We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware, also known as Predator Pain, steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials stored by browsers and mail clients. The stealer is capable of taking screenshots and can act as a keylogger. The malware has been distributed since 2013, it is available as a service on the dark web, and its authors involve their customers in reselling the malware. Thanks to this activity, new HawkEye infostealer samples are uploaded to any.run almost every day. It is usually used at the beginning of an attack to collect information and credentials before other tools are installed, especially since a downloader function was found in recently discovered samples.
The rule by Emir Erdogan detects HawkEye variants that are distributed via COVID-19 themed phishing emails targeting multiple organizations in the healthcare sector. The threat actor behind this campaign cannot be determined, but security researchers at Anomali believe they show a moderate level of sophistication.
The rule has translations for the following platforms:
SIEM: ArcSight, QRadar, Splunk, Graylog, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Carbon Black
Tactics: Execution, Persistence, Privilege Escalation, Defense Evasion
Techniques: Process Injection (T1055), Scheduled Task (T1053), Software Packing (T1045)
We also want to draw your attention to the updated community rule by Joseph Kamau, another participant in the Threat Bounty Program, that detects this malware family: https://tdm.socprime.com/tdm/info/UfASCTRThrpD/ucL5um0BEiSx7l0HUYUP/
More related rules:
Hawkeye keylogger detector by Lee Archinal – https://tdm.socprime.com/tdm/info/vQ4U4oKDynbo/ss22ImsBohFCZEpaTLaW/
HawkEye malware – Coronavirus scam (Sysmon detection) by Ariel Millahuel – https://tdm.socprime.com/tdm/info/VuI07TPn1F2J/AbHIBnEBqweaiPYISiu3/
Hawkeye Strain from Purchase List PDF (Sysmon Behavior)(19-March-2020) by Lee Archinal – https://tdm.socprime.com/tdm/info/G8ZfXLdGYn0Q/i7FZ93ABqweaiPYIJiTQ/