Ahmed Sonbol

Malspam delivers Hawkeye keylogger

Blog Post created by Ahmed Sonbol Employee on Jun 30, 2017

Malspam activity was noted this week delivering Hawkeye to infected machines. Hawkeye is a commodity keylogger that can be used to steal a victim sensitive information. This threat advisory will discuss its delivery mechanism and will show how the traffic looks in NetWitness Logs and Packets.


This delivery document has an embedded malicious macro that launches a powershell script. Submitting the document to What's This File service shows a high threat score:



The powershell script is used to download an executable from a delivery domain. An infection scenario that's shared among different malspam campaigns. Here is the process tree:



Here's the download session in NetWitness Logs and Packets:



Using the "View Files" option to get the checksum of the downloaded file:



This report from hybrid-analysis.com suggests it is a Hawkeye variant. The hunting pack registered the following meta for this download session indicating highly suspicious traffic:



The fact that the executable is recently compiled can also be noticed when submitting the file to What's This File service:



It is worth mentioning that this domain directlink[.]cz has been used to deliver different kinds of malware. Here is the activity in NetWitness Logs and Packets for this week:



While the directory remained the same, filenames varied from one download session to another:




Here is a list of some of the delivered payloads (SHA256):




This delivery domain was added to RSA FirstWatch Command and Control Domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

Further reading:

1. How I Cracked a Keylogger and Ended Up in Someone's Inbox 

2. Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs - Security News - Trend Micro… 

3. The “HawkEye” attack: how cybercrooks target small businesses for big money – Naked Security