This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers Hawkeye keylogger

AhmedSonbol1
Employee
Employee
‎2017-06-30 04:25 PM

Malspam activity was noted this week delivering Hawkeye to infected machines. Hawkeye is a commodity keylogger that can be used to steal a victim sensitive information. This threat advisory will discuss its delivery mechanism and will show how the traffic looks in NetWitness Logs and Packets.

 

This delivery document has an embedded malicious macro that launches a powershell script. Submitting the document to What's This File service shows a high threat score:

 

hawkeye-wtf-1.png

 

The powershell script is used to download an executable from a delivery domain. An infection scenario that's shared among different malspam campaigns. Here is the process tree:

 

hawkeye-sandbox.png

 

Here's the download session in NetWitness Logs and Packets:

 

hawkeye-session.png

 

Using the "View Files" option to get the checksum of the downloaded file:

 

hawkeye-files.png

 

This report from hybrid-analysis.com suggests it is a Hawkeye variant. The hunting pack registered the following meta for this download session indicating highly suspicious traffic:

 

hawkeye-investigate-1.png

 

The fact that the executable is recently compiled can also be noticed when submitting the file to What's This File service:

 

hawkeye-wtf-2.png

 

It is worth mentioning that this domain directlink[.]cz has been used to deliver different kinds of malware. Here is the activity in NetWitness Logs and Packets for this week:

 

hawkeye-session-list.png

 

While the directory remained the same, filenames varied from one download session to another:

 

hawkeye-filenames.png

 

 

Here is a list of some of the delivered payloads (SHA256):

 

edac9b3dfc1bb7c64159323d8768ace4858ad239daf00499b9c01358f6cdf2a8
f4d86b3ee2f474198956f982c97e801cb9dc82e886f0a733aaffc1910feff85c
2b8e82fbc69dcf059e38a85ab5fcd135b86707528e26068f6cf514b6b4df0353
1e1ba211402544a252ef52276dee0f2de1720870da50212e51835200c9f199e2
7e5525d85b0aea64bc257a36cacc107731948eca198b109e13ca3c26cc630c99
864b1ec7fb0608807a5624cc84029a5c4cde15da111e7e846c993eab8e590091
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb
d156b5fa4ee0dad4d7971812bd7bf0171af0df6528c84bb4bfc3e97ea3b69e78

 

This delivery domain was added to RSA FirstWatch Command and Control Domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'


Further reading:

1. How I Cracked a Keylogger and Ended Up in Someone's Inbox 

2. Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs - Security News - Trend Micro… 

3. The “HawkEye” attack: how cybercrooks target small businesses for big money – Naked Security 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.