Light Dark
May 27, 2019 By Limor Kessem
Ashkan Vila
3 min read
Threat Intelligence

IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. The industries targeted in April 2019 campaigns observed by X-Force included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors. Botnet monetization of this sort is rather common nowadays, with various gangs collaborating with one another to maximize their potential profits.

Reborn … Yet Again

HawkEye has been around for the past six years. It is a commercial offering peddled in the dark web by a development and support crew that continually improves its code, adds modules and supplements it with stealth capabilities. In 2018, after a lull in activity in 2017, HawkEye was back with a new version and name: Hawkeye Reborn v8.

But while HawkEye started out with one “owner” in its earlier years, it was eventually sold off in December 2018 to a new owner, an actor going by the online alias CerebroTech. The latter changed the version number to HawkEye Reborn v9.0, updated the terms of service for the sale of the malware, and presently distributes it on the dark web and through resellers. CerebroTech appears to be releasing frequent fixes to the malware as part of serving dubious buyers in the darker enclaves of the web.

The Target: Business Users

Having analyzed malspam messages distributing HawkEye, X-Force researchers can note that the operators behind the campaign are targeting business users. In the cybercrime arena, most financially motivated threat actors are focused on businesses because that is where they can make larger profits than attacks on individual users. Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm.

To gain the trust of potential new victims, malspam messages came disguised as an email from a large bank in Spain, but other messages carrying HawkEye infections came in various formats, including fake emails from legitimate companies or from other banks.

X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts. The following image is a schematic view of that flow.

A technical description of the infection routine with relevant indicators of compromise (IoCs) can be accessed on X-Force Exchange.

The IP addresses originating the malspam came from Estonia, while users were targeted in countries around the globe. For HawkEye, which can be operated by any number of actors because it is a commercial offering, these details change in every campaign. That being said, a few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.

Keeping Up With Malspam Campaigns

Malware infection campaigns are a daily occurrence in the cybercrime arena, and defenders know they are bound to run into more of them than they can possibly count. Why keep up with campaigns at all?

Threat intelligence on phishing and malware campaigns can help bolster the organization’s first lines of defense by helping security teams:

  • Block malicious and suspicious IPs from interacting with their users.
  • Expect and warn about trending attacks and educate both management and users on new formats and ploys.
  • Become aware of new attack tactics, techniques and procedures (TTPs) to better assess business risk relevant to the organization as cybercriminals evolve their arsenals.

Want to learn more? Join us on IBM X-Force Exchange

 |  |  |  |  |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM
Ashkan Vila
Security Analyst – IBM

More from Threat Intelligence
November 12, 2024

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

October 16, 2024

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature