FireSale HackBoy

Knowledge Shared By FireSale HackBoy...

Hacking

The Art Of Exploitation...

Ethical Hacking

Security Experts...Same Techniques To Make Hacker's Stuff Useless.

Black Hat Hacking

Dark Side Of Hacking... In Short Destruction Of Cyber Stuff.

Digital Stuff

All The Digital Stuff Is Under The Influence Of Cyber Attacks... Be Safe

Saturday, November 30, 2024

Risk resilience: Navigating the risks that board’s can’t ignore in 2025

2025 promises to be a pivotal year for corporate leaders. Technological advancements, geopolitical shifts, and heightened risks demand unprecedented vigilance and agility. Here’s the real question – how prepared is your board to confront these challenges and turn them into opportunities?

The risks of tomorrow are already taking shape. Generative AI has rapidly emerged as a transformative force, offering unprecedented opportunities for innovation and efficiency – but its ethical and nefarious uses remain top of mind. Cybersecurity remains a perennial concern, with an ever-evolving threat landscape that requires constant vigilance.

Going further, the geopolitical landscape continues to impact global trade and business operations, particularly with increasing tensions between major world powers. Lastly, financial fraud, ethics, and compliance issues underscores the importance of robust governance structures, as demonstrated by widely publicised instances of fraud, like the Wirecard scandal.

Success hinges on proactive governance. As such, here are my predictions on these four risks, along with actionable insights that leaders and boards should consider in 2025.

1.Generative AI as a double-edged sword

Generative AI is revolutionising industries with speed and precision, but it’s also raising complex ethical and operational risks. Diligent’s recent survey reveals that 48% of organisations expect AI to automate decisions, but flawed or incomplete data could undermine outcomes and trust. This is why fostering AI risk resilience through responsible governance is crucial.

Boards must establish robust AI governance frameworks aligned with regulations like the EU AI Act and expected UK legislation. Beyond compliance, regular reviews of AI’s impact on operations, employees, and customers are essential to address unintended consequences early.

Ultimately, boards that deeply engage with generative AI will be the ones to unlock its full potential while mitigating risks.

2.Cybersecurity will be the greatest risk for businesses

With 75% of UK businesses having experienced a cybersecurity incident in the last year, cybersecurity isn’t just an IT concern – it’s a business priority. Our research found that companies with advanced cybersecurity performance deliver 372% higher shareholder return, underscoring its impact on value creation.

In 2025, businesses are expected to face a perfect storm of cyber risks – evolving threats, increasing regulatory pressure, and talent shortages. One overlooked culprit is technology debt. This occurs when an IT team prioritises speed over long-term design and must make changes to the system later. This hidden enemy often leaves businesses ill-equipped to recover from attacks.

To ensure cyber risk resilience, leadership must treat it as a core business priority. This means putting in place a robust cyber governance program including regular risk assessments and vulnerability management, ensuring employees, management and leadership are trained on the latest developments in cybersecurity. They should also employ continuous monitoring and incident response capabilities, and ensure methods are in place for frequent and transparent communication between the CISO and board.

With new regulations like NIS2 and DORA taking effect, cybersecurity will remain a top priority. Boards that align cyber strategies with business objectives will lead the way.

3.Navigating geopolitical uncertainty: From supply chains to sanctions

The geopolitical landscape is more turbulent than ever. Companies will need to prepare for potential shocks like regional conflicts, supply chain disruptions, or even another pandemic.

If geopolitical risks feel dizzyingly complex, scenario planning will be a powerful tool in mapping out different political and economic scenarios. By envisioning various outcomes, boards can better understand their vulnerabilities, prepare tailored responses and enhance risk resilience.

To prepare for the year ahead, board and management teams should ask questions such as: How exposed are we to geopolitical risks in our supply chain? Are we engaging effectively with local governments in key regions? What contingencies are in place for workforce challenges, particularly in the UK?

Staying informed and adaptable enables boards to turn geopolitical risks into opportunities for growth and resilience.

4.Financial fraud and ethics: Lessons from Wirecard and beyond

The Wirecard scandal revealed how even seemingly successful companies can collapse under the weight of poor governance. In 2025, financial fraud will remain a pressing concern, underscoring the need for robust compliance structures and a culture of transparency to foster financial risk resilience.

Whistleblower empowerment is crucial. Encouraging employees to speak up without fear of retaliation can prevent misconduct and safeguard both reputation and shareholder trust.

As such, now and in 2025, board members will need to get familiar with the operational heartbeat of the business. There should also be a direct, consistent line of communication from the Chief Compliance Officer (CCO) or General Counsel (GC) to the board. Technology will be critical to streamline communication and identify red flags in real-time.

Good governance requires more than processes; it demands a culture of integrity from the top down. Boards that lead by example can inspire lasting change.

Looking at 2025 and beyond: strengthening risk resilience

The risks of 2025 are formidable, but so are the opportunities for those who lead with purpose. With informed leadership and collaboration, we can navigate the complexities of the modern business environment with confidence and resilience.

Resilience will be the defining trait of successful boards and businesses in the years ahead. It requires not only addressing known risks but also preparing for the unexpected.

By prioritising scenario planning, fostering a culture of transparency, and aligning risk management with strategic goals, boards can navigate uncertainty with confidence.

 

The post Risk resilience: Navigating the risks that board’s can’t ignore in 2025 appeared first on Cybersecurity Insiders.


November 30, 2024 at 12:17PM

Friday, November 29, 2024

COOs Will Make Impact-Based Security a Mainstream Requirement

Cyber risk management accounts for the probability of attacks on operational technology (OT) at large industrial facilities, including all the components that control equipment, automation, safety, network communications, their infrastructure, and more. However, a gap often exists between the CISO and OT manager at these facilities in terms of who is responsible for overseeing OT security for certain systems and devices.

Some vulnerabilities may allow exploits hidden in equipment to install malware that later compromises related systems and devices. Other threats involve manipulating controls to damage hardware, interfering with values to mislead operators, or shutting down machines to cause business interruption.

Cyber incidents have caused increasing financial damages, even for the most prepared organizations. Based on these escalating threats, we should expect risk-based OT security to become more mainstream over the coming year, especially for Chief Operating Officers.

The COO will become increasingly involved in OT cyber decision-making to help bridge the gray area between CISOs and on-site facility managers. After all, the COO is responsible for achieving maximum operational production from all facilities, effectively serving as the general manager responsible for profit and loss (P&L). 

The COO controls the facilities by determining how much gets spent on operations, maintenance, and reliability. The COO also fills a key decision-making role when it comes to migration and upgrades of end-of-life OT system infrastructure.

In mature organizations, the COO might transfer cyber responsibility to the CISO or CIO, but in many companies the Engineering/Controls/OT people report up into the Operations org chart, isolated from IT and the CIO and CISO. If the COO perceives that OT cyber risk is not a problem, they may defer upgrading legacy systems and thereby actually increase their cyber risk. By continuing to focus on the CISO and OT site manager, we are overlooking the centerpiece of the org chart that represents the facility itself – the COO. 

We should also not overlook the role of physical security in cybersecurity, as these two disciplines have long remained separate. Experts on either side regularly exclude the other risk, such as when cybersecurity assessments exclude physical security risk, and vice versa. Improved physical security can help reduce many cyber risks, just as better cybersecurity can help protect physical access control systems. The assessment of these two related risks will become more interwoven, with the risk of physical access being reclassified as a cyber-attack vector.

COOs will also recognize that cyber insurance providers are increasingly pressuring enterprises to maintain better cyber risk hygiene, contributing to an overall improved risk-based cybersecurity agenda. Over the past five years, cyber insurers have reminded enterprises that basic cybersecurity measures are now mandatory for policy coverage, including network backups, multi-factor authentication, employee training, and strong password management policies. This trend will become even more pronounced as successful cyberattacks strike more industrial sites in the manufacturing, energy, utilities, and datacenter sectors. 

Impact-based risk assessments, that estimate the potential financial losses to the business due to a cyber event, will better resonate with the COO decision maker. Cybersecurity described in financial terms, the potential to disrupt operations and how much, can be used to help justify cybersecurity mitigations from COO-controlled budgets. If the cybersecurity mitigation can be presented with its operational loss reduction ROI, it is much better aligned with the financial metrics that the COO is rewarded for, versus traditional high/medium/low cyber risk rankings.

Another step forward will involve the growing combination of digital twins with AI to revolutionize how leaders tackle industrial cyber risk. Building a digital twin can give enterprises a substantial advantage over cybercriminals by running extensive what-if scenarios at scale. By mirroring their complex industrial environments in a digital format, enterprises can greatly improve the efficiency of their cyber risk and cybersecurity programs while achieving significant savings. 

Despite these gains, cyber risks will continue to pose a significant problem for OT facilities, from employees who require re-training on how to recognize AI-enhanced phishing emails to partners who lack basic cybersecurity programs. These risks can also involve contractors who are improperly onboarded and offboarded, or acquired companies/facilities that never implemented basic cyber hygiene practices such as password management policies and network segmentation.

We know that cyber risk management for OT facilities requires some way to estimate the severity of all these types of incidents and then set financial priorities accordingly. In this way, businesses can model the potential damages that a successful attack would inflict, this is called impact-based risk assessment. A rigorous cyber risk management approach needs to recognize an organization’s state of cybersecurity at any point in time, but it also must calculate how much the business is targeted based on its industry, key providers, products deployed, convergence, IT-OT integration, vulnerabilities, and many other parameters.

Impact-based risk assessments have become critical for enhancing cybersecurity assessments by adding all that contextual information into the evaluation. In this way, organizations can proactively manage their cyber risk portfolios to prioritize risk mitigation projects and make clearly informed cybersecurity investment decisions.

 

The post COOs Will Make Impact-Based Security a Mainstream Requirement appeared first on Cybersecurity Insiders.


November 29, 2024 at 03:16PM

Thursday, November 28, 2024

HawkEye Malware: Technical Analysis

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

History of HawkEye

HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. After several spearphishing campaigns in which this well-known malware was attached, it gained significant popularity starting in 2013.

This keylogger has been available on various dark web sites, even having dedicated websites where the tool was sold. However, this keylogger has been cracked for years and used by different actors without going through the subscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of use.

Although it is not one of the most widely used malwares, it remains in active use and saw a significant resurgence during the COVID period. During this time, certain actors took advantage of the general hysteria to obtain company data through phishing campaigns.

Additionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, some of which include Galleon Gold, Mikroceen, iSPY crypter related with Gold Skyline, Remcos used on campaigns with HawkEye, Pony used on campaigns with HawkEye, etc.

Analysis in the ANY.RUN Sandbox

To conduct a quick analysis of HawkEye to extract critical data fast, we can use ANY.RUN’s Interactive Sandbox. The service lets us easily upload and detonate a sample in a safe virtual environment and engage with it and the system just like on a standard computer.

 

Analysis of a HawkEye sample in the ANY.RUN sandbox

Consider this analysis session, After executing the malware, the sandbox instantly identifies it as HawkEye and starts tracking its system and network activities. It also lists all the malicious actions performed by the threat and automatically maps them to MITRE ATT&CK TTPs.

 

HawkEye config extracted by the ANY.RUN Sandbox

It also generates a comprehensive report, lists indicators of compromise (IOCs), and extracts the sample’s config information.

To start using ANY.RUN, request a 14-day free trial and access all features. You can also take advantage of a Black Friday offer to buy a license and receive another for free.

Technical Analysis

HawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:

Overview Graph

HawkEye graph

During the analysis process, I typically spend weeks, even months, collecting samples to understand how they function as a whole based on the existing variants. Therefore, we may observe variations among those presented. In most executions, we encounter enormous trees of processes based on their activities. To simplify, as you’ve seen in the previous graph, it’s not as complex compared to other stealers or RATs. It generally consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related software. Later, in memory, it gathers all possible data and sends it to a C&C.

ProcDOT detonation chart

Going straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process—a succession of execution copies launched in temporary paths.

囗 e | 。 「 e 「 e 15 , 32g K IS 旧 32K 24s2 囗 e | 。 e 26 , 456K 2 072K 2724 lgfpeßaxa 12 , S K 15 , 168K 2536 NVIDIA user apenence Dri 囗 se 「 「 exe 13 , 744 K 15 , 480 K 1700 asqlse 「 捣「 axe 26 , 46g K 29.004 K 2336

Process Tree execution (Image 1)

gfpeß axe sq I server exe qlsenjerexe Command Ljna: 14.976 K 28.472 K 16.920K 23.184K Vpp Data LocaI Temp Syst em sqlservar axe Data M_ocal Tamp Systam sqlservar exe

Process Tree execution (Image 2)

In this instance, they used the RoamingTemplates path, but this is highly variable depending on who created it. Generally speaking, they tend to abuse paths like AppDataRoaming and AppDataTemp, which are classic choices.

2X2 」 2 」 04 鬲 2 dwel 裟 op 長 、 ン ′ 工 0 巴 」 O 透 言 L 当 E20 ′ 2 ロ 2X2 」 2 」 0 鬲 2 五 Lue ト 鬲 ′ ′ 工 0 巴 」 型 言 u - E20 ′ 2 ロ dd ′ 2X2 」 2 」 0 - 叫 ′ 五 Lue ト 鬲 裟 ヴ ェ 0 巴 」 型 言 u 一 E20 ′ 2 ロ は d ′ 2X2 」 2 」 0 ( 叫 ′ 五 Lue ト 鬲 裟 ヴ ェ 0 巴 」 型 言 u 一 E20 ′ 2 ロ は d ′ 巴 2 的 コ ′ い 2 2 鬻 80 」 d 09 巴 2 的 コ ′ い 巴 2 的 コ ′ い 巴 2 的 コ ′ い 2 曰 - pe 当 66 2 曰 - pe 当 09 2 曰 - pe 当 09 2X2 」 2 」 0 - 2 ロ 2X2 」 2 」 0 - 2 ロ 2X2 」 2 」 。 - 2 ロ ェ ロ ェ ロ ェ ロ

Paths commonly abused (Image 1)

Зехр]огег ехе igfpewexe igfpewexe 2492 2536 2536 С [ JseB 03t в Тетр Syst ет vigfpeB ехе Ster1 Theed

 Paths commonly abused (Image 2)

C exe magen exe magart exe 1412 Z Process Creata 748 Process Start 748 Thread Create

Paths commonly abused (Image 3)

Here’s the list of paths observed for dropping files:

  • C:Users<user>AppDataLocalTemp
  • C:Users<user>AppDataRoaming
  • C:Users<user>AppDataRoamingMicrosoftWindowsTemplates
  • C:Users<user>AppDataLocalTempSystem
  • C:Users<user>Music

All of these files that are launched, and which we’ve observed executing in the previous step, are copies of themselves. The filenames are also highly variable, as you might expect, but they often try to have an icon that makes the victim think it’s a legitimate program, or the malware description might be altered to make it seem like legitimate software. 

