IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world. In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. The industries targeted in April 2019 campaigns observed by X-Force included transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors. Botnet monetization of this sort is rather common nowadays, with various gangs collaborating with one another to maximize their potential profits.

Reborn … Yet Again

HawkEye has been around for the past six years. It is a commercial offering peddled in the dark web by a development and support crew that continually improves its code, adds modules and supplements it with stealth capabilities. In 2018, after a lull in activity in 2017, HawkEye was back with a new version and name: Hawkeye Reborn v8.

But while HawkEye started out with one “owner” in its earlier years, it was eventually sold off in December 2018 to a new owner, an actor going by the online alias CerebroTech. The latter changed the version number to HawkEye Reborn v9.0, updated the terms of service for the sale of the malware, and presently distributes it on the dark web and through resellers. CerebroTech appears to be releasing frequent fixes to the malware as part of serving dubious buyers in the darker enclaves of the web.

The Target: Business Users

Having analyzed malspam messages distributing HawkEye, X-Force researchers can note that the operators behind the campaign are targeting business users. In the cybercrime arena, most financially motivated threat actors are focused on businesses because that is where they can make larger profits than attacks on individual users. Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm.

To gain the trust of potential new victims, malspam messages came disguised as an email from a large bank in Spain, but other messages carrying HawkEye infections came in various formats, including fake emails from legitimate companies or from other banks.

X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts. The following image is a schematic view of that flow.

A technical description of the infection routine with relevant indicators of compromise (IoCs) can be accessed on X-Force Exchange.

The IP addresses originating the malspam came from Estonia, while users were targeted in countries around the globe. For HawkEye, which can be operated by any number of actors because it is a commercial offering, these details change in every campaign. That being said, a few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.

Keeping Up With Malspam Campaigns

Malware infection campaigns are a daily occurrence in the cybercrime arena, and defenders know they are bound to run into more of them than they can possibly count. Why keep up with campaigns at all?

Threat intelligence on phishing and malware campaigns can help bolster the organization’s first lines of defense by helping security teams:

  • Block malicious and suspicious IPs from interacting with their users.
  • Expect and warn about trending attacks and educate both management and users on new formats and ploys.
  • Become aware of new attack tactics, techniques and procedures (TTPs) to better assess business risk relevant to the organization as cybercriminals evolve their arsenals.

Want to learn more? Join us on IBM X-Force Exchange

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today