Are Passwords in Danger When the Hawkeye Keylogger Attacks?

HawkEye Keylogger Malspam

The HawkEye keylogger has been around for about six years now and despite the fact that some would say it has a silly name (for a malicious program), it's not just a simple hacking tool developed by a teenage computer whizz who is trying to make a nuisance of himself. It's a fully-fledged cybercrime service that is offered on the dark web. It has terms of service, the developers release updates and fixes on a regular basis, and there's even a support team ready to help out with any problems.

In late 2018, the original gang sold the entire HawkEye operation to a cybercriminal who goes by the nickname CerebroTech, and according to researchers from IBM's X-Force team, the new owner's business is doing rather well. In April and May they intercepted quite a few emails delivering the keylogger, and they reckon that they are witnessing two separate spam campaigns launched by different cybercriminal groups.

Criminals use both HawkEye v8 and HawkEye v9

The researchers noted that while some of the spam was infecting users with the latest version of the keylogger (HawkEye v9), the rest of the messages carried the previous generation (HawkEye v8). There were differences in the infection chain as well.

With the emails delivering HawkEye v8, the crooks are trying to impersonate a Spanish bank, and apparently, they're not doing a very good job. Although they took the time to spoof the email address, the bank's logo is missing, and the text isn't properly formatted, which could tip some of the victims off. That said, the infection mechanism is rather clever. The email comes with a ZIP attachment which contains an LNK file (a Windows shortcut). When opened, the LNK file distracts the victim by displaying an image that looks like a legitimate document sent by the bank. In the background, however, it contacts the crooks' Command & Control server (C&C) and downloads a few executable files which eventually complete the infection.

The crooks running the HawkEye v9 campaign did a better job of impersonating a variety of different businesses in their spam messages, but they decided not to overcomplicate things with an elaborate, multi-stage infection mechanism. Instead, their emails come with attached macro-enabled Excel spreadsheets.

Both campaigns target businesses rather than regular users. The HawkEye v8 spam is aimed squarely at organizations based in Spain while the criminals spreading HawkEye v9 also target companies in the US and the United Arab Emirates.

HawkEye is as powerful as ever

The researchers didn't share too many details around the differences between HawkEye v8 and HawkEye v9. It's fair to say, however, that both versions are rather powerful. The payload is injected into a .NET Framework service which makes detection more difficult. The malware creates a TXT file in the %AppData% folder which collects all the recorded keystrokes. A module for Mozilla Thunderbird allows the criminals to spread the payload further using the victim's email address, and another tool records Firefox's browsing history. This way, the crooks can not only log people's passwords; they can also see where the victims are when they're entering their login credentials. IBM noted that if the crooks decide to download additional payloads, HawkEye can act as a dropper as well.

In 2017, the HawkEye infection rate dropped dramatically, and many people thought that was the end of it. About two years later, it's obvious that this isn't really the case. HawkEye is here to stay, and it's riding on a wave of spam, which means that employees at organizations everywhere need to be especially wary of the email attachments they open.

May 31, 2019
