Hawkeye

Hawkeye, also known as Predator Pain, is a dangerous trojan and keylogger: malware used to steal information from PCs. It has advanced detection-evasion and information-stealing functionality, and it can be combined with other malicious software to steal passwords from email clients and web browsers.

  • Type
    Keylogger
  • Origin
    Unknown
  • First seen
    1 January, 2013
  • Last seen
    21 November, 2019
  • Also known as
    Predator Pain
  • Global rank
    7
  • Week rank
    5
  • Month rank
    7
  • IOCs
    1145

What is Hawkeye malware?


Available as a service on the dark web, Hawkeye can be used even by attackers with little technical skill. In addition, this malware is known to have been advertised for some time on the open internet through its own website, which is no longer available. What’s more, the creators of Hawkeye have developed a unique business model in which intermediaries resell the malware.

General description of Hawkeye

The Hawkeye keylogger can steal a variety of information from the victim's PC, including passwords from mail clients and web browsers and Bitcoin wallet data. Furthermore, the malware can take screenshots, log keystrokes, and retrieve stored credentials from Internet Download Manager and JDownloader.

Predator Pain targets victims worldwide, but its attacks are registered most often in countries with the wealthiest economies by GDP, such as the USA, Canada, Italy, and others.

Hawkeye uses a technique called process hollowing to stay hidden from antivirus software: the trojan starts a new instance of a harmless process and then replaces that process's code in memory with malicious code. Version 8 of the Hawkeye keylogger differs from earlier iterations in that, instead of running the main malicious code as a new process, it injects the payload into MSBuild.exe, RegAsm.exe, or VBC.exe, which are part of the .NET Framework, so the malware further disguises itself as a real and harmless process.

Another difference between the newest Predator Pain version and the older ones is that, instead of being written in C, it is now written in .NET and calls the native Windows API directly.

The primary function of Hawkeye is to record keystrokes and mouse clicks along with the window context and clipboard contents. In addition, the malware has special modules that extract information from certain applications, including the popular video game Minecraft, the FTP client FileZilla, and others.

As is common for this class of malware, Predator Pain uses the legitimate BrowserPassView and MailPassView tools to recover saved browser and email credentials. In addition, the malware can activate and take control of the webcam if the infected machine has one connected.

To hinder detection and analysis, Hawkeye comes equipped with a series of evasion techniques besides process hollowing. For instance, the malware can delay its own execution, which helps it trick some automated sandbox analysis tools. It also targets specific antivirus processes, stopping them from running, and blocks access to several domains that antivirus programs use for updates.

What’s more, the malware actively prevents the victim from stopping its processes by blocking the command prompt, registry editor, and task manager. At the same time, Hawkeye constantly scans the computer for other malicious programs and deletes any it finds.

Hawkeye malware analysis

The execution process of the Predator Pain keylogger can be reviewed in detail in a video recorded in the ANY.RUN malware hunting service.


Figure 1. A visual process graph generated by ANY.RUN allows analysts to quickly review the lifecycle of Hawkeye


Figure 2. ANY.RUN also lets researchers generate customizable text reports, which are a convenient way to present analysis results

Hawkeye execution process


Figure 3. Execution processes of Hawkeye as displayed by the ANY.RUN malware hunting service

The Hawkeye keylogger usually reaches users' devices through phishing emails, most commonly as a malicious Microsoft Office file, such as a .docx document. When the user opens the downloaded file, it either asks the user to enable macros or uses vulnerabilities to download and execute the main payload. In most cases, the payload is dropped into the %AppData% folder. To maintain persistence, the malware adds itself to the autorun registry key. It also uses process hollowing to hide its code inside legitimate processes: version 8 of Hawkeye, shown in the video from our simulation, injects itself into MSBuild.exe, RegAsm.exe, or VBC.exe. Before sending information to the command-and-control server, Hawkeye saves the stolen data in .tmp files placed in the %Temp% folder. Usually, these .tmp files are deleted after the information has been sent.


Figure 4. Information saved in a .tmp file

How to avoid infection by Hawkeye?

Following common online hygiene guidelines is a good way to avoid infection with Hawkeye. Users should be careful when downloading free software from unknown or suspicious websites and should check URLs carefully when downloading any software.

In addition, after receiving a suspicious email or an email from an unknown sender, users should be very careful with attachments. If a document, when opened, prompts the user to enable macros or enable editing, users must not follow these instructions, as they most likely indicate that the file is malicious.

Distribution of Hawkeye

Hawkeye uses multiple distribution methods including packaging within free downloadable programs or being disguised as legitimate software. Hawkeye can also be installed to the victim’s PC manually if the attacker gains either remote or physical access to the machine.

However, the most common distribution method is email phishing, where the malware arrives as a malicious attachment, usually a Microsoft Word document. Known phishing campaigns typically use lures such as notifications about an issue with a real product, quotation requests, payment orders, or random personal or alarming topics designed to trick the victim into downloading the attachment.

In most cases, Microsoft Office opens the document with a warning and Hawkeye displays a message prompting the user to enable editing; the user must interact with it for the trojan to start executing. In other cases, however, the malware uses Microsoft Office exploits that allow Hawkeye to start executing without any user interaction.

How to detect Hawkeye using ANY.RUN?

This malware creates files that let analysts say for sure that the sample is Hawkeye. Click on the malicious process in the process tree, then click the "More info" button. In the upper-right corner of the "Events" panel, switch from "Friendly" to "Raw". You now see all file operations performed by the chosen process. This malware family often creates files with "Reborn" in their names, and based on that you can determine that it is Hawkeye.

Figure 5. Files created by Hawkeye
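The behaviours described in the execution-process section (payload dropped to %AppData%, autorun registry entry, injection into MSBuild.exe, RegAsm.exe or VBC.exe, .tmp staging files in %Temp%) and the "Reborn" file-name tell described in this section can also be checked programmatically over raw sandbox or endpoint events rather than by clicking through the UI. The following Python script is an added example and not ANY.RUN's code: the JSON-lines event schema, field names and sample events are constructed for this example, the indicator values come from this page, and the registry policy values it checks for the disabled Task Manager, registry editor and command prompt (DisableTaskMgr, DisableRegistryTools, DisableCMD) are an assumption about how those tools are commonly disabled, since the page does not describe Hawkeye's mechanism.

```python
"""Triage of raw sandbox/endpoint events for Hawkeye behaviours.

Added example, not ANY.RUN's code.  The JSON-lines event schema and the
sample events below are constructed; the indicators (MSBuild.exe / RegAsm.exe /
VBC.exe injection targets, %AppData% drop, autorun Run key, .tmp staging in
%Temp%, "Reborn" file names) are taken from the page text.
"""
import json
import re
from collections import defaultdict

# .NET Framework utilities that Hawkeye v8 injects into (from the page).
HOLLOW_TARGETS = {"msbuild.exe", "regasm.exe", "vbc.exe"}
# Parents from which those utilities should not normally be launched.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
APPDATA_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
TEMP_TMP_RE = re.compile(r"\\temp\\[^\\]+\.tmp$", re.I)
# Assumption: policy values commonly used to disable Task Manager, regedit and
# cmd.  The page says Hawkeye blocks these tools but does not say how.
TOOL_DISABLE_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}


def basename(path):
    """Last component of a Windows-style path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def load_events(jsonl_text):
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def triage(events):
    """Return {pid: [finding, ...]} for events that match Hawkeye behaviours."""
    findings = defaultdict(list)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            parent_in_appdata = bool(APPDATA_RE.search(ev["parent_image"]))
            if image in HOLLOW_TARGETS and (parent in OFFICE_PARENTS or parent_in_appdata):
                findings[pid].append(f"possible process hollowing: {image} spawned by {parent}")
            elif APPDATA_RE.search(ev["image"]) and parent in OFFICE_PARENTS:
                findings[pid].append(f"Office application launched payload from AppData: {ev['image']}")
        elif kind == "registry_set":
            data = str(ev.get("data", ""))
            if RUN_KEY_RE.search(ev["key"]) and APPDATA_RE.search(data):
                findings[pid].append(f"autorun persistence pointing into AppData: {data}")
            if ev["value_name"].lower() in TOOL_DISABLE_VALUES and data == "1":
                findings[pid].append(f"admin tool disabled via policy value {ev['value_name']}")
        elif kind == "file_create":
            path = ev["path"]
            if TEMP_TMP_RE.search(path):
                findings[pid].append(f"staging file in %Temp%: {path}")
            if "reborn" in basename(path):
                findings[pid].append(f"'Reborn' in created file name: {path}")
    return dict(findings)


# Constructed sample events: a Word document drops invoice.exe into %AppData%,
# which persists via the Run key, disables Task Manager, hollows RegAsm.exe and
# stages stolen data in %Temp%.  The final event is a benign MSBuild run from
# Visual Studio and must not be flagged.
SAMPLE_EVENTS = r"""
{"type": "process_create", "pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "process_create", "pid": 5012, "image": "C:\\Users\\alice\\AppData\\Roaming\\invoice.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"type": "registry_set", "pid": 5012, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "invoice", "data": "C:\\Users\\alice\\AppData\\Roaming\\invoice.exe"}
{"type": "registry_set", "pid": 5012, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "value_name": "DisableTaskMgr", "data": "1"}
{"type": "process_create", "pid": 5320, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\invoice.exe"}
{"type": "file_create", "pid": 5320, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp3F1A.tmp"}
{"type": "file_create", "pid": 5320, "path": "C:\\Users\\alice\\AppData\\Roaming\\invoice\\Reborn.txt"}
{"type": "process_create", "pid": 6100, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe"}
"""

if __name__ == "__main__":
    for pid, items in sorted(triage(load_events(SAMPLE_EVENTS)).items()):
        print(pid)
        for item in items:
            print("  -", item)
```

The parent check is what keeps the MSBuild.exe and RegAsm.exe rules useful: both binaries run legitimately on developer machines, so the script only flags them when the parent is an Office application or itself lives under %AppData%, which is the chain the page describes.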

Conclusion

Carrying advanced anti-analysis techniques and robust info-stealing functionality, Hawkeye presents a serious danger to corporations and individuals around the globe. Unfortunately, the distribution of malware as a service allows even cybercriminals with little technical skill to set up effective attack campaigns, contributing to the overall popularity of the malware.

Furthermore, Hawkeye uses a set of special techniques to complicate analysis, in particular to trick automated analysis services, which slows the development of countermeasures.

However, interactive analysis services like ANY.RUN give researchers the ability to examine malware even as elusive as Hawkeye is and conduct effective studies.

IOCs

IP addresses
104.16.154.36
104.16.155.36
46.21.144.100
66.171.248.178
149.202.94.225
162.210.70.9
103.21.59.28
204.11.58.87
192.185.57.219
199.79.63.218
85.17.187.29
198.54.125.159
103.21.58.156
50.116.64.41
162.241.148.33
209.99.16.42
188.241.39.220
93.89.226.136
103.6.198.17
199.79.63.211
Hashes

Domains
e8960.b.akamaiedge.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
smtp.juili-tw.com
elx01.knas.systems
server1.monovm.com
smtp.ibemakine.com
smtp.pbrend.com
smtp.ageatiainc.com
smtp.sresystems.co.in
smtp.pnauconvalves.com
smtp.datainreach.online
smtp.kinggroupworld.com
smtp.beksshlpping.com
smtp.stagaleather.com
smtp.lorenzobaroso.com
smtp.egest-eg.com
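An example of how the IP and domain IOCs above can be applied to network telemetry. This Python script is added here and is not ANY.RUN's code: the log line format and the sample lines are constructed, the indicators are a subset of the list above, and the treatment of CDN edge names such as e8960.b.akamaiedge.net as shared infrastructure (a lone DNS hit there is weak evidence) is a defender's judgement call made here as an assumption, not something the page states.

```python
"""Match network log lines against the Hawkeye IOCs listed on this page.

Added example, not ANY.RUN's code.  The log format and sample lines are
constructed; the IP and domain indicators are a subset of the page's IOC list.
"""
import ipaddress
import re

# Subset of the page's IOC list.
HAWKEYE_IPS = {"46.21.144.100", "66.171.248.178", "149.202.94.225",
               "103.21.59.28", "188.241.39.220", "85.17.187.29"}
HAWKEYE_DOMAINS = {"thuocnam.tk", "majul.com", "krupskaya.com",
                   "smtp.juili-tw.com", "smtp.pbrend.com", "e8960.b.akamaiedge.net"}
# Assumption: CDN edge names are shared by many tenants, so a hit there alone
# is weak evidence and is reported with low confidence.
SHARED_INFRA_SUFFIXES = ("akamaiedge.net",)

# Constructed log format:
#   "<timestamp> <source host> dns <queried name>"
#   "<timestamp> <source host> conn <destination ip> <destination port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+(?P<target>\S+)(?:\s+(?P<port>\d+))?$"
)


def domain_matches(host, ioc):
    """True if host equals the IOC domain or is a subdomain of it.

    The label boundary is respected, so notkrupskaya.com does not match
    krupskaya.com while mail.krupskaya.com does."""
    host, ioc = host.lower().rstrip("."), ioc.lower()
    return host == ioc or host.endswith("." + ioc)


def scan(lines):
    """Return one hit dict per log line that touches a Hawkeye IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank, malformed or unrelated line
        if m["kind"] == "dns":
            for ioc in HAWKEYE_DOMAINS:
                if domain_matches(m["target"], ioc):
                    confidence = "low" if m["target"].lower().endswith(SHARED_INFRA_SUFFIXES) else "high"
                    hits.append({"ts": m["ts"], "src": m["src"], "kind": "domain", "ioc": ioc,
                                 "observed": m["target"], "confidence": confidence})
        else:
            try:
                ip = str(ipaddress.ip_address(m["target"]))
            except ValueError:
                continue  # not an IP literal; skip rather than guess
            if ip in HAWKEYE_IPS:
                observed = ip + (":" + m["port"] if m["port"] else "")
                hits.append({"ts": m["ts"], "src": m["src"], "kind": "ip", "ioc": ip,
                             "observed": observed, "confidence": "high"})
    return hits


# Constructed sample telemetry.  10.0.0.15 resolves an IOC SMTP host and then
# connects to an IOC IP on the submission port; 10.0.0.22 resolves a subdomain
# of an IOC domain and a CDN edge name; the remaining lines are benign.
SAMPLE_LOG = """
2019-11-20T10:02:11Z 10.0.0.15 dns smtp.pbrend.com
2019-11-20T10:02:12Z 10.0.0.15 conn 46.21.144.100 587
2019-11-20T10:03:40Z 10.0.0.22 dns mail.krupskaya.com
2019-11-20T10:04:01Z 10.0.0.22 dns e8960.b.akamaiedge.net
2019-11-20T10:05:00Z 10.0.0.31 dns www.example.com
2019-11-20T10:05:02Z 10.0.0.31 conn 93.184.216.34 443
2019-11-20T10:06:00Z 10.0.0.40 dns notkrupskaya.com
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} {hit['kind']} {hit['observed']} "
              f"-> {hit['ioc']} ({hit['confidence']})")
```

Many of the listed hosts are smtp.* names, so the script keeps the destination port of each IP hit: a match on a mail submission port from a workstation that should not be sending mail directly is the kind of detail that turns an IOC hit into something worth triaging.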
