At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets<\/p>\n
Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning<\/a> models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP<\/a>).<\/p>\n Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M\/Donoff<\/a>, Trojan:Win32\/Tiggre!rfn<\/a>, Trojan:Win32\/Bluteal!rfn<\/a>, VirTool:MSIL\/NetInject.A<\/a>) ensured these threats are blocked in customer environments.<\/p>\n Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign<\/em><\/p>\n As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph<\/a>, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365.<\/p>\n Figure 3. Microsoft 365 threat protection against Hawkeye<\/em><\/p>\n Despite its name, Hawkeye Keylogger – Reborn v8<\/em> is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more.<\/p>\n Malware services like Hawkeye are advertised and sold in the deep web, which requires anonymity networks like Tor to access, etc. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (that has since been taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve.<\/p>\n Typical of malware campaigns, the cybercriminals undertook the following steps:<\/p>\n Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack.<\/p>\n Figure 4: Hawkeye\u2019s admin panel<\/em><\/p>\n Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns:<\/p>\n In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO 5647 deadline 7th May<\/em> carrying a Word document attachment named Scan Copy 001.doc<\/em>. While the attachment\u2019s file name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a .docx file name extension.<\/p>\n In total, the campaign used four different subject lines and five attachments.<\/p>\n Figure 5: Sample emails used in the Hawkeye campaign<\/em><\/p>\n Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to \u201cEnable editing\u201d and \u201cEnable content\u201d.<\/p>\n Figure 6: The malicious document with social engineering lure<\/em><\/p>\n The document contains an embedded frame that connects to a remote location using a shortened URL.<\/p>\n Figure 7: frame in settings.rels.xml on the document<\/em><\/p>\n The frame loads an .rtf file from hxxp:\/\/bit[.]ly\/Loadingwaitplez<\/em>, which redirects to hxxp:\/\/stevemike-fireforce[.]info\/work\/doc\/10.doc<\/em>.<\/p>\n Figure 8: RTF loaded as a frame inside malicious document<\/em><\/p>\n The RTF has an embedded malicious .xlsx file with macro as an OLE object, which in turn contains a stream named PACKAGE that contains the .xlsx contents.<\/p>\n The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.<\/p>\n Figure 9: Obfuscated macro entry point<\/em><\/p>\n De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient<\/em> object to download the malware to the path C:\\Users\\Public\\svchost32.exe<\/em> and execute it.<\/p>\n The macro script then terminates both winword.exe<\/em> and excel.exe<\/em>. In specific scenarios where Microsoft Word overrides default settings and is running with administrator privileges, the macro can delete Windows Defender AV\u2019s malware definitions. It then changes the registry to disable Microsoft Office\u2019s security warnings and safety features.<\/p>\n In summary, the campaign\u2019s delivery comprises of multiple layers of components that aim to evade detection and possibly complicate analysis by researchers.<\/p>\n The downloaded payload, svchost32.exe<\/em>, is a .NET assembly named Millionare<\/em> that is obfuscated using a custom version of ConfuserEx<\/em>, a well-known open-source .NET obfuscator.<\/p>\n The obfuscation modifies the .NET assembly\u2019s metadata such that all the class and variable names are non-meaningful and scrambled names in Unicode. This obfuscation causes some analysis tools like .NET Reflector<\/em> to show some namespaces or classes names as blank, or in some cases, display parts of the code backwards.<\/p>\n Figure 12: .NET Reflector presenting the code backwards due to obfuscation<\/em><\/p>\n Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE).<\/p>\n Figure 13: Loading the unpacked .NET assembly during run-time<\/em><\/p>\n The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing<\/a>, a code injection technique that involves spawning a new instance of a legitimate process and then \u201chollowing it out\u201d, i.e., replacing the legitimate code with malware.<\/p>\n Figure 14: In-memory unpacking of the malware using process hollowing.<\/em><\/p>\n Unlike previous Hawkeye variants (v7), which loaded the main payload into its own process, the new Hawkeye malware injects its code into MSBuild.exe<\/em>, RegAsm.exe<\/em>, and VBC.exe<\/em>, which are signed executables that ship with .NET framework. This is an attempt to masquerade as a legitimate process.<\/p>\n Figure 15: Obfuscated calls using .NET reflection to perform process hollowing injection routine that injects the malware\u2019s main payload into RegAsm.exe<\/em><\/p>\n Additionally, in the previous version, the process hollowing routine was written in C. In the new version, this routine is completely rewritten as a managed .NET that calls the native Windows API.<\/p>\n Figure 16: Process hollowing routine implemented in .NET using native API function calls<\/em><\/p>\n The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis.<\/p>\n The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability.<\/p>\n It has specific modules for extracting and stealing credentials from the following applications:<\/p>\n Like many other malware campaigns, it uses the legitimate BrowserPassView<\/em> and MailPassView<\/em> tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists.<\/p>\n Notably, the malware has a mechanism to visit certain URLs for click-based monetization.<\/p>\n On top of the processes hollowing technique, this malware uses other methods for stealth, including alternate data streams that remove mark of the web (MOTW) from the malware\u2019s downloaded files.<\/p>\n This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes. Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file.<\/p>\n This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches \u201cProcessHacker\u201d, \u201cProcess Explorer\u201d, or \u201cTaskmgr\u201d.