Ultimately, after comparing the dropped files, we can see they are simple copies of the original, with the particularity that some versions launch them in hidden mode, so you can’t see them unless you’ve enabled the “View hidden files” function in Windows.

Duplicate files with hidden flags z explorer exe z explorer exe exe i%oersexe 1160 2492 Process Stan 2492 Create 1160 Load Hage I I Load 2492 Load image 2492 Process Create 2536 2536 Thread Create Dda arnngMicrosIflWr-dows O aming IMicrosc± "Terr-dates "exp I c•-er exe C -User C: I Jserz ON a LocSÄ, Tern p '-Sy<em pers exe c:wse .ihkye.exe : .iexplorer.exe sqlserver.exe Properties Computer Local Disk users Include in library Share with • a explorer.exe Computer Local Disk (CO Users Include in library • Share with • igfpers.exe sqlsetver.exe New f r New f older AppData Roaming Date modfied AppData Local Date modified Microsoft Application T emp System Type Application Application Windows Templates 151 KB 36 KB 151 KB Desktopihkye.exe : ppDataiRoamingWicroso identical .gfpers .exe P roperties Secuty exe (.exe) Type of fie: Description ' Inc*ion: Size on "c : ktrbutes: Secuty Detais Previous sqlserver exe &plicün (.exe) sqlserver exe CA Uses a ern 151 KB 152 KB (155.648 bytes) Previous Type of file: Desc@tion: Loc*ion Size: Size disk: Attributes @RexorVcZ NVIDIA user Chver Component Däa Local Tenp 36.0 KB 36.0 KB @ Read-onb• Hidden @Read-onb' Hidden

Hidden files duplication graph

During these file droppings, we can encounter both replicas of the original file in different paths, as well as support files whose functionality is typically to establish persistence (or check if it’s already done, and if not, do it) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is responsible for these actions. 

Computer Local Disk (C:) Users AppData Local Temp System Include in library Name Share with New folder Date modified igfpers.exe sqlserver.exe Type Application Application Size 36 KB 151 KB

Injector written in temporary folder

I check to see if there is any shared information between the two binaries and notice that certain parts of the code match the original. This will become relevant later, as right now we’re seeing them separately, but everything will make sense afterward.

Comparison of the injector and the Hawkeye bin

After this step, we can see how persistence is established. PredatorPain isn’t just a malware that establishes persistence once—it’s been observed to check and establish persistence up to three different times, depending on the phases (Loader > Injector > Payload). 

This makes it clear that the malware is determined to persist on the system, one way or another. At this stage, to avoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier. This practice isn’t as common and adds a level of sophistication not found in other samples.

public string e(string —int e. Length; e 255; num2 = Persistence hkey e) array chart) array = e.ToCharArray(); while (--num e) (char) ( array [num) return string. Intern (new string(array)); registryKey Identity Name SubKeyCcunt ValueCcunt checkMode keyName rerncteKey _identity Static members e . a Cnum2) e)); 11) [21 [3] [5] [71 [8] OxEA8F true); Type REG_SZ array [1] [2] [3] [4] [5] [7] [8] pubLIC static void ResistryKey registryKey if (resistryKey null) return; resistryKey . Close ( ) ; Resi stry. CurrentUser. char[Ox00000009] ox0073 's' ox006C 'l' 0*0073 Software CurrentVersion Run} Btringto—l] -NVIDIA User Experience Driver Component- {H KEV_C URREN T_tJSERlSoftwa tv ersion IRun ) rrentVersionRu n" Default Microsoft.Wi n32. SafeHa ndIe-s.SafeReg istryHa n d I e rrentVersionRu n" false Name valueNames (01 str array Opera bon; Result: Durabon; Type; Length: RegSe tVaIue HKCU Software Run WVIDIA user Experience Driver Component o, 0000233 NVIDIA user Experience Driver Component C p oca gfpers. exe c. •Xuses REG _SZ C: users @ NVIDIA user DnverCompone-t NVIDIA @RexorVcz exe KAppDa ta uocal ITempS ystem exe

Hawkeye persistence in registers

Not only does it create persistence in the registry, but we also find samples that establish persistence in tasks using commands like the following:

schtasks.exe /Create /TN “<Path><TaskName>” /XML “<File>”

After observing its behavior in the early stages, we delve deeper into the entire execution thread throughout the analysis phase with debugging. I’ve followed several samples, and they’re mostly similar—samples in .NET, sometimes obfuscated with tools like Confuser, Eaz, Reactor, or similar, which are relatively easy to deobfuscate.

public string u2FW, int num = u2Føø.Length; int num2 = u2Føø & 255; int u2Føø) chart) array = while (--num e) array C num) (char) —return // Token: axa4øøøøaA RID: la public static readonly Xu2Fß3. Xu2Føa Xu2Føø; // Token: axuøøøøaa RID: 11 private byte[] Xu2FßI; ((int)this. u2FøICnum2) u2Føø));

Hawkeye code obfuscated

In most samples, I noticed heavy interaction with resources, which will become crucial shortly since I observed a significant amount of data in these resources across most of the samples I found.

FindResource SizeofResource LoadResource IfirtualAllocEx

 Resources data content (Image 1)

ss 2€ ]соп ]соп Grou2 0000EFBz 0000EF>z 0000EFzz 0000EFEZ 0000Fooz 0000F02z 0000F04z 0000F0Ez 0000Fnz 0000Fozz 0000F0Ez 0000F10z 0000F12z 0000F14z од 24 21 42 91 Ез 23 92 64 67 24 43 22 92 64 67 25 53 Ез 22 зв 70 67 Ез вв 70 52 Ез 32 вв 70 Ез sc 32 вв 70 2€ 67 72 во вв 70 29 ss 67 35 33 вв 41 во дз 67 36 34 42 51 47 67 €2 34 42 52 70 24 29 зс 25 2€ yR@rZ ) з глллллллллллт 34 94 24 вв 23 27 вв 47 29 вв 21 52 33 вв 44 21 вз вв 53 20 вв 07 41 23 40 вв 24 дз вв 25 04 вв св 43 72 вв ЕЕ вв 42 29 вв 28 76 ЕВ сз Ез BVZSERIYUJGF+_) • ссссдддд±еее 3444тттт cddppppp ееееееееееее fggg XXXXL

Resources data content (Image 2)

In the malware’s initial phases, it looks for the running process (which will be the previously prepared copy), where it will check the PID to access the resources. Within these resources, we see two distinct types of code: the initial part, which acts as a key, and the data chunk, which is what will be deobfuscated. To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.

Load from rsrc - OUL; 1 _ fal - Classl _fa2 - 1 _fa3 - Classl _fa: - 1 _fa5 - 1 _ fas - _ G7 if Limit - int nw; stuk&rk, -1 Ill fir: QRexorVcz

Graph of binary load from resources

It can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource as we do from obfuscated code in memory, like the example shown below.

O O O O O O O O O O m O O O O O O O O O O O O O O O O O O m O O O O O O O O O O O O O O O O O O O O O O O m O O O O O O O O O O O O O O m 0 0 m m 수』 최• m O O O 최• O O 수』 O O O O O O O O 최• 수』 O O O O O O O O m O O O 0 O 최• O O O O O m O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O 최• O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O 최• O 0 O O O O O O O O m O 0 O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O 0 O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O m O O O O O O O O O O 1, O O O O 최• O O O O O O O O O O O 최• O O O O O O O O O O O O O O 수』 O O O O O O O O O O O O O O O O O O O O O O 최• O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O 0 O O O O O O O O O O O O O O O O O O O O O O 0 O O O 0 O O O O O O O O O O O O O O O O O O O O O O O O 최• O O O O 규호三巨巨표즈흐E巨巨g巨亶亘: 騎프 형 영 O O O O O O O O 최• O O O O O O O O O O 0 m = 0 그

Graph of PE extraction from memory

The result of this phase is two extracted files—one will be the injector, and the other will be the Keylogger.

File extract Entry Point : File Offset : Linker Info : tile Siié: 0000F5EE 0000D9EE 8.00 0001220% 00 EP Section : First Bytes : Subsystem : FF 2500 20 40 Windovvs GUI 00004209 32 bit- Library RES/OVL : O / 22 % MS Visual ce / aasic.NET VB 2005 -DLL -EPToken : 00000000 , overli Lamer Info - Help Hint nu•pack info aig sec. 01 , [I*EXE PE found], Warning : NETRES 36.22KE,tr

Extracted Injector 

extract2 Properties Туре of Те 0esc6ption Sze оп disk [евк Fomms 800ter С [ JseB 04 КВ Desktop

Extracted Keylogger

I compared both files, and they’re entirely different, in size, in structure—the only common factor is that both are .NET binaries.

Binary comparison 

To highlight the difference between the injector dropped on disk (Right) and the one extracted from memory (Left), we can compare the extended content. We can observe how the memory-extracted injector includes imports related to injection that the disk version doesn’t (such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, etc.).

Extracted and dropped injector comparison 

indicators (imports > flag) virustctal (error) dos header (64 bytes) dos stub (64 bytes) rich-header (n/a) file-header (Intel-386) optional-header (GUI) directories (6) sections (3) libraries (mscoree.dll) innpcru (flag) NE-callback (n/a) .NET (stream) resources (2) strings (596) debug (Feb.2012) manifest (n/a) version (nvxdsync.exe) certificate (n/a) Overlay (n/a) imports (163) Memo Stream AesMana ed CryptoConfig CryptoStream CryptoStreamMode DESCwptoServiceProvider HashAI arithm ICwptoTransform RSACwptoServiceProvider RSAParameters SHAI CryptoServiceProvider SHAI Mana ed SHA256Mana ed SymmetricAIgorithm ResourceMana er Re ist K Process Assembly8uiIder Assembly8uiIderAccess ILGenerator Label Loca18uiIder Method8uiIder Module8uiIder O Code O Codes namespace (21) System .10 System. Security. Cryptograp... System. Security. Cryptograp... System. Security. Cryptograp... System.Security.Cryptcgrap... System. Security. Cryptograp... System. Security. Cryptograp... System. Security. Cryptograp... System.Security.Cryptcgrap... System. Security. Cryptograp... System. Security. Cryptograp... System. Security. Cryptograp... System.Security.Cryptcgrap... System. Security. Cryptograp... System. Security. Cryptograp... System. Resources Microsoft.Win32 Microsoft.Win32 System.Diagncstics System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit System. Reflection. Emit flag (15) group (5) memory cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography cryptography resource registry registry execution execution execution execution execution execution execution execution execution execution desktopextract indicators (file > embedded) virustctal (error) dos header (64 bytes) dos stub (64 bytes) rich-header (n/a) file-header (Intel-386) optional-header (GUI) directories (5) sections (file) libraries (p/invoke) innpcru (flag) expc.u a) „—O NE-callback (n/a) .NET 02050727) resources L) strings (1382) debug (Feb.2012) manifest (n/a) version (n/a) certificate (n/a) overlay (signature > unknown) imports (269) GetThreadContext WriteProcessMemo ReadProcessMemo VirtualProtectEx ZwUnma ViewOfSection SetFiIeAttributesA Createprocess SetThreadContext Processld FindResource SizeofResource LoadResource VirtualAIIocEx FileO en GetTem Path WriteAIIText WriteA118ytes CreateDirecto ResumeThread GetCurre

Extracted and dropped injector comparison

Here we can observe various functionalities while extracting the binaries, such as self-deletion. This is done to maintain evasion and avoid revealing its location, as it drops replicas of the original binary in various locations, as we saw earlier.

if (File. Exists(text)) Fi Ie . Copy (Proces s . . Mai nModuIe . Fi IeName , text) ;

 Self-deletion and self-copy of the original binary (Image 1)

Local Disk (C:) Users AppData Roaming library Name Share with New folder Date modified explorer.exe Microsoft Type Application Windows Templates Size 151 KB

Self-deletion and self-copy of the original binary (Image 2)

if true . Tostring(), false) Classl.Ccpiaza()

 Self-deletion and self-copy of the original binary (Image 3)

array expression (string[OxOOOOOOOA]

Self-deletion and self-copy of the original binary (Image 4)

One of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more functionalities than the one seen on disk. This is because the injection tasks are carried out during runtime, but the written file is actually a portion of this, triggering the main binary located in the temporary path. 

It checks persistence and restarts the entire process, including injection. Therefore, it’s a part of the file without revealing all of its functionalities. I’ll show you how it performs injection using Process Hollowing.

