HawkEye Malware Continues to Threaten Organizations with Advanced Evasion
Threat Group: Various Cybercriminal Actors
Threat Type: Information-Stealing Malware
Exploited Vulnerabilities: Primarily delivered via phishing emails and malware disguised as "free" software; also exploits vulnerabilities in Microsoft Office to execute malicious code.
Malware Used: HawkEye, also known as PredatorPain
Threat Score: High (8.5/10) — Given its long history, resilience, and extensive functionality as both a keylogger and information stealer.
Last Threat Observation: November 2024.
Overview
HawkEye, also known as PredatorPain, is a versatile information-stealing malware that functions as both a keylogger and credential stealer. First appearing around 2008 and gaining prominence in 2013, HawkEye has continued to evolve, making it one of the most persistent malware families in circulation. Distributed through phishing campaigns and cracked versions of "free" software, HawkEye targets industries globally, including the financial, healthcare, and technology sectors. ANY.RUN's latest analysis reveals updated attack patterns, including process injection and enhanced obfuscation techniques.
Key Details
- Delivery Method: Spearphishing campaigns, disguised "free" software, and compromised business portals.
- Target: Companies and individuals, particularly in finance, healthcare, and technology.
- Functions:
  - Keylogging for capturing keystrokes and clipboard data
  - Credential theft from email clients, browsers, and FTP clients
  - Screenshot capture
  - Cryptocurrency wallet theft
  - Security software detection and analysis tool evasion
- Obfuscation: Uses XOR + Poly for data encoding, ConfuserEx for process injection, and frequent relocation of files in hidden directories.
Attack Vectors
HawkEye is mainly distributed through phishing emails or software disguised as legitimate applications. Upon execution, it drops multiple copies of itself in directories such as AppData and Temp. It frequently uses process hollowing, injecting malicious code into legitimate applications (e.g., vbc.exe), and maintains persistence by creating scheduled tasks or registry keys. HawkEye's modular design enables operators to configure each instance to prioritize certain functions, making it adaptable to various attack scenarios.
Known Indicators of Compromise (IoCs)
File hashes (MD5, SHA1 and SHA256) for known HawkEye samples are published in the AlienVault IoC listing cited under Sources.
Mitigation and Prevention
- User Awareness: Train users on recognizing phishing and avoiding suspicious software.
- Email Filtering: Enhance email scanning and filtering capabilities to detect and block phishing emails.
- Antivirus Protection: Use robust antivirus tools to detect HawkEye and its variants.
- Persistence Monitoring: Regularly check for unknown scheduled tasks or suspicious registry entries.
- Process Monitoring: Track unexpected injections or unusual parent-child process relationships.
- Network Controls: Restrict outbound FTP, HTTP, and SMTP, commonly used by HawkEye for exfiltration.
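The behaviours described under Attack Vectors (copies dropped in AppData/Temp, hollowing of vbc.exe, persistence through scheduled tasks and registry keys) map directly onto the Persistence Monitoring and Process Monitoring controls above. The following detection logic is an added example, not code from the original advisory or from ANY.RUN; it runs over constructed Sysmon-style event records and assumes that vbc.exe is normally spawned only by build tooling (msbuild.exe, devenv.exe, csc.exe) and that schtasks.exe and HKCU Run-key writes are the persistence mechanisms of interest.

```python
"""Flag HawkEye-style process and persistence behaviour in Sysmon-like events.

Rules: (1) an executable launched from a user's AppData or Temp directory,
(2) vbc.exe started by a parent other than expected build tooling (a hollowing
target), (3) schtasks.exe or a CurrentVersion\\Run key write originating from a
process that itself lives in AppData/Temp. All events below are constructed samples.
"""
import re

USER_DROP_DIRS = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)
# Assumption: parents from which vbc.exe is legitimately launched in this environment.
EXPECTED_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Return a list of alert strings for one event; empty when nothing matched."""
    alerts = []
    image = event.get("image", "")
    parent = event.get("parent", "")
    if event["type"] == "process_create":
        if USER_DROP_DIRS.search(image):
            alerts.append(f"exec-from-user-dir: {image}")
        if basename(image) == "vbc.exe" and basename(parent) not in EXPECTED_VBC_PARENTS:
            alerts.append(f"suspicious-vbc-parent: {parent} -> {image}")
        if basename(image) == "schtasks.exe" and USER_DROP_DIRS.search(parent):
            alerts.append(f"schtask-from-user-dir: {parent}")
    elif event["type"] == "registry_set":
        if RUN_KEY.search(event.get("key", "")) and USER_DROP_DIRS.search(image):
            alerts.append(f"run-key-from-user-dir: {image} -> {event['key']}")
    return alerts


DROPPER = r"C:\Users\alice\AppData\Roaming\winupdate.exe"  # constructed sample path
SAMPLE_EVENTS = [  # constructed: one benign chain, one HawkEye-like chain
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "parent": r"C:\dev\msbuild.exe"},
    {"type": "process_create", "image": DROPPER, "parent": r"C:\Users\alice\Downloads\setup.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "parent": DROPPER},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent": DROPPER},
    {"type": "registry_set", "image": DROPPER, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winupdate"},
]


def scan(events=SAMPLE_EVENTS):
    """Run every rule over every event and return all alerts in order."""
    return [alert for event in events for alert in analyse(event)]


if __name__ == "__main__":
    for line in scan():
        print(line)
```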
Conclusion
HawkEye's adaptability and ability to evade detection make it a formidable information-stealing malware. Given its persistence, comprehensive features, and low barrier to entry (it is accessible to inexperienced cyber actors), organizations must adopt advanced detection methods and enhance user awareness to mitigate the risk.
Sources:
- AlienVault, "HawkEye Malware IoCs"
- ANY.RUN's Cybersecurity Blog, "HawkEye Malware: Technical Analysis"