<\/p>\n Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files.<\/p>\n Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools:<\/p>\n Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making malware more durable with advanced techniques like in-memory unpacking and abuse of .NET\u2019s CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8<\/em>, highlighting some of the enhancements from the previous version. Given its history, Hawkeye is likely to release a new version in the future.<\/p>\n Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeye\u2019s complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks.<\/p>\n More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.<\/p>\n Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats.<\/p>\n Office 365 Advanced Threat Protection (Office 365 ATP<\/a>) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning<\/a> to inspect attachments and links for malicious content in real-time, ensuring that emails that carry Hawkeye and other threats don\u2019t reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans<\/a><\/strong>.<\/p>\n Windows Defender Antivirus (Windows Defender AV<\/a>) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AV\u2019s next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode<\/a>.<\/p>\n Additionally, endpoint detection and response (EDR)<\/a> capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP<\/a>) expose sophisticated and evasive malicious behavior, such as those used by Hawkeye. Sign up for free Windows Defender ATP trial<\/a>.<\/strong><\/p>\n Windows Defender ATP\u2019s rich detection libraries are powered by machine learning and allows security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses a malicious PowerShell to download the payload:<\/p>\n Figure 16: Windows Defender ATP alert for Hawkeye\u2019s malicious PowerShell component<\/em><\/p>\n Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:<\/p>\n Figure 17: Windows Defender ATP alert for Hawkeye\u2019s payload<\/em><\/p>\n These security technologies are part of the advanced threat protection solutions in Microsoft 365<\/a>. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365.<\/p>\n <\/p>\n <\/p>\n Office 365 ATP Research<\/strong><\/em><\/p>\n <\/p>\n <\/p>\n Files (SHA-256)<\/p>\n *Updated 07\/12\/18 (Removed statement that Hawkeye Keylogger is also known as iSpy Keylogger<\/p>\n <\/p>\n <\/p>\n Questions, concerns, or insights on this story? Join discussions at the Microsoft community<\/a> and Windows Defender Security Intelligence<\/a>.<\/p>\n Follow us on Twitter @WDSecurity<\/a> and Facebook Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Hawkeye Keylogger is an info-stealing malware that\u2019s being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques.<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3727],"tags":[3896],"coauthors":[3380],"class_list":["post-84097","post","type-post","status-publish","format-standard","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-attacker-techniques-tools-and-infrastructure","tag-credential-theft"],"yoast_head":"\n![\"Top](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig1-hawkeye-industries.png\")
Figure 1. Top industries targeted by the April 2018 Hawkeye campaign<\/em><\/p>\n![\"Top](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig2-hawkeye-countries.png\")
<\/p>\n![\"Microsoft](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig3-end-to-end-protection-microsoft-365.png\")
<\/p>\nCampaign overview<\/h2>\n
![\"Hawkeye](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig-callout-hawkeye.png\")
Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign.<\/p>\n\n
![\"Hawkeye\u2019s](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig4-hawkeye-admin-panel.png\")
<\/p>\n\n
Point of entry<\/h2>\n
![\"\"](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig5a-email-sample-1.png\")
\u00a0![\"Sample](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig5b-email-sample-2.png\")
<\/p>\n![\"The](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig6-malicious-document.png\")
<\/p>\n![\"Frame](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig7-frame.png\")
<\/p>\n![\"RTF](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig8-rtf.png\")
<\/p>\n![\"Obfuscated](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig9-obfuscated-macro.png\")
<\/p>\n![\"The](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig10-delivery-mechanism.png\")
Figure 10: The campaign\u2019s delivery stages<\/em><\/p>\n![\"Obfuscated](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig11-obfuscated-net.png\")
Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names<\/em><\/p>\n![\".NET](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig12.png\")
<\/p>\n![\"Loading](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig13-unpacked-net.png\")
<\/p>\nMalware loader<\/h2>\n
![\"In-memory](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/07\/fig14-in-memory-unpacking.png\")
<\/p>\n![\"Obfuscated](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig15-obfuscated-calls.png\")
<\/p>\n![\"Process](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig16-process-hollowing.png\")
<\/p>\nMalware functionalities<\/h2>\n
Information theft<\/h3>\n
\n
Stealth and anti-analysis<\/h3>\n
\nIt prevents antivirus software from running using an interesting technique. It adds keys to the registry location HKLM\\Software\\Windows NT\\Current Version\\Image File Execution Options<\/em> and sets the Debugger<\/em> value for certain processes to rundll32.exe<\/em>, which prevents execution. It targets the following processes related to antivirus and other security software:<\/p>\n\n
\n
Defending mailboxes, endpoints, and networks against persistent malware campaigns<\/h2>\n
![\"Windows](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig16-wdatp-powershell.png\")
<\/p>\n![\"Windows](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/07\/fig17-wdapt-suspicious-file.png\")
<\/p>\nIndicators of Compromise (Ioc)<\/h2>\n
Email subject lines<\/h3>\n
\n
Attachment file names<\/h3>\n
\n
Domains<\/h3>\n
\n
Shortened redirector links<\/h3>\n
\n
\n
\nTalk to us<\/strong><\/h4>\n