LTS Secure Warning: Financial Motivation Gives Birth to New Version of the Infamous Hawkeye Malware

The malware is developed with the intent to harvest confidential information as well as account credentials & has always posed a serious threat to individuals & organization around the world. Recently, security researchers have seen a surge in infection campaigns that are making use of the new HawkEye Reborn V9 malware.

 

Technical Details

The HawkEye kit has seen many developments since its birth in 2013 to aid it in its ability to spy & steal data from its victims. The latest iteration makes use of protocols like FTP, SMTP & HTTP, to transmit the sensitive information stolen from the various applications available on the victim machine. To spread the malware, the attacker shared a fake letter, which seems to originate from banks and other organization. The mail is attached with the malicious attachment, which is converted from PDF to PNG and then to LNK. After clicking on the attachment, it secretly launches the keylogger & in order to distract the user, a fake invoice is being displayed on the screen.

The malware makes use of two main exe files:-

  • mshta.exe – Is a power shell script makes a connection to the attcaker C&C server hosted on AWS.
  • gvg.exe – Contains an Autolt script, which initiates the keylogger every time the device is turned on.

 

Impact

  • It captures real time as well as offline keystrokes.
  • It will steal your credentials / confidential data and sends to the remote attacker.
  • Details such as username, privileges, country, IP& MAC address, OS, hardware data, installed browsers, antivirus, and firewalls are transmitted to the attacker.
  • Propagates via storage devices like USB to increase its impact radius.
  • It affects your System Performance as well as functionality.

 

Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mail-spam.
  • Periodically run “full system scan” on your endpoints.