Business Users Targeted by HawkEye Keylogger Malware

HawkEye keylogger campaigns observed in April and May 2019 focused on targeting business users, IBM X-Force security researchers say. 


Under active development since at least 2013, the HawkEye keylogger has been marketed on dark web forums for the past few years for its ability to steal and exfiltrate sensitive information from various applications. 


HawkEye Reborn v9, the latest variant of the malware, has been around for the past several months, being advertised as an "Advance Monitoring Solution." The malware was sold to a new owner in December 2018 and is available under a licensing model, with updates promised for specific periods of time. 


In addition to stealing sensitive information, HawkEye can download additional malware onto the infected machines, which allows its operators to take advantage of the created botnets for additional monetization. 


Campaigns observed in April 2019 were targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others, IBM reports


The keylogger is being distributed via malicious spam emails, now with a clear focus on business users, likely in an attempt to make higher profits, compared to attacking individual users. 


“Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm,” IBM notes. 


The malicious emails observed in these attacks pose as messages coming from a large bank in Spain (or fake emails from legitimate companies or from other banks), while the infection process leverages various executable files that use malicious PowerShell scripts. 


IBM noticed that, while the targeted users ..