Hawkeye

Hawkeye is a Trojan and keylogger used to steal private information such as passwords and login credentials, and it is often installed in a bundle with other malware. It is an advanced piece of malware with strong detection-evasion and anti-analysis functions.

Type: Keylogger
Origin: Unknown
First seen: 1 January, 2013
Last seen: 16 April, 2021
Also known as: Predator Pain, HawkEye Reborn
Global rank: 8
Week rank: 21
Month rank: 25
IOCs: 2909

What is Hawkeye malware?

Hawkeye, also known as Predator Pain, is a dangerous Trojan and keylogger: malware used to steal information from PCs. It has very advanced detection-evasion and information-stealing functionality. Hawkeye can be combined with other malicious software to steal passwords from email clients and web browsers.

Sold as a service on the dark web, Hawkeye can be used even by attackers with little technical skill. For some time the malware was also openly advertised on the clear web through its own website, which is no longer available. Its creators also developed an unusual business model in which intermediaries resell the malware.

General description of Hawkeye

Hawkeye keylogger can steal a variety of information from the victim's PC, including passwords from mail clients and web browsers and Bitcoin wallet data. It can also take screenshots, log keystrokes, and harvest saved credentials from the download managers Internet Download Manager and JDownloader.

Predator Pain targets victims worldwide, but its attacks are registered most often in countries with the wealthiest economies by GDP, such as the USA, Canada, Italy, and others.

Hawkeye keylogger hides from antivirus software with a technique called process hollowing: the Trojan starts a new instance of a legitimate process, typically in a suspended state, unmaps that process's original code from memory and writes its own payload in its place, so the malicious code runs under a trusted process name. Version 8 of Hawkeye differs from earlier iterations in that, instead of running the main malicious code as a new process of its own, it injects the payload into MSBuild.exe, RegAsm.exe, or VBC.exe, all part of the .NET Framework, which lets the malware disguise itself further as a real, harmless process.

Another difference between the newest Predator Pain version and the older ones is that it is no longer written in C; it is now a .NET application that calls the native Windows API directly.

The primary function of Hawkeye keylogger is to record keystrokes and mouse clicks along with the active window title and clipboard contents. In addition, the malware has dedicated modules for extracting data from specific applications, including the popular video game Minecraft, the FTP client FileZilla, and others.

As is common among stealers, Predator Pain bundles the legitimate NirSoft utilities BrowserPassView and MailPassView to dump saved passwords from browsers and email clients. The malware can also activate and take control of a webcam, if the infected machine has one connected.

To hinder detection and analysis, Hawkeye comes equipped with a series of anti-analysis techniques besides process hollowing. For instance, the malware can delay its execution, which helps it outlast the timeouts of some automated sandbox analysis tools. It also targets specific antivirus processes and stops them from executing, and blocks access to several domains that antivirus programs use for updates.

What's more, the malware actively prevents the victim from killing its processes by disabling the Command Prompt, Registry Editor and Task Manager. At the same time, Hawkeye constantly scans the computer for other malicious programs and immediately deletes any it finds.

Hawkeye keylogger malware analysis

The execution process of the Predator Pain keylogger can be reviewed in detail in a video recorded in the ANY.RUN malware hunting service.


Figure 1. A visual process graph generated by ANY.RUN allows analysts to quickly review the lifecycle of Hawkeye.


Figure 2. ANY.RUN also lets researchers generate customizable text reports, which are a convenient way to present analysis results.

Hawkeye execution process


Figure 3. Execution processes of Hawkeye as displayed by the ANY.RUN malware hunting service.

Hawkeye keylogger usually reaches users' devices through phishing emails, most commonly as a malicious Microsoft Office file such as a .docx document. After the user opens the downloaded file, it either asks the user to enable macros or uses vulnerabilities to download and execute the main payload. In most cases the payload is downloaded into the %AppData% folder. To maintain persistence, the malware adds itself to an autorun registry key. It also uses process hollowing to hide its code inside legitimate processes; version 8 of Hawkeye, shown in the recording of our analysis session, injects itself into MSBuild.exe, RegAsm.exe, or VBC.exe. Before sending information to the command-and-control server, Hawkeye stages the stolen data in .tmp files placed in the %Temp% folder. These .tmp files are usually deleted after the information has been sent.


Figure 4. Information saved in a .TMP file

How to avoid infection by Hawkeye?

Following some common online hygiene guidelines is a good way to avoid a Hawkeye infection. Users should be careful when downloading free software from unknown or suspicious websites and should check URLs carefully whenever they download software.

Users should also be very careful with attachments in suspicious emails or emails from unknown senders. If an opened document prompts the user to enable macros or enable editing, the user should never follow these instructions, as they most likely indicate that the file is malicious.

Distribution of Hawkeye

Hawkeye Trojan uses multiple distribution methods, including bundling with free downloadable programs and disguising itself as legitimate software. Hawkeye can also be installed on the victim's PC manually if the attacker gains remote or physical access to the machine.

The most common distribution method, however, is email phishing, where the malware arrives as a malicious attachment, usually a Microsoft Word document. Known phishing campaigns have revolved around notifications about an issue with a real product, quotation requests, payment orders, or random personal and alarming topics, all aimed at tricking the victim into opening the attachment.

In most cases Microsoft Office opens the document with a security warning, and Hawkeye displays a message prompting the user to enable editing; the Trojan cannot start executing until the user does so. In other cases, however, the malware uses Microsoft Office exploits, allowing Hawkeye to start executing without any user interaction.

How to detect Hawkeye using ANY.RUN?

This malware creates files that allow analysts to say for sure that the sample is Hawkeye. Click on the malicious process in the process tree, then click the "More info" button. In the upper-right corner of the "Events" panel, switch from "Friendly" to "Raw". You now see all file operations performed by the chosen process. This family often tries to create files with "Reborn" in their names, and based on that you can determine that the sample is Hawkeye.

Figure 5. Files created by Hawkeye
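The behaviours described in the execution-process section (a payload launched from %AppData% by an Office document, autorun persistence, injection into MSBuild.exe, RegAsm.exe or VBC.exe, stolen data staged as .tmp files in %Temp%) and the "Reborn" file names from this section can be turned into hunting rules over endpoint telemetry. The following Python is an added example, not ANY.RUN's code or anything taken from the malware: it runs five heuristics over constructed Sysmon-style events (the field names are assumptions modelled on Sysmon Event IDs 1, 11 and 13, and every path and file name in the sample is made up) and reports processes that trip more than one rule. The check that the .NET host was started without a build target or assembly argument is an added heuristic, not something the page states.

```python
"""
Behavioural hunting rules for the Hawkeye chain described above, run over
constructed Sysmon-style telemetry. Added example, not ANY.RUN's code.
Field names follow Sysmon Event ID 1 (process create), 11 (file create)
and 13 (registry value set); the sample paths and file names are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Legitimate .NET Framework binaries that Hawkeye v8 injects into (from the page).
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "vbc.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
TEMP_TMP = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.tmp$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create, 13 = registry value set
    pid: int
    image: str               # process that performed the action
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""
    target_object: str = ""  # registry path (Event ID 13)
    details: str = ""        # registry value data (Event ID 13)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply each rule to each event; return one Finding per rule hit."""
    findings = []
    for e in events:
        if e.event_id == 1:
            img, parent = basename(e.image), basename(e.parent_image)
            # A phishing document drops and launches a payload from %AppData%.
            if parent in OFFICE_APPS and APPDATA.search(e.image):
                findings.append(Finding(e.pid, "office_spawns_appdata_payload", e.image))
            # MSBuild/RegAsm/vbc started by something in %AppData% with no build
            # target or assembly argument: a hollowing host, not a real build.
            if (img in DOTNET_HOSTS and APPDATA.search(e.parent_image)
                    and len(e.command_line.split()) <= 1):
                findings.append(Finding(e.pid, "dotnet_host_from_appdata", e.parent_image))
        elif e.event_id == 11:
            name = basename(e.target_filename)
            # The family names some of its files "Reborn" (see Figure 5).
            if "reborn" in name:
                findings.append(Finding(e.pid, "reborn_filename", e.target_filename))
            # Stolen data is staged as .tmp files in %Temp% before exfiltration;
            # a .NET build utility has no business writing them.
            if basename(e.image) in DOTNET_HOSTS and TEMP_TMP.search(e.target_filename):
                findings.append(Finding(e.pid, "dotnet_host_writes_temp_tmp", e.target_filename))
        elif e.event_id == 13:
            # Autorun persistence pointing at a binary in %AppData%.
            if RUN_KEY.search(e.target_object) and APPDATA.search(e.details):
                findings.append(Finding(e.pid, "run_key_to_appdata", e.details))
    return findings


def suspicious_pids(findings, min_rules=2):
    """Processes hit by at least min_rules distinct rules; single hits are treated as noise."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f.pid].add(f.rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= min_rules)


def sample_events():
    """Constructed telemetry: one infection chain plus benign noise."""
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    payload = r"C:\Users\victim\AppData\Roaming\invoice_4471.exe"
    regasm = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    return [
        Event(1, 1000, word, parent_image=r"C:\Windows\explorer.exe"),
        Event(1, 2000, payload, parent_image=word, command_line=payload),
        Event(13, 2000, payload,
              target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\invoice",
              details=payload),
        Event(1, 3000, regasm, parent_image=payload, command_line="RegAsm.exe"),
        Event(11, 3000, regasm,
              target_filename=r"C:\Users\victim\AppData\Local\Temp\Reborn_victim-PC.tmp"),
        # Benign: a real build, and a browser writing its own temp file.
        Event(1, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              parent_image=r"C:\Program Files\dotnet\devenv.exe",
              command_line="MSBuild.exe app.csproj /t:Build"),
        Event(11, 5000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              target_filename=r"C:\Users\victim\AppData\Local\Temp\scoped_dir.tmp"),
    ]


if __name__ == "__main__":
    found = analyze(sample_events())
    for f in found:
        print(f"pid {f.pid}: {f.rule} ({f.detail})")
    print("suspicious pids:", suspicious_pids(found))
```

On the sample, the dropped payload (pid 2000) trips the Office-parent and Run-key rules, and the hollowed RegAsm.exe (pid 3000) trips the remaining three, while the genuine MSBuild invocation and the browser's .tmp file produce nothing. Requiring two distinct rules per process before alerting is what keeps a single .tmp write or a single .NET utility launch from paging anyone; in production the same rules would be written as a SIEM correlation over the real Sysmon fields rather than run from a Python list.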

Conclusion

Carrying very advanced detection-evasion techniques and robust info-stealing functionality, Hawkeye presents a serious danger to corporations and individuals around the globe. Unfortunately, distribution as malware-as-a-service allows even cybercriminals with little technical skill to set up effective attack campaigns, contributing to the overall popularity of the malware.

Furthermore, Hawkeye Trojan uses a set of special techniques to complicate analysis, in particular to trick automated analysis services, which slows the development of countermeasures.

However, interactive analysis services like ANY.RUN give researchers the ability to examine even malware as elusive as Hawkeye and conduct effective studies.

IOCs

IP addresses
66.171.248.178
104.16.154.36
50.87.253.146
116.206.105.72
95.130.175.151
104.16.155.36
160.153.129.236
67.225.129.56
198.54.125.159
111.118.215.253
103.21.59.28
192.99.81.95
198.54.115.43
85.17.187.29
67.20.76.74
207.174.213.181
198.187.29.26
204.11.58.87
145.14.144.20
23.94.30.178
Hashes

Domains
majul.com
www.hyssnauae.com
e8960.b.akamaiedge.net
files.000webhost.com
elx01.knas.systems
smtp.bioaccentonline.us
ftp.testproeg.com
smtp.jpoco.net
smtp.erneralduae.com
smtp.taiemerica.com
smtp.blackpyramid.xyz
smtp.brandenburggruppe-de.com
smtp.solartorbines.com
smtp.iklea-res.com
smtp.ibtbrussel.eu
smtp.elittacop.com
smtp.cpmindia.co.in
smtp.greenhornechem.com
smtp.auroraallimentos-br.com
smtp.xideshengs.com
