New HawkEye Reborn Variant Emerges Following Ownership Change
(Apr 15, 2019)
Researchers from Cisco Talos have observed a new variant, “Reborn v9, Version 18.104.22.168,” of the keylogger and information-stealing malware, “HawkEye,” being distributed via phishing emails to various organisations. The emails are themed around invoice documents, bills, statements, order confirmations, or other corporate functions, and contain an attached Excel spreadsheet that contains a macro-enabled document. The malicious spreadsheet exploits registered vulnerability, “CVE-2017-11882,” that allows for arbitrary code execution in Microsoft Office and executes shellcode. Upon execution, the HawkEye keylogger is installed on the infected machine and steals information such as system information, passwords from common web browsers and Minecraft, clipboard content, and can take screenshots from the desktop and webcam.
Recommendation: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.