Malspam Campaigns Use HawkEye Keylogger to Target Businesses

Attackers have been observed targeting businesses on a worldwide scale during the last two months with the HawkEye keylogger malware, according to a report from IBM X-Force.

As part of the April and May malicious campaigns which focused on business users, attackers used malspam emails to target organizations from numerous industry sectors like "transportation and logistics, healthcare, import and export, marketing, agriculture, and others."

"HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors," says IBM X-Force's research team.

April and May HawkEye campaigns

The malspam campaigns which disseminate the keylogger are actively targeting business users in an effort to steal both account credentials and sensitive data that could later be put to use as part of account takeover or business email compromise attacks.

During the April and May HawkEye campaigns, attackers using spam servers located in Estonia disguised the malicious spam emails as messages from Spanish banks or legitimate companies, distributing both HawkEye Reborn v8.0 and HawkEye Reborn v9.0.

While the spam emails used generic greetings, featured poor quality text and content, and did not feature any company logos, "the spammers managed to spoof the sending address to appear to originate from a large bank's domain."

The malspam emails come with attachments containing a fake commercial invoice which, once opened by the victim, will drop the HawkEye malware in the background while displaying the commercial invoice image as a distraction.

Sample malspam email

"Samples we checked reached users in Spain, the US, and the United Arab Emirates for HawkEye Reborn v9. HawkEye v8 focused on targeting users in Spain," says IBM X-Force's analysis.

To infect victims with the keylogger/stealer malware, PhotoViewer drops an mshta.exe binary when the victim tries to open the fake invoice; that binary then uses PowerShell to connect to the command-and-control (C2) server and drop additional malware payloads.

The malware gains persistence on the compromised system with the help of an AutoIt script in the form of an executable named gvg.exe which adds itself as an AutoRun entry to the Windows Registry, thus making sure that it will get relaunched automatically after each system restart.

The IBM X-Force researchers also discovered that "the second line in the script shows a file named AAHEP.txt. That file contains all the necessary instructions concerning the functions and commands related to the actual Hawkeye Keylogger."
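As an added illustration (not code from the IBM X-Force report or from this article), the sketch below runs triage logic for the chain described above over constructed Sysmon-style events: mshta.exe spawning PowerShell, and a write to a registry Run key. The event layout, host names, file paths and the choice of the Run key as the AutoRun location are assumptions.

```python
import ntpath
from collections import defaultdict

# Assumption: the "AutoRun entry" is a value under a ...\CurrentVersion\Run key.
RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"

# Constructed sample events (simplified Sysmon-style fields, not real telemetry).
EVENTS = [
    {"host": "WS-01", "id": 1, "parent": r"C:\Users\analyst\Temp\PhotoViewer.exe",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"host": "WS-01", "id": 1, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-01", "id": 13, "image": r"C:\Users\analyst\Temp\gvg.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\gvg"},
    {"host": "WS-02", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-03", "id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp"},
]

def base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()

def tag_event(ev):
    """Return a behaviour tag for one event, or None if it matches neither."""
    if ev["id"] == 1:  # Sysmon Event ID 1: process creation
        if base(ev["parent"]) == "mshta.exe" and base(ev["image"]) == "powershell.exe":
            return "mshta_spawned_powershell"
    elif ev["id"] == 13:  # Sysmon Event ID 13: registry value set
        if RUN_KEY in ev["target"].lower():
            return "run_key_write"
    return None

def triage(events):
    """Group tags per host; both behaviours on the same host rate 'high'."""
    tags = defaultdict(set)
    for ev in events:
        tag = tag_event(ev)
        if tag:
            tags[ev["host"]].add(tag)
    return {host: ("high" if len(t) == 2 else "review") for host, t in tags.items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

A Run key write on its own is common for legitimate installers, which is why it is only rated "review" unless the same host also shows mshta.exe launching PowerShell.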

Infection process

HawkEye-powered malspam campaigns

When looking into the list of indicators of compromise for the April and May 2019 campaigns, the X-Force researchers found another malspam campaign, launched from a server in Turkey "between February 11, 2019 and March 3, 2019" but with an IP address from the same class C network.

This, coupled with the fact that both campaigns feature very similar attack patterns, with emails dropping malware payloads disguised as commercial invoices which would infect the targets with an info-stealing Trojan, led the X-Force researchers to think that they are operated by the same threat actor.

Other malspam campaigns disseminating the HawkEye keylogger were also detected by Cisco Talos during April, as well as by My Online Security during May, with the latter noticing that the data was either exfiltrated to the servers of another keylogger named Spytector or that the attackers were using a compromised Spytector email to collect the stolen data.

Email sent by the Hawkeye Keylogger to its operators (Image: Cofense)

The HawkEye Reborn v9 malware kit

The HawkEye keylogger and information stealer malware kit has been in development since about 2013, with a multitude of new features and modules added by its developers throughout the years to boost its monitoring and data theft capabilities.

HawkEye is being sold by its development team on dark web markets and hacking forums, and it is currently being distributed through resellers after it changed owners in December 2018.

HawkEye Reborn v9, the latest version of the malware kit, can collect information from various applications which it then ships to its operators via protocols such as FTP, HTTP, and SMTP.

HawkEye Reborn UI

"Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward," said Cisco Talos' research team in its analysis of the HawkEye Reborn v9 keylogger/stealer malware.

"HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts."