Light Dark
May 27, 2019 By Limor Kessem
Ashkan Vila
3 min read
Threat Intelligence

IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. The industries targeted in April 2019 campaigns observed by X-Force included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors. Botnet monetization of this sort is rather common nowadays, with various gangs collaborating with one another to maximize their potential profits.

Reborn … Yet Again

HawkEye has been around for the past six years. It is a commercial offering peddled in the dark web by a development and support crew that continually improves its code, adds modules and supplements it with stealth capabilities. In 2018, after a lull in activity in 2017, HawkEye was back with a new version and name: Hawkeye Reborn v8.

But while HawkEye started out with one “owner” in its earlier years, it was eventually sold off in December 2018 to a new owner, an actor going by the online alias CerebroTech. The latter changed the version number to HawkEye Reborn v9.0, updated the terms of service for the sale of the malware, and presently distributes it on the dark web and through resellers. CerebroTech appears to be releasing frequent fixes to the malware as part of serving dubious buyers in the darker enclaves of the web.

The Target: Business Users

Having analyzed malspam messages distributing HawkEye, X-Force researchers can note that the operators behind the campaign are targeting business users. In the cybercrime arena, most financially motivated threat actors are focused on businesses because that is where they can make larger profits than attacks on individual users. Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm.

To gain the trust of potential new victims, malspam messages came disguised as an email from a large bank in Spain, but other messages carrying HawkEye infections came in various formats, including fake emails from legitimate companies or from other banks.

X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts. The following image is a schematic view of that flow.

A technical description of the infection routine with relevant indicators of compromise (IoCs) can be accessed on X-Force Exchange.

The IP addresses originating the malspam came from Estonia, while users were targeted in countries around the globe. For HawkEye, which can be operated by any number of actors because it is a commercial offering, these details change in every campaign. That being said, a few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.

Keeping Up With Malspam Campaigns

Malware infection campaigns are a daily occurrence in the cybercrime arena, and defenders know they are bound to run into more of them than they can possibly count. Why keep up with campaigns at all?

Threat intelligence on phishing and malware campaigns can help bolster the organization’s first lines of defense by helping security teams:

  • Block malicious and suspicious IPs from interacting with their users.
  • Expect and warn about trending attacks and educate both management and users on new formats and ploys.
  • Become aware of new attack tactics, techniques and procedures (TTPs) to better assess business risk relevant to the organization as cybercriminals evolve their arsenals.

Want to learn more? Join us on IBM X-Force Exchange

 |  |  |  |  |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM
Ashkan Vila
Security Analyst – IBM

More from Threat Intelligence
July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

May 24, 2024

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature