A recent attack wave involving HawkEye malware sends data stolen from its victims to another keylogger provider’s website.
On 21 May, My Online Security came across a new sample of HawkEye. The delivery mechanism wasn’t unique compared to previous attacks involving the malware. In this instance, the attack email used a fake payment receipt as a lure to trick recipients into opening a malformed RTF file/Microsoft Word document. These attachments contained a macro script or embedded OLE object designed to infect the user with the malware.
By analyzing this infection chain, My Online Security found that the RTF document contacted https://bit[dot]ly/2WRVGFr, a site which redirected to https://filesend[dot]ga/ton[dot]edee for downloading the threat. This effort revealed that the attack had registered 124 clicks since going live on 20 May 2019.
My Online Security then opened the network connections tab in the Anyrun online sandbox and inspected the SMTP port 587 entry for gator3285.hostgator.com. Doing so revealed that the sending and receiving email address for all data stolen by the HawkEye sample was firstname.lastname@example.org.
It is this discovery that grabbed the interest of My Online Security. As explained in its blog post:
This is where it becomes more interesting than usual because spytector.com is a website selling an “undetectable” keylogger and info stealer. I have no way of knowing if the email address is a compromised email address, which is very common for Hawkeye campaigns, which would be very poetic justice for a keylogger vendor. Or whether the sellers of Spytector are not doing very well and need an additional source of income so are using Hawkeye to steal more.
No user wants to fall victim to a keylogger campaign that sends their stolen data to another keylogger site. Acknowledging that fact, users should protect themselves by not enabling macros or editing in a Microsoft Office attachment for any reason. They should also familiarize themselves with some of the most common phishing attacks in circulation today.
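The SMTP exfiltration over port 587 described above is something defenders can hunt for in endpoint connection logs. The following is an added example, not code from My Online Security or the original post; the log format, the process name receipt_viewer.exe, the allowlists and every record are constructed for illustration, and only gator3285.hostgator.com and port 587 come from the article.

```python
import csv
from collections import Counter
from io import StringIO

# Ports used for SMTP delivery and submission; the sample on this page used 587.
SMTP_PORTS = {25, 465, 587}

# Assumptions for illustration: approved mail clients and the organisation's relay.
APPROVED_MAIL_PROCESSES = {"outlook.exe", "thunderbird.exe"}
APPROVED_RELAYS = {"smtp.corp.example"}

# Constructed endpoint connection records: time,host,process,dest_host,dest_port
SAMPLE_LOG = """\
2019-05-21T09:14:02Z,ws-014,outlook.exe,smtp.corp.example,587
2019-05-21T09:15:40Z,ws-014,receipt_viewer.exe,gator3285.hostgator.com,587
2019-05-21T09:16:10Z,ws-014,receipt_viewer.exe,gator3285.hostgator.com,587
2019-05-21T09:17:33Z,ws-022,chrome.exe,www.example.com,443
2019-05-21T09:18:01Z,ws-031,thunderbird.exe,mail.unknown-host.example,465
truncated,line
"""

def find_unexpected_smtp(log_text):
    """Return {(host, process, dest, port): count} for SMTP connections that
    do not come from an approved mail client talking to an approved relay."""
    hits = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed records instead of failing the whole run
        _, host, process, dest, port = (field.strip() for field in row)
        if not port.isdigit() or int(port) not in SMTP_PORTS:
            continue
        approved_client = process.lower() in APPROVED_MAIL_PROCESSES
        approved_relay = dest.lower() in APPROVED_RELAYS
        if approved_client and approved_relay:
            continue
        hits[(host, process, dest.lower(), int(port))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, proc, dest, port), n in sorted(find_unexpected_smtp(SAMPLE_LOG).items()):
        print(f"{host}: {proc} -> {dest}:{port} ({n} connections)")
```

An approved mail client talking to an unapproved relay is flagged as well, since a stealer can reuse or imitate a legitimate client's process name.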