A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would pique user interests, with the “Subject” line typically containing something about recent news. Although HawkEye malware has several different capabilities, it is most often associated with credential theft.
In the middle of June, we observed a phishing campaign involving the distribution of HawkEye malware. The threat actors behind this campaign are not targeting any specific group of industries or any specific region.
Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign. The message is designed to entice recipients to open the attachment. In this most recent campaign, the phishing email contained a DOCX attachment, and the attackers named the document appropriately so the recipient believed it involved a recent transaction or invoice.
Figure 1: Sample phishing email
As seen in Figure 2, the deployment of the malware has several stages of execution, including the following:
Figure 2: Infection Vector and Execution
In the observed campaign, the actors used an embedded OLE object to deliver the payload to the victim’s machine. The malicious payload, HawkEye, is embedded in the DOCX file and dropped in the %temp% folder after the victim double-clicks on the object (Figure 3).
Figure 3: Embedded OLE Object
The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications. These additional tools are contained in an encrypted resource section of the binary.
The HawkEye malware is capable of the following:
After initial checks and system enumeration, HawkEye sends the following data to the command and control (C2) server:
Along with its ability to steal sensitive information, HawkEye is capable of spreading through USB or removable drives and can also steal Bitcoin wallets, as seen in Figure 4.
Figure 4: USB spreading and Bitcoin Stealing
The HawkEye malware in this campaign contained encrypted resource sections, which add functionality that enables the attackers to exfiltrate more data. FireEye observed the same pattern in previous HawkEye campaigns. The encrypted data is decrypted at run time and then injected into the target process, vbc.exe. The encryption logic used is a custom algorithm and varies with the campaign. Figure 5 shows an example of the custom encryption algorithm.
Figure 5: Custom decryption routine
After decrypting the resource section, the following files can be extracted:
Figure 6: Components of malware
The payload uses the Windows task scheduling feature for its persistence mechanism on the victim’s computer. It schedules a task to execute on user login. The configuration data shown in Figure 7 is used to schedule the task.
Figure 7: Task Scheduler.xml
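The persistence pattern just described (a scheduled task that fires on user logon and runs a binary dropped in %temp%) can be checked for in exported Task Scheduler XML. The following is an added detection example, not code from the FireEye post; the task definitions it parses are constructed samples with placeholder paths.

```python
# Added example: flag Task Scheduler XML definitions that combine a logon
# trigger with an action executed from a temp directory.
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments that indicate execution from a temp directory.
TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def analyze_task(xml_text: str) -> dict:
    """Return what the task triggers on, what it runs, and a verdict."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    # A LogonTrigger without an <Enabled> element is enabled by default.
    logon_enabled = logon is not None and (
        logon.findtext("t:Enabled", "true", NS).strip().lower() != "false")
    commands = [(c.text or "").strip()
                for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)]
    from_temp = [c for c in commands
                 if any(m in c.lower() for m in TEMP_MARKERS)]
    return {
        "logon_trigger": logon_enabled,
        "commands": commands,
        "runs_from_temp": from_temp,
        "suspicious": logon_enabled and bool(from_temp),
    }


# Constructed sample matching the pattern above (file name is a placeholder).
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%temp%\\payload_placeholder.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a daily task run from Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2015-06-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml_text))
```

On a live host the same function can be run over the XML files under C:\Windows\System32\Tasks, which store each registered task's definition.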
CMemoryExecute.dll is responsible for running a .NET executable capable of using the Windows Native API to inject MailPV.exe and WebBrowserPassView.dll into VBC.exe, which is the Visual Basic Command Line Compiler. MailPV and WebBrowserPassView are used to extract credentials from the list of email and web browser clients noted in the following section.
WebBrowserPassView.dll, extracted from the resource section, is a password recovery tool that extracts passwords stored in the following web browsers:
The extracted passwords are written to a text file the tool creates: “%temp%\holderwb.txt”
The MailPV.exe file is a password recovery tool that extracts passwords for the following email clients:
The extracted passwords are written to a text file the tool creates: “%temp%\holdermail.txt”
The first C2 traffic observed is the malware’s check to get the external IP address of the infected machine. Figure 8 shows an example of the external IP address query.
Figure 8: External IP Address Query
As noted, the malware sends gathered system information and security program data to the C2 server after the external IP address is known. HawkEye can be configured to send this information through multiple methods, including via email or FTP.
In addition to the system data, the malware will upload any collected credentials from email and web browser applications. To do this, the malware will validate that holdermail.txt and holderweb.txt exist and send the data to the C2 server. After the data is exfiltrated, the TXT files are deleted from the victim’s machine.
In this campaign, the HawkEye payload was configured to upload the data via email. Once the extracted data is received by the C2 server, the server sends emails to the threat actors behind the campaign to notify them that new stolen information is available. Figure 9 shows some of the email templates used in this campaign and Figure 10 shows the SMTP traffic on the network.
Figure 9: Email notification to HawkEye Customers
Figure 10: SMTP Handshake
HawkEye is a versatile Trojan used by diverse actors for multiple purposes. The malware has been sold through a public-facing website, which has allowed many different operators to use it. As is often the case with commercial Trojans, HawkEye offers a variety of functions for stealing stored data, grabbing form data, self-spreading, and performing other functions. Consequently, HawkEye may facilitate a number of different exploitative operations in compromised environments, and can be used by actors with a wide range of motivations. We have seen different HawkEye campaigns infecting organizations across many sectors globally, and stealing user credentials for diverse online services. This particular campaign represents one segment of the numerous HawkEye activity sets.
Some notable threat operations where we have previously reported HawkEye use include business email compromise campaigns, phishing against Middle Eastern organizations, and prolific spam operations (get an iSIGHT intelligence subscription to learn more about these campaigns).
Based on previous observations, the phishing and lure techniques used in these recent HawkEye campaigns have remained consistent, as have the HawkEye binaries and associated payloads. However, the attackers have altered the initial delivery method to use an embedded OLE object, as opposed to past methods such as a macro embedded in a Word document. The threat landscape is continuously evolving, and we expect to see more new tricks and tactics being used by the actors using this malware family.
The FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat.
Special thanks to John Miller and Nart Villeneuve for their contributions to this blog.