Process Injection target, secur ity_F Iags, secur Lty _F lags2, inher it, f Iags , system, , ci text 2, , startup_lnformation, procesă Information) ret u rn; rpf.H.r•II Headers nt_Headers default(rpf.H.NI Headers)• intPtr = new IntPtr-(n• + dos_Header.Address); obiect obj2 = Marshal. PtrToStr-ucture(intPtr, nt_Headers .6etType()); rpf .H.NT Header-s nt_Headers2; nt_Headers ((0bj2 nul l) ? ((rpf.H.nr _ Headerc)obj2) : nt_Headers2); startup_lnfcrmation . CB = Strings. context. F Iags 65538u; if Signature 17744UL dos_Header.nagic 23117) retur n; bool threadContext rpf .H.GetThreadContext(process process • process_lnfomation.process; address .Ebx IntPtr long num2; intPtr = (IntPtr-)num2; site • (TntPtr)4; int num3 e; int num4 = rpf .H. ReadPrccessMemcry(process, address, num2 = (long)intptr; Information . Thread, + 8UL)); ref context) ; ref intPtr, size, ref num3); oo oo OE 69 74 oo oo oo 04 oo oo oo sc oo oo oo oo oo oo oo oo oo oo 73 20 oo 10 40 oo oo oo oo oo oo oo oo oo oo oo 20 62 64 oo oo oo 01 oo 01 10 oo 01 oo 01 oo oo oo oo oo oo oo oo oo OE 70 oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo os oo oo oo oo 72 20 oo oo oo oo oo 10 oo oc oo oo oo oo oo oo oo oo oo 72 01 oo oo oo oo 04 10 oo oo oo oo oo oo oo oo oo oo oo oo 04 02 oo 40 oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo 72 oo 01 oo oo oo oo oo oo oo oo oo oo oo oo oo 04 40 oo oo 21 61 20 24 43 oo 04 oo oo oo oo oo oo oo oo oo oo oo oo oo oo 01 20 oo oo oo oo oo 40 oo oo 20 20 oo oo oo oo 01 20 oo BD 01 oo oo oo 10 oo 01 oo 01 oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo 61 44 oo oo oo oo oo oo 02 oo oo oo oo oo 74 oo oo oo 21 oo oo 20 02 oo oo 10 oo oo oo oo oo oo oo oo oo oo oo oo oo 01 oo oo oo 40 oo oo oo oo oo oo oo oo oo oo oo oo oo oo 20 oo oo oo oo oo oo oo oo oo oo oo oo oo oo oo program canno be run în DOS . . text. if (threadContext g e  rpf.H. (TntPtF)num2) OL) uint num5 = if ((uIong)num5 OUL) process2 process_lnfor.ation. Process; address2 = ( (ulong)num5)); Intet,- size2 = .OptionaI .SHeaders)); Int?tr- uint num6; num3 • (int)num6; rpf . H. WritePrccessMemcry(process2, address2, data, size2, out num3); num6 = (uint)num3; long num7 (long) (dos_Header.Address + 248); int num8 • e; int numg = Headers.FiIe.Sections - 1); fot- (int i = num8; i numg; ÎH) intPtr • + num7 + • 40)); rpf.H.Seczion Heade

Graph of the process injection

In essence, the injector doesn’t have much more functionality. It includes a phase where it checks running processes, which is an interesting technique to detect analysis tools or to determine if the process is already running. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.

public static roces GetPncesses (string machineName) bool flag = P n ager . Is Remotema chine (machineName) ; ProcessInfoC] processlnfos = : anage- . Getp-ccesslnfos (machineName) ; Process(] array = Process(prccesslnfcs. Length], for (int i = a; i < processlnfos. Processlnfo processlnfo = processInfosCi); array C i) new Process (machineName, flag, processlnfo. processld, return array; process Info) ;

Process collection routine (Image 1)

[1] [2] [3] [4] [5] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [24] [25] [26] System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System. Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo System.Diagnostics.P rocesslnfo

Process collection routine (Image 2)

array [1] [2] [3] [4] [5] [7] [8] [9] [10] [11] [12] [13] [14] [15] System. Diagnostics.P r ocessu0000032] {System Dia g nostics. Process (services)} {System.Diagnostics.Process (sqlserver)} {System.Diagnostlcs.Process (svchost)} {System.Diagnostics.Process (svchost)} {System Dia g nostics. Process (svchost)} {System.Diagnostics.Process (svchost)} {System.Diagnostlcs.Process (lgfpers)} {System.Diagnostics.Process (notepad)} {System Dia g nostics. Process (procdot)} {System.Diagnostics.Process (wmpnetwk)} {System.Diagnostlcs.Process (procexp64)} {System.Diagnostics.Process (smss)} {System Dia g nostics. Process (csrss)} {System.Diagnostics.Process (Ism)} {System.Diagnostlcs.Process (svchost)} {System Diagnostics. P rocess (V80xTray)}

Process collection routine (Image 3)

Lastly, we only have the second extraction left to observe, which is HawkEye itself. I’ve encountered many versions of it, as the modules included will vary significantly based on what the creator configures in the builder of the Keylogger itself. We’ll talk more about this later, but you can see all the functionalities that can be added during its creation, which will impact the modules incorporated into it.

KEYLOGGER Account Info Options Add To Startup Melt File Confirm Exec Keystroks C 10M Keylogs Clipboards Screenshots Disablers Delivery Stealers Chrome FireFox e Safari e IE (All) Opera Spreader Task Mgr. • MsConfig USB CMD Regedit Option #1 Minecraft Nimbuzz Outlook FileZiIIa Stea m SmartFTP Clear History o Option #2 Pidgin BTC PalTaIk J Downloader Much More... Dely Exe. Firefox Steam

Comparison between crack and extracted keylogger features (Image 1)

Debugger 002000008 Base Type and Interfaces Derived Types .ctoro: void @0600001D addtostartupO : void 006000039 string) : string 00600004C CallNextHcckEx(int, int, int, Debugger.KBDLLHOOKSTRUCT): int : void 006000048 DecompressString(string) : string 006000042 Decrypt(string, string) : string 006000040 string) : string 00600003A Disablero: void 006000044 : void @0600001E Fakemsg1nstallO : void 006000034 FoldersinstallO : void 006000033 ForceSteamLoginO : void 006000030 &.'entArgs): void 00600002F GetActiveWindowTitIeO : string 00600002A getAIgorithm(string): RijndaeIManaged 00600004E GetAntiVirusO : string 006000053 GetAsyncKeyState(int) : int 006000024 Get8etween(string, string, string) : string 006000052 : string 006000051 GetFirewallO : string 006000054 GetFcregrcundWindcwO : int 006000028 : string 006000050 GetWindcwText(int, ref string, int): int 006000029 : object 006000028 HookKeyboardO : void InitializeComponentO : void 00600001 F IsConnectedToInternetO: bool 006000032 : object 006000031 KeyboardCaIIback(int, int, ref Debugger.KBDLLHOOKSTRUCT): int t lineSetAppSpecific(Iong, long): long @06000026 MgmGetNextMfeStats(ref IntPtr, ref long, ref string, ref long): long : void 006000043 olddesdc(string, string) : string 006000038 readweb(string) : string 006000040 : void seekanddestroy(string) : void 00600004F SendLogsO : void 006000045 : void 006000046 SendLogsPHPO : void 006000049 Server1nstallO : void 006000035 SetWindowsHookEx(int, Debugger.KeyboardHookDeIegate, int, int): SpreadO : void 006000038 : void @0600003D stealMailO : void @0600003E stea[WebroswersO : void 00600003F unhidden(string) : void 006000037 unHideO : void 006000036 UnhookKeyboardO : void @0600002D UnhookWindcwsHcckEx(int) : int 006000022 UploadFTP(string) : void 006000048 UploadFTP(string, string) : void 006000047 UploadPHP(string, string) : void 00600004A WaitlJntiIFiIeIsAvaiIabIe(string) : void 006000041

Comparison between crack and extracted keylogger features (Image 2)

At this point, I conducted tests with several builders to verify this theory, as I had extracted multiple samples to the final phase, and almost none of them resembled each other too much. I tested by removing or adding options, and even with the same sample, there were significant differences, so you can imagine how different it can be if it’s not exactly the same version of the keylogger and different elements were selected during its creation.

Comparison between crack and extracted keylogger

At this stage, we just need to examine the payload’s functionalities. Upon first glance, we can see strings that reveal its nature—this sample didn’t expect anyone to reach this point, as it has three well-defined phases that conceal its tracks, but here we can see many indicators of what it is.

WEB Browser Password Stealer Keylog Records WEB Browser Password Stealer Internet Download Manager Stealer Mail Messenger Password Stealer Clipboard-Logger Enabled External IP Address: Installed Anti-Viru& Installed Firewall: Installed Language Internal IP Address: Keylogger Enabled  

Overview of the extracted HawkEye (Image 1)

{ } Debugger •4 Clipboard 00200000C Base Type and Interfaces Derived Types .ctoro: void @0600005E ChangeCIipboardChain(IntPtr, IntPtr) : bool 00600005A : void 006000062 : void 00600005F SendMessage(IntPtr, int, IntPtr, IntPtr): long 006000058 SetClipboardViewer(1ntPtI) : IntPtr 006000059 UninstallO : void 006000060 WndProc(ref void 006000061 Changed : Clipboard.ChangedEventHandIer 014000001 ID : Intptr 0040000CA ChangedEventHandIer 002000000 Debugger 002000008 RunPE@02000011 Base Type and Interfaces Derived Types .ctoro: void 006000072 CreatePrccessA(ref string, String8uiIder, IntPtr, IntPtr, bool, int, IntPt GetThreadContext(1ntPtr, uint[]): bool @0600007A NtlJnmapViewOfSection(IntPtr, IntPtr) : uint 006000079 : void 00600007C ReadProcessMemory(IntPtr, IntPtr, ref IntPtr, IntPtr, ref IntPtr) : bool int 006000077 SetThreadContext(1ntPtr, uint[]): bool 006000076 VirtualAIIocEx(IntPtr, IntPtr, IntPtr, int, int) : IntPtr 006000075 VirtualProtectEx(IntPtr, IntPtr, IntPtr, int, ref int): bool 006000074 WriteProcessMemory(IntPtr, IntPtr, byte[], IntPtr, ref IntPtr) : bool Cd

Overview of the extracted HawkEye (Image 2)

During the execution of this specific module, we can observe it invoking vbc.exe as it injects the payload into this process, using the same techniques we’ve previously seen.

Execution of HawkEye’s final stage (Image 1)

Execution of HawkEye’s final stage (Image 2)

RunPE 002000011 Base Type and Interfaces Derived Types .ctoro: void 006000072 CreatePrccessA(ref string, String8uiIder, IntPtr, IntPtr, GetThreadContext(1ntPtr, uint[]): bool @0600007A NtlJnmapViewOfSection(IntPtr, IntPtr) : uint 00600007! : void ReadProcessMemory(IntPtr, IntPtr, ref IntPtr, IntPtr, ref int 006000077 SetThreadContext(1ntPtr, uint[]): bool 006000076 VirtualAIIocEx(IntPtr, IntPtr, IntPtr, int, int) : IntPtr 0060 VirtualProtectEx(IntPtr, IntPtr, IntPtr, int, ref int): bool WriteProcessMemory(IntPtr, IntPtr, by-ten, IntPtr, ref Inl

Execution of HawkEye’s final stage (Image 3)

Regarding the modules it brings, I compared three different samples, and they are quite similar in terms of what they can do. The general functionalities that typically match include:

  • Keylogging (Monitoring and stealing keyboard and clipboard data)
  • System information gathering (OS, HW, Network)
  • Credential theft (Mail, FTP, browsers, video games, etc.)
  • Wallet theft
  • Screenshot capture
  • Security software detection
  • Analysis tools detection (Dbg, traffic, etc.)
  • Persistence (usually via registry keys or Tasks)
  • Information exfiltration through various methods (FTP, HTTP, SMTP, etc.)

Payload module diffing Type " d @C6coc058 void go«moac 2ddStrrup(stnng. • . void ao«'mo zocona.3 AntiBitoeftnde,o Wd pcsmmAs ; void AntiN00320 Wd PD5mcnAA void void : void gooymoA2 Type O Type r g) stnng gc«omsA "'ins "oom.'c scoooD2F : sococm30 G'. object void "ring); string : aounoas : void eo«ouo ..cid mhidsenetnng) void ORexorVcZ Type and Type void Ch.nged dCh' 0.1 uCOCOSC Z6cot091 void cosco:og.l : void in: toramos4 void ft%to Wd pcsmm87 ; oc«xno: Int) Wing. int) : int G' void void @C6coc07F : void *06000050 : ec%cocrg G'. coco:0'7E MeltMeo ,..ois stattChe&0: Wd pcsmmo st„mo achmmso void @C6coc08E vod aentArgs) mid 0. 0. Type amcaxno stoma) 5tnng 'tnng gcocm34 enc032F accoDC2A ecscoc024 : z,0écojos.1 ecooc028 ZoOco»oso : abject ret Debugg«.• • ' void void so«m049 vou pcsc«n38 vou@C6coc03F void acso:c022

Graph of payload module diffing

Calling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers I’ve seen. Once injected into vbc.exe or other processes, it carries out various actions mentioned above.

• ere Payload Functionality graphics2 - graphics; Login 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2832 2232 4180 Oose Fie OzyQa-d&dI . _ C: uses Create File Read Fie Read Re LWock Flee-de Læk LW•ck FJeWe OJeryNewotk. Oose Fie Create File Queryqar-dardl C: tJses' LWock Fie Create File Create File Cre*e File c: • .uws' 21 acre;teRe KLM 'Co M 44E8 Local IG0ßIe Local IG0ßIe ChromelJs« Local GowIe vChromelJs« LocaliGoogIe Local IG0ßIe Local IGowIe Local Gowle ChromelJs« 00 Local IG0ßIe XChromeLJs« Local Gowle ChromelJs« Local Local Google Local G0ßIe ChromeLJs« Local Gowle ChromelJs« 00 ChromelJser 00 Local Local KChromeUser Preload Web Local Gowle Chrome', I -'ser KLocaIGowIe User DMaXPepperFash Dee User 32 32 32 graphics Graphics xxux string ( ) .noinmodulc.ease g.co exe 456 458 wrteF1e 4SG Wrttcac wnteF1e 456 WrteHe 456 2d12 2412 2412 2412 2412 2412 2412 2412 2d12 32 32 32 32 32 32 32 32 32 32 4130 41 go 4120 D min; 02 04 min; d 8 •st LECT string text foreach (Man ütch Local Disk(c:) users re with C : XLVB c:'JJ—, Slide Asp O upp O 3geg Opp O 'peg Opp O 'peg peg screens Nu folde «remshctl,jpeg s U & n shot2,Jpeg "SELECT agætSas&ject Ln this catch (Exception ex) @Rexor vcø

Graph of HawkEye functionality

Outro

As we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script kiddies. In my research, I found different places where this keylogger was sold—there were up to 4-5 different sites, as it changed developers and domains over time, which is quite common.

