Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although the download is actually a portable executable file [1], it masquerades as a document by presenting a PDF icon.

Upon execution, Hawkeye makes an API call to whatismyipaddress[.]com to obtain the public IP address of the victim’s machine.

Hawkeye steals email credentials and browser data, then exfiltrates it by emailing it to the threat actor, alexandernegri101[at]zoho[dot]com, as seen below in screen captures of a memory dump and of network traffic.

To ice the cake, Hawkeye searches for attached USB drives and replicates itself as Sys.exe, creating an autorun.inf file on the infected drive. The autorun.inf file instructs the computer to launch a program automatically, in this case the copied Sys.exe. The screen capture below from memory shows how the malware spread to a USB drive.
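The two behaviours described above, an executable masquerading as a PDF and an autorun.inf that launches a copied binary from removable media, are both checkable from a file's contents. The following Python helpers are an added example written for this alert; they are not code from PhishMe or from the Hawkeye sample. The autorun.inf text and the file headers are constructed samples, the list of executable extensions is an assumption about what a defender would want flagged, and the only hash used is the MD5 published in footnote [1].

```python
"""Triage helpers for the Hawkeye behaviours described in the alert (added example).

Two checks: (1) does a downloaded 'document' actually carry a Windows PE header,
and does its hash match the published indicator; (2) does an autorun.inf on a
removable drive ask Windows to launch an executable such as Sys.exe.
"""
import configparser
import hashlib
import os

# Constructed sample autorun.inf, modelled on the "launch a program" behaviour
# described above. Real files vary; only the launch keys matter here.
SAMPLE_AUTORUN = """[AutoRun]
open=Sys.exe
icon=Sys.exe,0
action=Open folder to view files
"""

# Constructed file contents: a minimal DOS/PE header ("MZ") and a PDF header.
SAMPLE_PE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

# The one indicator the alert publishes for this sample (quote.exe).
KNOWN_BAD_MD5 = {"130efba199b389ab71a374bf95be2304"}

# autorun.inf keys that name a program to run, and extensions treated as code
# (assumed list; extend to taste).
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def autorun_launch_targets(text):
    """Return the program names an autorun.inf asks Windows to run.

    Section and key names are matched case-insensitively (configparser lowercases
    keys). Arguments after the program name are dropped, so 'Sys.exe /s' yields
    'Sys.exe'. Text that is not INI-shaped yields an empty list rather than an error.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            value = parser[section].get(key)
            parts = value.split() if value else []
            if parts:
                targets.append(parts[0])
    return targets


def suspicious_autorun_targets(text):
    """Launch targets whose extension marks them as executable code."""
    return [t for t in autorun_launch_targets(text)
            if os.path.splitext(t)[1].lower() in EXECUTABLE_SUFFIXES]


def looks_like_pe(data):
    """True if the bytes begin with the 'MZ' DOS header that every Windows PE carries."""
    return data[:2] == b"MZ"


def md5_hex(data):
    """Hex MD5 of the bytes, for comparison against published indicators."""
    return hashlib.md5(data).hexdigest()


def triage_download(filename, data, known_md5=KNOWN_BAD_MD5):
    """Return findings for a downloaded file, in a fixed order.

    Icons are not visible to a script, so the masquerade check works on bytes
    and name: a PE body is always reported, and additionally flagged when the
    extension does not look executable (for example quote.pdf carrying MZ bytes).
    """
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if looks_like_pe(data):
        findings.append("windows_executable")
        if ext not in EXECUTABLE_SUFFIXES:
            findings.append("extension_hides_executable")
    if md5_hex(data) in known_md5:
        findings.append("known_bad_md5")
    return findings


if __name__ == "__main__":
    print("autorun launch targets:", suspicious_autorun_targets(SAMPLE_AUTORUN))
    print("quote.exe findings:", triage_download("quote.exe", SAMPLE_PE_BYTES))
    print("quote.pdf findings:", triage_download("quote.pdf", SAMPLE_PE_BYTES))
```

On a real drive, read the autorun.inf with `errors="replace"` before passing it in, since these files are sometimes written with a BOM or odd encoding; the launch target it names can then be hashed with `md5_hex` and compared against the indicator above.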

Recommendation:

PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that contain the content described above.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe Threat Alerts today.

[1] Name: quote.exe

MD5 hash value: 130efba199b389ab71a374bf95be2304
