Malspam hit businesses with Hawkeye keylogger

News by Rene Millman

Organisations spread across sectors including healthcare, marketing and agriculture were affected

Security researchers have discovered that hackers have used the HawkEye keylogger malware as part of a campaign targeting businesses.

According to a blog post by IBM’s X-Force, the campaign took place over April and May this year, and concentrated on sending malware-infected emails to businesses in industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

The researchers said that Hawkeye has been used to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cyber-crime actors.

The infected emails came disguised as from a large bank in Spain, but other messages carrying HawkEye infections came in various formats, including fake emails from legitimate companies or from other banks. The IP addresses from which the malspam originated is in Estonia, while users were targeted in countries around the world. 

An in-depth analysis of the campaign found that the emails surfaced in Spain, the US, and the United Arab Emirates for HawkEye Reborn v9. HawkEye v8 focused on targeting users in Spain.

The email body attempts to lure the recipient to open a malicious attachment named: MT103_Swift Copy_TT20180226, which is a .lnk file that was originally converted from a PDF to a PNG and finally to the LNK format.

"These conversions should also be suspicious to anyone receiving such email. Beyond the messages being unsolicited and poorly crafted, an uncommon attachment is yet another red flag," said researchers.

Researchers said that the infection process is based on a number of executable files that leverage malicious PowerShell scripts. By opening the .lnk file, PhotoViewer automatically launched and displayed the fake invoice from the gob.jpg and kxg.jpg files. Behind the scenes, an executable file named mshta.exe was dropped.

The purpose of this second executable file is to prepare PowerShell for connection to the attacker's command and control (C2) server. That server was hosted on an Amazon AWS host.

"The attacker's intention here was to load additional files from that server. To do that, the code changes the settings of system/Windows certificates as well as adds/modifies them them in the Windows Registry," said researchers.

Jake Moore, Security Specialist at ESET, told SC Media UK that keyloggers are "crafty little spies which can store everything from passwords to company secrets".

"However, when it comes to passwords, as long as companies have implemented basic security defences, such as 2FA and password managers to copy and paste them into the corresponding fields, then they should be protected from this type of attack. Keyloggers will continue to be a part of the cyber criminal’s ever-increasing toolkit until training and software can highlight and eliminate this risk," he said.

Eoin Keary, CEO and cofounder of edgescan, told SC Media UK that for this kind of threats, the best defence remains human awareness.

"Although there are many fancy solutions to protect machines from malware, guarding the entry points and blocking a threat before it makes its way into the operating system is a more effective way to avoid the downtime and monetary loss of having to deal with a breach," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews