Hawkeye

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Type
Keylogger
Origin
Unknown
First seen
1 January, 2013
Last seen
14 October, 2021
Also known as
Predator Pain
HawkEye Reborn
Global rank
12
Week rank
25
Month rank
25
IOCs
3104

What is Hawkeye malware?

Hawkeye, also known as Predator Pain, is a dangerous trojan and keylogger - a malware used to steal information from PCs. It has very advanced detection evasion and information stealing functionality. Hawkeye can be combined with other malicious software to steal passwords from email clients and web browsers.

Available as a service on the dark web, Hawkeye can be used even by non-technically savvy attackers. In addition, this malware is known to have been advertised for some time on the general Internet on its own website, which today is unavailable. What’s more, the creators of Hawkeye have developed a unique business model in which intermediaries are used for reselling the malware.

General description of Hawkeye

Hawkeye keylogger is capable of stealing a variety of information from the victim's PC, including passwords from mail clients, web browsers, and bitcoin wallet information, as ransomware does. Furthermore, this malware can take screenshots, have a keylogger functionality, and retrieve data from the Internet download manager to employ JDownloader to steal passwords.

Predator Pain targets victims worldwide, but its attacks are being registered most often in the countries with the wealthiest economies, according to the GPD data, such as the USA, Canada, Italy, and others.

Hawkeye keylogger employs a sophisticated technique to stay hidden from the antiviruses called process hollowing. In essence, the Trojan generates a new instance of a harmless process to swap the native code with a malicious one subsequently. The 8 version of Hawkeye keylogger is different from previous iterations of the malware. Instead of running the main malicious code as a new process, the latest build injects the payload into MSBuild.exe, RegAsm.exe, and VBC.exe, which are a part of the .NET framework, enabling the virus to further disguises itself as a real and harmless process.

Another difference between the newest Predator Pain version from the older ones is that instead of being written in C, now it uses .NET and calls the native Windows API directly.

The primary function of the Hawkeye keylogger is to record the key and mouse presses along with window context and clipboard data. In addition, the malware has special modules that allow it to derive information from certain applications, including a popular video game Minecraft, the FTP client FileZilla and others.

Somewhat standardly, Predator Pain utilizes real BrowserPassView and MailPassView tools to save data from browsers and emails. In addition, the malware is able to activate and take control of the webcam if the infected machine has one connected.

To prevent detection and analysis, Hawkeye comes equipped with a series of anti-evasion tools besides processes hollowing. For instance, the malware sets a delay before being executed, which helps it trick some of the automated sandbox analysis tools. It also comes equipped with a technique that targets specific antivirus processes and stops them from executing and blocks access to several domains used by antivirus programs for updating.

What’s more, the malware takes active steps to prevent the victim from disabling its own processes by taking control over command prompt, registry editor, and task manager. At the same time, Hawkeye constantly scans the computer for other malicious programs and instantly deletes them if found.

Hawkeye keylogger malware analysis

The execution process of the Predator Pain keylogger can be reviewed in a lot of detail in a video recorded in the ANY.RUN malware hunting service

hawkeye execution process graph

Figure 1. a visual process graph generated by ANY.RUN allows reviewing the lifecycle of the Hawkeye quickly

text report of the hawkeye malware analysis

Figure 2. ANY.RUN also allows researchers to generate customizable text reports which are a great way to present the analysis results

Hawkeye execution process

hawkeye execution process tree

Figure 3. Execution processes of Hawkeye as displayed by the ANY.RUN malware hunting service

Hawkeye keylogger usually reaches users' devices through phishing emails, most commonly as a malicious Microsoft Office file, such as Docx file. After the user opens the downloaded file, it either asks the user to enable macros or uses vulnerabilities to download and execute the main payload. In most cases, it downloads itself into the %AppData% folder. To maintain its presence, the malware adds itself to the autorun registry. It also uses process hollowing to hide its code in legitimate processes. For example, the 8 version of Hawkeye, presented in the video from our simulation, injects itself into MSBuild.exe, RegAsm.exe, or VBC.exe. Before sending information to the control server, Hawkeye saves stolen data in Tmp files into the %Temp% folder. Usually, these Tmp files are deleted after the information is sent to a control server.

stolen by hawkeye data saved in tmp file

Figure 4. Information saved in .TMP file

How to avoid infection by Hawkeye?

Following some common online hygiene guidelines is a good way to stay safe from getting infected with Hawkeye. In addition, users should be careful when downloading free software from unknown or suspicious websites and carefully check the URLs when downloading any software in general.

In addition, after receiving a suspicious email or an email from an unidentified sender, users should be cautious when downloading attachments. Although the opened document prompts the user to enable macros or activate the editing, users must never follow these instructions as they most likely indicate the file's malicious nature.

