HawkEye keylogger is an info-stealing malware that is mainly distributed via spam mail. Although AgentTesla, Formbook, and Lokibot are currently the most widely distributed info-stealers, HawkEye was distributed on a comparable scale until recently.
Despite the recent plummet in distribution, HawkEye has maintained a certain level of activity throughout this year. HawkEye is assumed to use spam mail with attachment files as its main distribution method, and the following figures show spam mails sent to domestic users in February and March.
Even though the EML files themselves were not collected, most of the filenames can be recognized as spam mail attachments from how they are written.
HawkEye targets not only basic system information but also account information such as credentials saved in web browsers, e-mail clients, etc. It also targets cryptocurrency wallet files and Minecraft account information files. One notable point is that HawkEye mostly targets older versions of applications, and it may not operate properly against applications updated to the latest version. The malware also has keylogging, clipboard logging, and screenshot capture features.
HawkEye contains WebBrowserPassView and Mail PassView, two applications from NirSoft, and uses them to extract account information saved in web browsers and in e-mail clients respectively. The figure below shows that the bundled application was built in 2013, and the team speculates that this specific version is included because HawkEye itself was written around the time that software version was released.
NirSoft’s account information extraction tools previously provided a ‘/stext’ command line option. Double-clicking WebBrowserPassView shows its GUI, but if the path of a text file to store the recovered passwords was given with the ‘/stext’ option, the tool could be used without the user noticing the execution of the program, since no GUI appeared. HawkEye exploited this feature to reuse the existing utility without directly implementing an account information stealing routine. For your information, the latest version of the software stopped supporting the feature, and this may be because of the aforementioned case of abuse.
Instead of running WebBrowserPassView and Mail PassView directly, HawkEye launches a normal process named vbc.exe (the legitimate .NET Visual Basic compiler), injects the tools into it, and runs them there. The process tree below shows that when vbc.exe is executed and the account information extraction tool runs inside it, web browser credentials are saved to the file ‘holderwb.txt’ and e-mail client account information to ‘holdermail.txt’. The malware then reads the created text files and sends them to the C&C server.
As HawkEye is a malware family that has existed for a long time, its credential-stealing feature may not work on web browsers and other applications upgraded to the latest versions. This applies to the WebBrowserPassView and Mail PassView tools above, both of which are 2013 versions, meaning that they may not operate properly against the latest versions of web browsers and e-mail clients. Despite its age, HawkEye’s keylogging, clipboard logging, and screenshot logging features work regardless of application version, meaning that it can still steal users’ information.
The malware supports 3 methods of sending stolen information to the attacker. The first is sending the information through SMTP (e-mail), a method that is also commonly used by AgentTesla and SnakeKeylogger. The second is uploading the file using FTP, and the last is using HTTP.
The Snake Keylogger malware is distributed via spam e-mail, so when there is a suspicious-looking e-mail in the inbox, users must refrain from opening the attachment files within it. Also, V3 should be updated to the latest version so that malware infection can be prevented.
– Trojan/Win.Kryptik.R371540 (2021.03.12.02)
SMTP server: smtp.yandex[.]ru
FTP server: ftp.triplelink.co[.]th