Ahmed Sonbol

Malspam delivers Hawkeye keylogger

Blog Post created by Ahmed Sonbol Employee on Jun 30, 2017

Malspam activity was noted this week delivering Hawkeye to infected machines. Hawkeye is a commodity keylogger that can be used to steal a victim's sensitive information. This threat advisory will discuss its delivery mechanism and will show how the traffic looks in NetWitness Logs and Packets.

This delivery document has an embedded malicious macro that launches a PowerShell script. Submitting the document to the What's This File service shows a high threat score:

The PowerShell script is used to download an executable from a delivery domain, an infection scenario that is shared among different malspam campaigns. Here is the process tree:

Here's the download session in NetWitness Logs and Packets:

Using the "View Files" option, we can get the checksum of the downloaded file:

This report from hybrid-analysis.com suggests it is a Hawkeye variant. The hunting pack registered the following meta for this download session, indicating highly suspicious traffic:

The fact that the executable was recently compiled can also be seen when submitting the file to the What's This File service:

It is worth mentioning that the domain directlink[.]cz has been used to deliver different kinds of malware. Here is this week's activity for it in NetWitness Logs and Packets:

While the directory remained the same, filenames varied from one download session to another:

Here is a list of some of the delivered payloads (SHA256):

edac9b3dfc1bb7c64159323d8768ace4858ad239daf00499b9c01358f6cdf2a8
f4d86b3ee2f474198956f982c97e801cb9dc82e886f0a733aaffc1910feff85c
2b8e82fbc69dcf059e38a85ab5fcd135b86707528e26068f6cf514b6b4df0353
1e1ba211402544a252ef52276dee0f2de1720870da50212e51835200c9f199e2
7e5525d85b0aea64bc257a36cacc107731948eca198b109e13ca3c26cc630c99
864b1ec7fb0608807a5624cc84029a5c4cde15da111e7e846c993eab8e590091
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb
d156b5fa4ee0dad4d7971812bd7bf0171af0df6528c84bb4bfc3e97ea3b69e78

This delivery domain was added to RSA FirstWatch Command and Control Domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'
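The payload hashes and the delivery domain above can be turned directly into a hunting check. The following Python is an added example, not code from the advisory or from RSA NetWitness: it matches download-session records against the listed SHA256 values and the defanged domain, and tags domain matches with the same three threat meta values the feed uses. The session field names (`alias.host`, `directory`, `filename`, `sha256`) and the sample sessions are constructed for illustration; the real path on the delivery domain is not printed in the advisory, so the directory is a placeholder. Matching deliberately ignores the filename, because the advisory notes that filenames changed between sessions while the directory stayed the same.

```python
import hashlib
from typing import Dict, List

# SHA256 values of the delivered payloads listed in the advisory
HAWKEYE_PAYLOAD_SHA256 = {
    "edac9b3dfc1bb7c64159323d8768ace4858ad239daf00499b9c01358f6cdf2a8",
    "f4d86b3ee2f474198956f982c97e801cb9dc82e886f0a733aaffc1910feff85c",
    "2b8e82fbc69dcf059e38a85ab5fcd135b86707528e26068f6cf514b6b4df0353",
    "1e1ba211402544a252ef52276dee0f2de1720870da50212e51835200c9f199e2",
    "7e5525d85b0aea64bc257a36cacc107731948eca198b109e13ca3c26cc630c99",
    "864b1ec7fb0608807a5624cc84029a5c4cde15da111e7e846c993eab8e590091",
    "0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb",
    "d156b5fa4ee0dad4d7971812bd7bf0171af0df6528c84bb4bfc3e97ea3b69e78",
}

# Delivery domain named in the advisory (written defanged there as directlink[.]cz)
DELIVERY_DOMAINS = {"directlink.cz"}

# Meta values the advisory says were attached to the domain on the FirstWatch feed
THREAT_META = {
    "threat.source": "rsa-firstwatch",
    "threat.category": "malspam",
    "threat.description": "delivery-domain",
}


def refang(indicator: str) -> str:
    """Undo the usual [.] defanging so indicators compare equal to live meta."""
    return indicator.replace("[.]", ".").strip().lower()


def sha256_hex(data: bytes) -> str:
    """SHA256 of a downloaded file body as lowercase hex, the form the list uses."""
    return hashlib.sha256(data).hexdigest()


def enrich_session(session: Dict[str, str]) -> Dict[str, object]:
    """Tag one download session with the reasons it matches the advisory.

    `session` is a flat dict of hypothetical NetWitness-style meta keys
    (alias.host, directory, filename, sha256); real key names depend on the
    deployment. The filename is intentionally not used for matching.
    """
    reasons: List[str] = []
    host = refang(session.get("alias.host", ""))
    if host in DELIVERY_DOMAINS:
        reasons.append("delivery-domain")
    if session.get("sha256", "").lower() in HAWKEYE_PAYLOAD_SHA256:
        reasons.append("known-payload-hash")
    result: Dict[str, object] = dict(session)
    result["reasons"] = reasons
    if "delivery-domain" in reasons:
        # Attach the same meta the feed entry carries, for downstream alerting
        result.update(THREAT_META)
    return result


def hunt(sessions: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the sessions that matched at least one indicator."""
    return [e for e in (enrich_session(s) for s in sessions) if e["reasons"]]


# Constructed sample sessions (not captured traffic). Directory and filenames
# are placeholders; the advisory does not print the real path.
SAMPLE_SESSIONS = [
    {"alias.host": "directlink.cz", "directory": "/placeholder-dir/",
     "filename": "invoice.exe",
     "sha256": "edac9b3dfc1bb7c64159323d8768ace4858ad239daf00499b9c01358f6cdf2a8"},
    # Same domain, different filename, hash not yet on the list: still flagged
    {"alias.host": "directlink[.]cz", "directory": "/placeholder-dir/",
     "filename": "order.exe", "sha256": "0" * 64},
    # Unrelated download that should not match
    {"alias.host": "update.example.com", "directory": "/dl/",
     "filename": "setup.exe", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SESSIONS):
        print(hit["alias.host"], hit["filename"], hit["reasons"])
```

The second sample session is the case the advisory warns about: a new filename from the same domain with a hash that is not on the list yet. Keying the check on the domain (and, where known, the directory) rather than the filename keeps that session in the results.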


Further reading:

1. How I Cracked a Keylogger and Ended Up in Someone's Inbox 

2. Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs - Security News - Trend Micro… 

3. The “HawkEye” attack: how cybercrooks target small businesses for big money – Naked Security 