Distribution of Hawkeye

Hawkeye trojan uses multiple distribution methods, including packaging within free downloadable programs or disguised as legitimate software. Hawkeye can also be installed on the victim’s PC manually if the attacker gains remote or physical access to the machine.

However, the most commonly used distribution method is email phishing, the same as ransomware, where the malware is distributed as a malicious attachment, usually a Microsoft Word document. Known phishing campaigns usually revolve around notifications regarding an issue with a real product, quotation requests, payment orders, or random or personal, disturbing topics aimed at tricking the victim into downloading the attachment.

In most cases, the Microsoft Office opens the document with a warning, and Hawkeye displays a message prompting to enable editing. Thus, the user must interact with to make the trojan start the execution process. However, in some other cases, the malware uses Microsoft Office exploits, allowing Hawkeye to start the execution without any user interaction.

How to detect Hawkeye using ANY.RUN?

This malware creates files that allow analysts to say for sure that this is Hawkeye. First, click on the malicious process in the process tree and then click the "More info" button. Then on the upper-right corner of the "Events" panel, switch from "Friendly" to "Raw." Now you see all operations with files that were performed by a chosen process. Often, this malware family tries to create files with "Reborn" in their names. And based on that type, you can determine that it is Hawkeye.

files created by hawkeye Figure 5: Files created by Hawkeye

Conclusion

Carrying extremely advanced anti-evasion techniques and robust info-stealing functionality, Hawkeye presents a danger to corporations and individuals all around the globe. Unfortunately, the distribution of malware as a service allows even non-technically savvy cybercriminals to set up effective attack campaigns, contributing to the overall popularity of the virus.

Furthermore, Hawkeye trojan uses a set of special techniques to complicate the analysis and trick automated analysis services and confuse the development of countermeasures.

However, interactive analysis services like ANY.RUN gives researchers the ability to examine malware even as elusive as Hawkeye is and conduct effective studies.

IOCs

IP addresses
66.171.248.178
104.16.154.36
104.16.155.36
66.70.204.222
204.11.58.87
103.21.59.28
185.240.248.22
192.185.57.219
45.141.152.18
162.241.169.155
50.87.154.10
103.21.58.156
162.241.148.33
198.54.115.43
160.153.129.236
198.187.29.251
188.165.205.198
145.14.144.214
145.14.145.229
49.12.122.233
Hashes
cfd101cc1ca89fa01292df5e366f0bb1eab98c59eb9a9d98a97ac3467c7cdaa4
cbba68b38ac9d1694b79a6c58863dcc556d593978da1c5d122b8ac1e0e8ef5cd
cf14361809b82f7e018f3242c44686ec5f737c9255c62efd127d1046e3a8583d
691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
fa38ec9464602a1727813004fc616d9d0359c37da01b7d07c3e38784c0b2a46d
de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
413a42c64c862a424e79979d3026c1f26b024165844955b79ed1b721452cb5a3
1c039d77c39da45843e7fcff8edc86b1c9233d95b0f566769e6797df11a34ec9
c55c6d621f59557a8d383b1eb01ac9fd9de56e22fde72e1a46ebc08e18f28169
4c7ce63cd966e72e5d94f6dc8b0f82cec35b88b1a8d24305c52a7106cdad5ad9
a06a0a525053cb7019e362e978e55c7145d90374badf173350514a1a06dceaa8
22729061a1c533ec5e1a4720c9007ddb77cfd1187d2958b9f6635224dbe3b4fd
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
e0ea4299a2c8f25826308ad9892c4fce62b4e9d2c8af22d4fb7c7a5ea7888f3d
ed133e3bc6f781c4a981f93c180e38c70572ad80e48c12294585767e583b9d0f
42304391419c6a633348f4bcc230e32b7868586bbe9e6456ac830bad404b7c7f
9539683bd6c01e6355772a59252bc6902d60353829df7e135c67bc3d44d49fd3
dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5
249026be43affbdc61be8dd1aae8602668ba6bee72e43d4760b2acc7ab1526d4
f874a58fa2ede6f9ed3fecb71259c1190e2d8c47d71b05e30e66bd727233551a
Domains
isns.net
qxq.ddns.net
krupskaya.com
m-onetrading-jp.com
majul.com
thuocnam.tk
vcctggqm3t.dattolocal.net
www.hyssnauae.com
suabepga.net
smtp.aiotecs.com
elx01.knas.systems
192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex.direct
e8960.b.akamaiedge.net
smtp.recornit.com
smtp.maizinternational.com
smtp.telenor-com.xyz
smtp.pdcblt.net
smtp.raymond-john.com
smtp.ametexegypts.info
smtp.nutritionauctores.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More