New malware campaigns leveraging a new variant of the HawkEye data stealer have been observed by experts at Talos. has been under active development since at least 2013. The malicious code is under continuous enhancement, it is offered for sale on various hacking forums as a keylogger and stealer, it allows to monitor systems and exfiltrate information.
The latest variant appeared in the cybercrime underground in December 2018, it was named
The malicious code also comes with a Terms of Service agreement that provides some additional insight, for example, the author specifies that
Experts at Talos observed threat actors spreading the malware via malicious email campaigns starting with the second half of 2018 and continuing into 2019.
“For several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the
“The email campaigns that have been observed feature characteristics that are consistent with what is commonly seen with
The messages use weaponized Microsoft Excel, RTF and DOC documents to deliver the malware.
“The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office.” continues the analysis.
In some cases, experts observed threat actors using file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.
Many of the distribution servers hosting the HawkEye binaries also contain additional stealers, RATs, and other malware.
The keylogger also implements anti-analysis features and is able to disable certain anti-virus solutions.
“As mentioned above, in the comments
The malware attempts to gather as much possible information from infected systems, including machine name, username, privileges, country, IP, MAC address, BIOS, operating system, hardware data, installed browsers, antivirus, and firewalls.
The malware also steals passwords from several browsers, including FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The stolen data is sent to the attacker’s email address.
The malware is still using the MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords.
“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes. “HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts.”
(SecurityAffairs – malware, HawkEye)