Security researchers have discovered a new malspam campaign involving HawkEye Keylogger targeting business users.
The new campaign was spotted by security experts at IBM X-Force in April and May 2019 and leverages new variants of HawkEye Keylogger, HawkEye Reborn v8.0 and v9.0.
HawkEye is designed to monitor and steal information from infected devices. It can also download additional malware onto the machines it infects.
“HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors.”
According to Trend Micro, the stolen information can later be used in separate attacks such as “account takeovers or business email compromise (BEC) scams”.
The keyloggers are delivered via malspam campaigns. The messages are disguised as emails from a large bank in Spain or from other legitimate companies and financial institutions.
The researchers noted that the “infection process is based on a number of executable files that leverage malicious PowerShell scripts.”
The IP addresses involved indicate that the malspam originated from Estonia, while the campaign targets users all around the globe.
The industries targeted in the campaign were transportation and logistics, healthcare, import and export, marketing, agriculture and others.
“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.”
For more technical details and IoCs, see the analysis report published by IBM X-Force.