HawkEye Products Terms Of Services 1. ACCEPTANCE OF TERMS Email US: The Next Generation Tools admin@hawkeyeproducts.com Hawkeye Products provides its services to you subject to the following Terms of Service ("TOS"), which may be updated by us from time to time without notice to you. You can review the most current version of the TOS at any time at: Terms of Service. In addition, when using particular Hawkeye Products owned or operated services, you and HawkEye Products shall be subject to any posted guidelines or rules applicable to such services, which may be posted from time to time. All such guidelines or rules are hereby incorporated by reference into the TOS. Hawkeye Products may also offer other services that are governed by different Terms of Service. 2. DESCRIPTION OF SERVICE Hawkeye Products offers access to a collection of various communications tools, forums, personalized content and branded programming through its network of properties, which may be accessed through any various medium or device now known or hereafter developed (the "Service"). You also understand and agree that our setvices may include advertisements and that these advertisements are necessary for Hawkeye Products to provide our services. You also understand and agree that our services may include certain communications from Hawkeye Products, such as service announcements, administrative messages and the HawkEye Products Newsletter, and that these communications are considered part of Hawkeye Products membership and you will not be able to opt out of receiving them. Unless explicitly stated otherwise, any new features that augment or enhance the current Service, including the release of new Hawkeye Products properties, shall be subject to the TOS. You understand and agree that our services are provided "AS-IS" and that HawkEye Products assumes no responsibility for the timeliness, deletion, mis-delivery or failure to store any user communications or personalization settings. You are responsible for obtaining access to our services, and that access may involve third-party fees (such as Internet service provider or airtime charges). You are responsible for those fees, including those fees associated with the display or delivery of advertisements. In addition, you must provide and are responsible for all

HawkEye webpage

Bnpycbl Ha nK Tenet0H 29 Feb. j —t HawkEye Keylogger Cracked.rar c u„wp0K'4M •y*KLW0Hanov a03M0*HOCTRMM_ Tao«e 06naaaeT crunnepa. LIJKana onacHocTH 7/10 ace E uennx HawkEye Keylogger Crxked 2020 • Computer name • Installed antivirus and firewall products • Internal and external IP addresses • OS Hawkeye Can also Set to terminate F,N09ramS to evade detection and remtwal: • Command Prompt • Registry Editor Systern Configuration • Task Manager TO passwords email and executes NirSolt as Mail PassVQw [Jl and WebBrowserPassView [41. It also has other notable features such as • Deletes cookies • Denies access to certain websites • Displays an message execution • Downloads and executes files • Forces computers to log in to Steam* • Retrieves rnost recent Minecratt bg-in file • Spreads Via removable drive • Steals gitcoin wallets Download Link 1 Download Link 2 HawkEye Keyloggev Cracked -Hacking Toal- HawkFye Keyloggev takes operating system monitoting the next level. Not only it '.vhdt the use' typed it also steals Gther inlownation such as sd'.e•d passwcvds in may have been fotgotten P:oduct is ccrnpletely Clacked and you don need 10 pay sufr;aiption and Unh,' NOT F: ACL MATERIAL, SOFTWARE. TUTORIALS ARF STRICTLV FOR: ACADEMIC, RFSFARCH, FOUCATIONAI and TRAINING - WF OO NOT CONDONE ACTIVITIES VOU Will RFCFIVF yr,uR ORDFR 74 HOURS IF HAVF ANV ISSIJF m FASF Ta voll Rorr-:rt anv dead links to me! will hr leaving a positive rating on this order. • If satisfied with my Truicos please consider adding me as a favorite • Your good/positive feedback if, much appreciated and necessary to maintain cur service • Remember give feedback and request 'jour bonus! ALL MATERIAL. SOFTWARE, TUTORIALS ARE STRICTLY FOR: ACADEMIC, RESEARCH, EDUCATIONAL and TRAINING ONLY - WC DO NOT CONDONE ILLEGAL ACTIVITIES NOR SUPPORT THOSE THAT APPEAR TO posc A THREAT TO NATIONAL SECURITY WHERE I ANC TO THE YOU IIAVC ANY ISSUE PLEASE MESSAGE ME PLEASE PLACE YOUR AND WILL PROVIDE IT Ta you FROM MY RESOURCES

HawkEye product sales

It’s always important with these kinds of tools to locate the original software in different versions to understand how it works from both the victim’s and the attacker’s perspectives, so we can get a complete view of the malware.

Here, we can see that the builder provides a multitude of configuration options, allowing us to choose where to send the stolen information (email, FTP, etc.), what we want to collect (browser info, FTP credentials, mail, etc.), whether to check for certain tools, establish persistence, delete data, download from a domain (this could function as a downloader for other malware), change the payload data to make it appear like legitimate software (e.g., changing the icon, description, etc.). As you can see, it’s incredibly comprehensive. After compiling, we’ll have our complete Keylogger, Stealer, or Downloader (call it what you will, as it does everything) ready to use.

Account Info Hawkeye builder et4WKE!E 10M KEYLOGGER De livery Option Host: username: Password: Option ftp.yourhost.com YourUsernsme kcount Info Options Delivery Stealers Opton Email: Server: mdom@proton. SSL Show smtp.gmaiLcom Add To Startup Chrome Link: http:/,ewwn.site.com.'logs_php Melt File Confirm Exec. Keyfogs Clipboards Screenshots Viregox Safari e IE(AII) O Opera AIM Option Minecraft Nimbuzz Outlook VileZiIIa Steam Smart FTP Option Pidg n PalTaIk Much More... Dely Exe. Option O KiloBytes (KB) Delivery Multi Binder site slocker Option Assembly Changer Description: Company. Product: Copyright: Trademark: Option Option Option Add File(s) Delete File(s) Clear File(s) Add Site(s) Delete Site(s) Duration Delivery Elme Interva': Option Show Website M uh Downloader In Minutes option 6} Checking Will be tor future us Remember Me For Future Spreader Clear History Chrome Task Mgr. MsConfg LIS3 CMD option Option Add Site(s) Delete Site(s) Add Link(s) Delete Link(s) Clear Link(s) Option Icon Charger Option Fake Error Message Message Test Message jpg, scr, mpeg etc Option File Pumper Pump: Option File Cloner Word Access T. Viewer FireFox WinRAR Adobe p. point Opera Chrome WinZip ps CC Randomize KEYLOGGER News Feed Option 1. ACCEPTANCE OF TERMS Hawkeye products provides its services to you subject to the following Terms Of Service ('TOSO Bhich may be updated by us from time to time Bthout notice to you. You can review the most current version of the TOS at any time at: Terms of Ser•ice. In addition, "hen using particular HawkEye Products ouned or operated services, you and HankEye Products shall be subject to any posted guidelines or rules applicable to such services, •hich may be posted from time to time. All such guidelines or rules are hereby incorporated by reference into the TOS. HawkEye Products may also offer other services that are governed by different Terms of Service. 2. DESCRIPTION OF agreed The TOS? Build x @Rexorvca

Graph of HawkEye builder

I don’t want to repeat myself too much, but when comparing the versions we’ve seen and extracted with the ones we created ourselves, they function exactly the same—same injections, persistence, data theft (or whatever was chosen in the builder). Therefore, in telemetry, we won’t find any surprises, as you can see below.

