
Rewterz Threat Alert – HawkEye Infostealer – Active IOCs

December 1, 2022

Severity

Medium

Analysis Summary

HawkEye, also known as Predator Pain, has been distributed since 2013. HawkEye is primarily an infostealer, but it also has keylogging and antivirus-evasion capabilities, with sophisticated information theft and detection evasion. Like ransomware, the HawkEye keylogger can collect a variety of data from the victim's PC, including saved passwords from web browsers, email clients, and bitcoin wallets. The malware can capture screenshots, act as a keylogger, and extract stored credentials from Internet download managers such as JDownloader.

Previously, a spear-phishing campaign was detected using malicious RTF documents sent via corona-themed emails to distribute the HawkEye keylogger. While most malicious RTF documents use exploits to trigger Object Linking and Embedding (OLE) calls, in this case the documents use the \objupdate switch, so a victim would need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code which downloads and executes the HawkEye payload.

Impact

  • Information Theft
  • Credential Theft
  • Antivirus Bypass

Indicators of Compromise

MD5

b02a8e41db955c8c052dc7f454404ab0
9a3f6073139b203aa64c3b4504e7ba16
299036d93b4352483b7d6f9ea74f09d6
f1736063cde8d800c2df60dd2ae32b28

SHA-256

87ff9d9612267c284b867bd9d4a85224d3bf1c4d8070b3eb6541ef7c6b62c3ad
5975ea85d339a31e8d9b5b1eced0d699c1d59d980896f1332d1e08497f005e21
92eeea68a958e1a8e597abb4a3dd6047241b66324f16d30a9840699bbaf2d62c
beb927e2c2c93bd7af86e0290f6f30a66586275af924cd4f617f87003ab33743

SHA-1

69b02ae3a3b974a40d8948a180bf1d57b9076c99
9a1bba6122bf5f86413949df1afff9cf053ec13f
6f174942ebb29576f0d4783ca47d4efe578808f7
4d4eddc960027a30cdbd5b6c7cf6b43cb931f084

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
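One way to carry out the second remediation step is to sweep a file share or mail-attachment quarantine against the hashes listed above. The script below is an added example written for this advisory, not a Rewterz tool; the hash sets are copied verbatim from the Indicators of Compromise section, and the RTF heuristic (flagging RTF files that contain both the \objupdate control word and embedded \objdata objects) is an assumption drawn from the delivery technique described in the Analysis Summary, intended as a triage signal rather than a definitive verdict.

```python
import hashlib
import os
import re
import sys

# Hashes from the Indicators of Compromise section of this advisory.
HAWKEYE_IOCS = {
    "md5": {
        "b02a8e41db955c8c052dc7f454404ab0",
        "9a3f6073139b203aa64c3b4504e7ba16",
        "299036d93b4352483b7d6f9ea74f09d6",
        "f1736063cde8d800c2df60dd2ae32b28",
    },
    "sha1": {
        "69b02ae3a3b974a40d8948a180bf1d57b9076c99",
        "9a1bba6122bf5f86413949df1afff9cf053ec13f",
        "6f174942ebb29576f0d4783ca47d4efe578808f7",
        "4d4eddc960027a30cdbd5b6c7cf6b43cb931f084",
    },
    "sha256": {
        "87ff9d9612267c284b867bd9d4a85224d3bf1c4d8070b3eb6541ef7c6b62c3ad",
        "5975ea85d339a31e8d9b5b1eced0d699c1d59d980896f1332d1e08497f005e21",
        "92eeea68a958e1a8e597abb4a3dd6047241b66324f16d30a9840699bbaf2d62c",
        "beb927e2c2c93bd7af86e0290f6f30a66586275af924cd4f617f87003ab33743",
    },
}

# Assumed heuristic (not from the advisory): the campaign used \objupdate with
# embedded OLE objects, so count both control words in RTF files for triage.
RTF_OBJUPDATE = re.compile(rb"\\objupdate\b")
RTF_OBJDATA = re.compile(rb"\\objdata\b")


def hash_bytes(data: bytes) -> dict:
    """Return lowercase hex digests for the three hash types the advisory lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: dict = HAWKEYE_IOCS) -> list:
    """Return the names of the hash algorithms whose digest of `data` is an IOC."""
    digests = hash_bytes(data)
    return sorted(
        algo for algo, value in digests.items()
        if value in {h.lower() for h in iocs.get(algo, set())}
    )


def rtf_indicators(data: bytes):
    """Count \\objupdate and \\objdata occurrences; None if the file is not RTF."""
    if not data.startswith(b"{\\rtf"):
        return None
    return {
        "objupdate": len(RTF_OBJUPDATE.findall(data)),
        "objdata": len(RTF_OBJDATA.findall(data)),
    }


def scan_tree(root: str, iocs: dict = HAWKEYE_IOCS) -> list:
    """Walk `root`, returning one finding per file that matches an IOC or the RTF heuristic."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not treated as clean
            hits = match_iocs(data, iocs)
            rtf = rtf_indicators(data)
            suspicious_rtf = bool(rtf and rtf["objupdate"] and rtf["objdata"])
            if hits or suspicious_rtf:
                findings.append({"path": path, "ioc_hits": hits, "rtf": rtf})
    return findings


if __name__ == "__main__":
    # Usage: python hawkeye_sweep.py <directory>
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A hash match is a high-confidence hit and should go straight to incident response; an RTF flagged only by the heuristic warrants a look at its embedded objects, since legitimate documents rarely carry \objupdate alongside several OLE payloads. Passing the IOC dictionary as a parameter lets the same sweep be reused with hash sets from later advisories.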
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.