multitude of new features and modules to enhance its capabilities.

“HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors,” researchers said.