[BreachExchange] Hackers using HawkEye Keylogging Malware to Attack Enterprise Networks to Steal Application Data

Destry Winant destry at riskbasedsecurity.com
Tue Jun 4 06:14:20 EDT 2019 

https://gbhackers.com/hawkeye-malware-enterprise-networks/

Hackers behind the new HawkEye malware campaign targets business users
to infect them with advanced keylogging malware that could download
additional malware on the infected devices.

The HawkEye malware is capable of stealing information from the
affected devices, it act’s as a loader and also the malware fetches
other malware to the device.

X-Force observed the campaign between April and May 2019; it primarily
targets the following industries that include transportation and
logistics, healthcare, import and export, marketing, agriculture, and
others.

The malware was active since 2013, and cybercriminals circulate it in
hacking forums, the information stealer malware kit HawkEye Reborn v9
and it is heavily obfuscated.

HawkEye Malware Targets Business Users

The campaign is financially motivated, “X-Force researchers can note
that the operators behind the campaign are targeting business users”
because at business places attackers can exfiltrate more data and
larger bank accounts.

With this current malspam campaign, the message poses to be from a
large bank in Spain, it appears the threat actors targeting users from
Spain.

The spam Email appears to be originated from Spain bank carries a zip
which contains a .lnk file(a fake incoide image), once the image
opened the malware will get triggered and leverage the PowerShell to
establish a connection with attacker’s C2 server and drops additional
payloads.

HawkEye Malware Functions

- Email password stealing
- Web browser password stealing
- Keylogging and taking screenshots
- Bitcoin wallet theft
- USB propagation
- Internet download manager stealing
- JDownloader password stealing
- Anti-virus checking
- Firewall checking

According to X-Force report, the spam campaign targets all around the
globe, “Samples we checked reached users in Spain, the US, and the
United Arab Emirates for HawkEye Reborn v9. HawkEye v8 focused on
targeting users in Spain.”

More information about the BreachExchange mailing list