Malware attacks leveraging a new variant of the
The latest variant appeared in the cybercrime underground in December 2018, it was named HawkEyeReborn v9. The author is selling it through a licensing model and is also offering access to updates for specific periods of time.
“IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world.” reads the analysis published by Cisco Talos. “In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an adva
In April 2019, threat actors launched numerous campaigns aimed at targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others.
Attackers delivered the keylogger through malspam campaigns focused on business users. The messages pose as messages sent from a large bank in Spain or fake emails from legitimate companies or from other financial institution.
“X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts.” continues the post.
Experts noticed that the malspam campaign is originated from Estonia, the malware while experts observed infections worldwide.
“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets.” concludes Cisco. “It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns,” IBM concluded.