Hawkeye Keylogger via Fake Receipt. Stolen Data Sent to Another Keylogger Site (May 20, 2019)
Security researchers have noticed a decline in malspam campaigns over the past six weeks; however, one low-volume campaign delivering the "Hawkeye" keylogger has been observed. The actors behind this campaign are distributing a version of Hawkeye that differs from previous versions in where the stolen data is sent and in the email used to distribute it. The malspam emails claim that the recipient has made a payment and that the receipt is attached; opening the attachment prompts the recipient to enable macros, and the Hawkeye infection process begins once macros are enabled. Interestingly, the actors left the email address that receives the stolen information (chit@spytector[.]com) legible in plain text.
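Two observable features of this campaign are the macro-enabled "receipt" attachment and the plaintext exfiltration address. The following added example (not from the original report) shows how a mail-gateway check could flag both: it inspects OOXML attachments for an embedded VBA project and checks recipients against the exfiltration mailbox. The sample receipt mail is constructed inline and its attachment carries only a placeholder `vbaProject.bin` part, not real macro code.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Exfiltration address from the report (defanged in the text as chit@spytector[.]com).
EXFIL_ADDRESS = "chit@spytector.com"
# OOXML zip parts whose presence indicates an embedded VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def attachment_has_macros(data: bytes) -> bool:
    """Return True if an OOXML (.docm/.xlsm/.pptm) attachment contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc/.xls or non-Office payloads need a different parser
    return any(part in names for part in MACRO_PARTS)


def assess_message(raw: bytes) -> dict:
    """Flag macro-bearing attachments and any recipient matching the known exfil mailbox."""
    msg = email.message_from_bytes(raw)
    recipients = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    findings = {"macro_attachments": [], "exfil_recipient": False}
    findings["exfil_recipient"] = any(EXFIL_ADDRESS in r.lower() for r in recipients)
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_has_macros(part.get_payload(decode=True) or b""):
            findings["macro_attachments"].append(name)
    return findings


def build_sample_receipt() -> bytes:
    """Constructed sample: a 'payment receipt' mail carrying a minimal macro-enabled .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder part, not a real VBA project
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Payment receipt"
    msg.set_content("Thank you for your payment. Your receipt is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="receipt.docm")
    return msg.as_bytes()
```

Running `assess_message` over outbound mail as well as inbound mail catches the second half of the chain, since the stolen data leaves by email to the same fixed address.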
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, maintain policies regarding what kinds of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided by trusted vendors should also be employed.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.