Spam Campaigns Found Targeting Businesses With HawkEye Reborn Keylogger Malware

HawkEye Reborn v8.0 and v9.0, the latest iterations of the old but notorious keylogging malware, were spotted in spam campaigns targeting business users. IBM X-Force researchers reported spam campaigns that used the keylogging malware variants to steal account credentials and sensitive data, which could be leveraged later on for separate attacks such as account takeovers or business email compromise (BEC) scams. Apart from stealing the abovementioned information, it can also download additional malware variants to infected machines.

Similar campaigns have been observed by Trend Micro in the past. In an in-depth research, Trend Micro researchers discovered that operators used the keylogging malware to search for bigger targets by gathering more information about their victim’s business contacts, affiliates, and partners to launch scams. The scheme required monitoring compromised business emails and hijacking transactions by providing alternative payment details, routing the payments straight to fraudulent accounts set up by the operators.

Socially engineered and malware-ridden emails used to prey on businesses

The IBM X-Force researchers spotted the campaigns that deployed HawkEye Reborn v8.0 and v9.0 in April and May 2019. In their analysis, they noted that the operators focused on sending malware-ridden emails to businesses from industries such as transportation and logistics, import and export, marketing, agriculture, and healthcare. Emails that carried the latest iterations of the keylogging malware posed as emails from legitimate organizations.

The campaign that deployed HawkEye Reborn v8.0 specifically spoofed a large bank in Spain. Analysis of a sample for that campaign showed that the content of the email body tries to lure the recipient into opening a malicious attachment named MT103_Swift Copy_TT20180226 pdf.png.zip. The file attachment is a .lnk file that was originally converted from PDF format, and then to PNG, before finally being converted into LNK. In contrast, the HawkEye Reborn v9.0 emails had the payload disguised in a direct macro-on-open Excel file.

The HawkEye Reborn v9.0-carrying emails were received by users in Spain, the United States, and the United Arab Emirates while the v8.0 samples were specific to Spain. Interestingly, the IP addresses where the emails originated from were different but in the same class C network: v8.0 was traced to IP addresses from Estonia, v9.0 from Estonia, France and India.

[Read: Trend Micro Cloud App Security Report 2018: Advanced Defenses for Advanced Email Threats]

Machine learning-powered security solutions for advanced email threats

The resurgence of HawkEye, which is carried out via email, should remind business users to practice good emailing habits. For starters, organizations should inform employees of ways to stay protected from email threats so no security holes can be opened for cybercriminals to exploit.

Organizations can also look into using the Trend Micro Cloud App Security™ solution, an additional email security layer that can be integrated into existing email gateways. Cloud App Security uses machine learning to detect advanced malware variants hidden in Office 365 or PDF documents. Artificial intelligence (AI) and computer vision technology are also used to prevent account takeover attacks by helping detect and block credential phishing schemes, for example, fake login pages that impersonate popular brands. Meanwhile, Writing Style DNA is a technology that helps detect email impersonation tactics used in BEC and similar scams by using machine learning to recognize the DNA of a user’s writing style based on past emails.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.