{"id":9801,"date":"2024-11-13T10:54:29","date_gmt":"2024-11-13T10:54:29","guid":{"rendered":"\/cybersecurity-blog\/?p=9801"},"modified":"2024-11-18T08:29:41","modified_gmt":"2024-11-18T08:29:41","slug":"hawkeye-malware-technical-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/hawkeye-malware-technical-analysis\/","title":{"rendered":"HawkEye Malware: Technical Analysis"},"content":{"rendered":"\n

Editor\u2019s note: The current article is authored by the threat researcher Aaron Jornet Sales, also known as RexorVc0. You can find him on\u00a0X<\/a><\/em> and LinkedIn<\/a>.<\/em>\u00a0<\/p>\n\n\n\n

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger<\/a>, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers<\/a>.<\/p>\n\n\n\n

History of HawkEye<\/h2>\n\n\n\n

HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. After several spearphishing<\/a> campaigns in which this well-known malware was attached, it gained significant popularity starting in 2013.<\/p>\n\n\n\n

This keylogger has been available on various dark web sites, even having dedicated websites where the tool was sold. However, this keylogger has been cracked for years and used by different actors without going through the subscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of use.<\/p>\n\n\n\n

Although it is not one of the most widely used malwares, it remains in active use and saw a significant resurgence during the COVID period. During this time, certain actors took advantage of the general hysteria to obtain company data through phishing campaigns. <\/p>\n\n\n\n

Additionally, HawkEye has been used in conjunction with other loaders and\/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, some of which include Galleon Gold, Mikroceen, iSPY crypter related with Gold Skyline, Remcos<\/a> used on campaigns with HawkEye, Pony<\/a> used on campaigns with HawkEye, etc.<\/p>\n\n\n\n

Technical Analysis<\/strong><\/h2>\n\n\n\n

The method of HawkEye\u2019s delivery has varied throughout its history, as have the types of sources behind the attacks. Nevertheless, it has been primarily involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file, which could be a document, compressed file, or another malware acting as a loader for the keylogger.<\/p>\n\n\n\n

It has also been used to target websites of portals typically accessed by companies, which were the main targets of the attacking groups. Another common method of spreading HawkEye was through “free” software, which turned out to be malware in disguise.<\/p>\n\n\n\n

HawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:<\/p>\n\n\n

\n
\"\"
HawkEye graph<\/em><\/figcaption><\/figure><\/div>\n\n\n

During the analysis process, I typically spend weeks, even months, collecting samples to understand how they function as a whole based on the existing variants. Therefore, we may observe variations among those presented. In most executions, we encounter enormous trees of processes based on their activities. <\/p>\n\n\n\n

To simplify, as you’ve seen in the previous graph, it’s not as complex compared to other stealers or RATs<\/a>. It generally consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related software. Later, in memory, it gathers all possible data and sends it to a C&C.<\/p>\n\n\n

\n
\"\"
ProcDOT detonation chart<\/em><\/figcaption><\/figure><\/div>\n\n\n

Going straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process\u2014a succession of execution copies launched in temporary paths.<\/p>\n\n\n

\n
\"\"
Process Tree execution<\/em> (Image 1)<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Process Tree execution<\/em> (Image 2)<\/figcaption><\/figure><\/div>\n\n\n

In this instance, they used the Roaming\\Templates path, but this is highly variable depending on who created it. Generally speaking, they tend to abuse paths like AppData\\Roaming and AppData\\Temp, which are classic choices.<\/p>\n\n\n

\n
\"\"
Paths commonly abused <\/em>(Image 1)<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Paths commonly abused <\/em>(Image 2)<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Paths commonly abused <\/em>(Image 3)<\/figcaption><\/figure><\/div>\n\n\n

Here\u2019s the list of paths observed for dropping files:<\/p>\n\n\n\n