New HAWKBALL Backdoor Targets Government Sector in Central Asia (Jun 5, 2019)
A newly discovered backdoor called HAWKBALL was recently observed in a campaign targeting Russian-speaking government entities in Central Asia. According to FireEye researchers, upon successful infection, HAWKBALL offers the attackers a range of malicious capabilities, including creating, deleting, and uploading files, delivering additional payloads, and surveying the host to collect victim information. To deliver the backdoor, attackers send a malicious document claiming to be from an anti-terrorist organization. The file uses an OLE object “that uses Equation Editor to drop the embedded shellcode in %TEMP%” and exploits two Microsoft Office vulnerabilities, “CVE-2017-11882” and “CVE-2018-0802”, to infect a target machine. HAWKBALL communicates with a hard-coded C2 server over HTTP to exfiltrate the victim’s information, including computer name, IP address, OS version, and user name, and performs checks to determine whether it is being debugged.
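The delivery chain described above (Office document, OLE object, Equation Editor dropping shellcode into %TEMP%) is visible in endpoint telemetry. The following is an added detection example, not code from FireEye or Anomali: it runs two checks over constructed, simplified process-creation and file-write events, flagging Equation Editor (Microsoft's EQNEDT32.EXE) launched by an Office application, and Equation Editor writing an executable into a user's Temp directory. The event shape and file paths are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry in a simplified Sysmon-like shape (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "file", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign activity: Word launched from Explorer and writing its own temp file.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "path": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"  # Microsoft Equation Editor binary abused by CVE-2017-11882 / CVE-2018-0802
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
DROPPED_EXT = (".exe", ".dll", ".scr")


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, object) alerts for Equation Editor abuse patterns."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process" and image == EQUATION_EDITOR \
                and basename(ev["parent"]) in OFFICE_APPS:
            # Office should not normally need to spawn the legacy Equation Editor.
            alerts.append(("office_spawned_equation_editor", ev["parent"], ev["image"]))
        elif ev["type"] == "file" and image == EQUATION_EDITOR \
                and TEMP_DIR_RE.search(ev["path"]) and ev["path"].lower().endswith(DROPPED_EXT):
            # Equation Editor has no business writing executables into %TEMP%.
            alerts.append(("equation_editor_dropped_exe_in_temp", ev["image"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the two Equation Editor events fire; Word writing its own .tmp file under Temp is left alone.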
Recommendation: Files that request that content be enabled in order to view the document properly are often a sign of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment before it is opened. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be reported to the appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.