Malspam activity was noted this week delivering Hawkeye to infected machines. Hawkeye is a commodity keylogger that can be used to steal a victim's sensitive information. This threat advisory will discuss its delivery mechanism and will show how the traffic looks in NetWitness Logs and Packets.
The PowerShell script is used to download an executable from a delivery domain, an infection scenario that is shared among different malspam campaigns. Here is the process tree:
Here's the download session in NetWitness Logs and Packets:
Using the "View Files" option to get the checksum of the downloaded file:
This report from hybrid-analysis.com suggests it is a Hawkeye variant. The hunting pack registered the following meta for this download session indicating highly suspicious traffic:
The fact that the executable is recently compiled can also be noticed when submitting the file to What's This File service:
It is worth mentioning that the domain directlink[.]cz has been used to deliver different kinds of malware. Here is the activity in NetWitness Logs and Packets for this week:
While the directory remained the same, filenames varied from one download session to another:
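The two observations above, a recently compiled executable and one delivery directory serving many filenames, can be checked automatically over captured download sessions. The following is an added example, not NetWitness or RSA code: it reads the PE compile timestamp from the COFF header, hashes each body, and flags a (host, directory) pair that serves several filenames including at least one fresh PE. The session records and PE stubs are constructed test data, and the seven-day freshness window is an assumption.

```python
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)   # constructed analysis time

def make_pe(compile_time):
    """Build a minimal MZ/PE stub whose COFF TimeDateStamp is compile_time (constructed data)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(compile_time.timestamp()), 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

def pe_compile_time(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < off + 12 or data[off:off + 4] != b"PE\0\0":
        return None
    return datetime.fromtimestamp(struct.unpack_from("<I", data, off + 8)[0], tz=timezone.utc)

def triage(sessions, now=NOW, max_age=timedelta(days=7)):
    """Group download sessions by (host, directory) and flag the advisory's pattern:
    one directory serving several filenames, at least one a recently compiled PE."""
    groups = defaultdict(list)
    for host, path, body in sessions:
        directory, _, filename = path.rpartition("/")
        groups[(host, directory)].append((filename, body))
    findings = {}
    for key, items in groups.items():
        recent = {}
        for filename, body in items:
            stamp = pe_compile_time(body)
            if stamp is not None and timedelta(0) <= now - stamp <= max_age:
                recent[filename] = hashlib.sha256(body).hexdigest()   # checksum for lookup
        names = sorted({f for f, _ in items})
        findings[key] = {"filenames": names, "recent_pe": recent,
                         "suspicious": len(names) > 1 and bool(recent)}
    return findings

# Constructed sessions: the advisory's delivery domain with varying filenames,
# plus a benign host for contrast.
SESSIONS = [
    ("directlink.cz", "/files/inv_2231.exe", make_pe(NOW - timedelta(days=1))),
    ("directlink.cz", "/files/order.exe", make_pe(NOW - timedelta(hours=6))),
    ("directlink.cz", "/files/old.exe", make_pe(NOW - timedelta(days=400))),
    ("updates.example", "/static/app.js", b"console.log('hello');"),
]

if __name__ == "__main__":
    for (host, directory), f in triage(SESSIONS).items():
        print(host, directory, f["filenames"], "SUSPICIOUS" if f["suspicious"] else "ok")
```

The SHA256 values collected in `recent_pe` are the same checksums the "View Files" option exposes, so they can be fed directly to a reputation lookup.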
Here is a list of some of the delivered payloads (SHA256):
This delivery domain was added to RSA FirstWatch Command and Control Domains on Live with the following meta values: