IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. The industries targeted in April 2019 campaigns observed by X-Force included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors. Botnet monetization of this sort is rather common nowadays, with various gangs collaborating with one another to maximize their potential profits.

Reborn … Yet Again

HawkEye has been around for the past six years. It is a commercial offering peddled in the dark web by a development and support crew that continually improves its code, adds modules and supplements it with stealth capabilities. In 2018, after a lull in activity in 2017, HawkEye was back with a new version and name: Hawkeye Reborn v8.

But while HawkEye started out with one “owner” in its earlier years, it was eventually sold off in December 2018 to a new owner, an actor going by the online alias CerebroTech. The latter changed the version number to HawkEye Reborn v9.0, updated the terms of service for the sale of the malware, and presently distributes it on the dark web and through resellers. CerebroTech appears to be releasing frequent fixes to the malware as part of serving dubious buyers in the darker enclaves of the web.

The Target: Business Users

Having analyzed malspam messages distributing HawkEye, X-Force researchers can note that the operators behind the campaign are targeting business users. In the cybercrime arena, most financially motivated threat actors are focused on businesses because that is where they can make larger profits than attacks on individual users. Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm.

To gain the trust of potential new victims, malspam messages came disguised as an email from a large bank in Spain, but other messages carrying HawkEye infections came in various formats, including fake emails from legitimate companies or from other banks.

X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts. The following image is a schematic view of that flow.

A technical description of the infection routine with relevant indicators of compromise (IoCs) can be accessed on X-Force Exchange.

The IP addresses originating the malspam came from Estonia, while users were targeted in countries around the globe. For HawkEye, which can be operated by any number of actors because it is a commercial offering, these details change in every campaign. That being said, a few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.

Keeping Up With Malspam Campaigns

Malware infection campaigns are a daily occurrence in the cybercrime arena, and defenders know they are bound to run into more of them than they can possibly count. Why keep up with campaigns at all?

Threat intelligence on phishing and malware campaigns can help bolster the organization’s first lines of defense by helping security teams:

  • Block malicious and suspicious IPs from interacting with their users.
  • Expect and warn about trending attacks and educate both management and users on new formats and ploys.
  • Become aware of new attack tactics, techniques and procedures (TTPs) to better assess business risk relevant to the organization as cybercriminals evolve their arsenals.

Want to learn more? Join us on IBM X-Force Exchange

More from Threat Intelligence

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - Summary As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today