HAWKEYE Remote Access Trojan

HAWKEYE (also known as Hawkeye Keylogger or iSpy) is a remote access trojan sold on an as-a-service basis through a number of dark web forums.

Threat ID:: CC-2958
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Email spam, Exploit kit
Published:: 5 March 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

HAWKEYE (also known as Hawkeye Keylogger or iSpy) is a remote access trojan sold on an as-a-service basis through a number of dark web forums.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

It was first observed in late 2014 and has been used in campaigns primarily targeting financial, governmental, and engineering organisations.

Threat actors using HAWKEYE may deliver it in any way they wish, although it has been distributed primarily through spam campaigns. Attachments sent in these campaigns contain a number of exploits for known vulnerabilities that will be executed when the files are opened. Watering hole attacks and exploit kits have also been observed as alternative distribution methods.

Once delivered, HAWKEYE extracts an embedded Dynamic Link-Library (DLL) file before loading it into memory using process hollowing. This DLL is then used to extract and execute other modules. HAWKEYE's primary module is used to log keystrokes, mouse movements and clipboard content, as well as to record the screen, microphone and Voice Over IP (VOIP) conversations. Other modules are used to extract browser and email credentials, and to visit certain URLs in a hidden browser for click-based monetisation.

For further information:

Update 13 Mar 2019

Hawkeye has been observed being delivered in a new spam campaign. The emails include two attachments that use the .z file extension, however it is believed that these are actually .iso files.

Update 17 Apr 2019

The latest version of Hawkeye, known as Hawkeye Reborn v9, is now being sold online. The variant uses a more detailed control panel but provides no new functionality.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

CVE-2010-3333

CVE-2012-0158

CVE-2017-0199

CVE-2017-1182

Last edited: 14 February 2020 2:48 pm