Hawkeye builder execution *Ows exe vbc exe Tkye exe — "kye exe ÜHkye exe Tkye exe —Pkye exe ÜHkye exe ÜHkye exe Tkye exe — Hkye exe < 0.01 21.552K 4791 38.444K 3276 •createFie 3276 3276 Closeæ 3276 *CreateFie 3276 Createae C:xuser 3276 QueryktrbuteT... 3276 *CloseFie 3276 createFie 3276 Query•mdardl , C user 3276 *QueryBasicInfor.. 3276 * Query*ream Inf 3276 3276 QueryEaHom 3276 22.344 K 33.020 K 3.872 K 3316 Phulli 3316 Ph_• 3816 Basic . wcroscft Corpa-*ion Data hfo Oat a sys o bd Oat a Info Data Roaming Wrdows Lbd*e.exe o p exe Deskt o p u-kye exe Deskt o p exe Desktop exe exe Desk o p KG--kye exe Desktop exe Desktop exe Deskt o p exe Upd*eexe Local Disk (C:) Users bray Share with Name Windowsupdate.exe Windows Update,exe pidIoc.M New folder AppData Roaming Date modified Application Application Text Document Text Document pidloc.txt - File Edit Z: user: File Edit P316 Format Format View Help ngvcindows update. exe Help • ' VOC. exe i7vbc.exe • VOC. exe vbcexe • ' vtcexe i7vbc.exe • 'vbcexe • ' v±exe i-¯' vbc exe • exe i7vbc.exe •abc, exe • ' vtcexe exe 3816 *Queryffrectoty 3816 aoseFi1e 3816 CreateRe 3816 *Query Director,' 3816 * Quer,'Director,' 3816 CreateFje 3816 Query Directory 3816 3816 CreateFi1e 3816 Query Ch•ætoty 3816 3816 Quer,'Directory 3816 aoseFi1e 3816 *QueryDirectoty 3816 3816 CreateFJe 3816 Query Chrectoty 3816 3816 ReadFi1e 3816 Mail oeaccount Mail BackL.p &pData Mail Mail Back-p Mail BackLDnew &pData Mail Mail Backupnew Mail Mail •c. Data Mail XBackupnew uocdMicroscQWindows &pData Mail Backup &pData Mail Mail Mail 'Stunery Mail • voc exe i%vbc.exe • voc exe • v•bcexa vbcexe • voc exe • voc exe • voc exe i%vbc.exe • vbcexe i7vbcexe • voc exe • v•bcexe • voc exe • voc exe exe 3848 *Create File 3848 Create* 3848 Create File 3848 *Create File 3848 createF,1e 3848 CreateFile 3848 *Create File 3848 3848 Create File 3848 Create File 3848 3848 Readfile 3848 3848 3848 createF,1e 3848 CreateFile 3848 Create File 3848 * Create File 3848 Crate File 3848 Create File 3848 *Create File Create ale o zi/a.ProfiI App a R o App o -App Zilla .Aop RO o zNaFrefoxWcfies ini App MorkeyP App Dea KLocaIMoziIIa 'Sea Monkey.proflles .App Ro zaa.Sea Morkeypnzfiles emme Lisa Data ' vbc ' vbc exe VbC vbc exe C: K,lJseß C : Users VbC emme Data vbc exe Data I _lse Data '-LocalGoogIe Data 4468 a RegOpenKey 4468 aRegQueyKey 4468 4468 Reg QueryKey 4468 4468 Reg QueyKey 4468 RagOp«Key HCIJ %couN HKCIJ Manage-Vccourts HCU HKCU H C J I de—tOCRL Use

Graph of HawkEye builded execution

After analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has displayed over the decades. It’s truly a tremendously powerful and easy-to-use tool that, unfortunately, we will continue to see in security incidents from actors of all types.

 

 

The post HawkEye Malware: Technical Analysis appeared first on Cybersecurity Insiders.


November 29, 2024 at 11:18AM

Ransomware spreading through Microsoft Teams

Black Basta ransomware, a notorious cybercrime group, has recently resurfaced in the news for its new and alarming method of spreading file-encrypting malware through Microsoft Teams. Teams, a widely used messaging and collaboration app, has become a target for this group, which typically operates within the technology, finance, and public sector industries.

This tactic was first observed in October 2024, and it marks a shift in the group’s approach to deploying malware. Black Basta, active since April 2022, has previously relied on spam and social engineering techniques to spread its malicious software. However, the group has now adopted a more deceptive method—posing as legitimate IT support personnel to interact with Teams users. By pretending to be a help desk operator or even a colleague requesting credentials for an urgent network login, the attackers trick victims into revealing sensitive login information, which is then used to infiltrate the network and deploy file-encrypting malware.

This new strategy represents a departure from older methods, such as phone calls to gather personal details. Instead, cybercriminals are now impersonating IT professionals or senior managers to steal credentials and install remote access tools.

Why Target Microsoft Teams?

The choice of Microsoft Teams as a target is strategic. The software is a staple for internal communication in corporate environments worldwide. Teams users often overlook the authenticity of incoming messages, particularly since the app is trusted within professional settings. As a result, some employees may unwittingly respond to malicious requests or follow instructions without verifying the source.

The Shift from Email Phishing

In 2023, Black Basta was also linked to email phishing campaigns that involved sending emails with embedded links directing recipients to malicious websites. These sites were designed to harvest sensitive information and deliver malware payloads.

Microsoft’s Advice

Microsoft has issued guidance for users to be cautious of suspicious messages, particularly those requesting sensitive information or financial transactions. If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels, such as phone calls or email, before complying with the request.

Additionally, users should avoid clicking on any links from unknown senders, especially those impersonating IT staff or support personnel, as these can lead to phishing attacks.

The post Ransomware spreading through Microsoft Teams appeared first on Cybersecurity Insiders.


November 29, 2024 at 10:47AM

Protecting Against Inevitable Insider Threats

The seven pillars of the Department of Defense (DOD) Zero Trust Reference Architecture provide a comprehensive framework for securing today’s organizations. However, the data layer – arguably the most critical and foundational pillar – remains insufficiently addressed. This gap is evident in the persistent and increasingly detrimental cyberattacks targeting sensitive data across all industries, underscoring the urgent need for a more robust and actionable approach to data-level security within the Zero Trust model.

It’s important to clearly delineate an insider threat. It’s something that’s initiated from within – whether it’s purposeful or not. Insider threats differ from other security concerns because they’re inevitable. Insider threats are going to wield themselves. This makes swift detection, immediate isolation of the offending individual, and rapid restoration of compromised files critical to minimizing damage. Below are the most significant insider threats to corporate data. Each poses unique risks that can lead to severe financial, operational and reputational damage:

  • Ransomware – Malicious software that blocks access to data by encrypting it and demanding a ransom for access to the unique decryption key.
  • Data Exfiltration (Theft or Unauthorized Removal) – Stealing sensitive data such as trade secrets, intellectual property, customer records or financial information.
  • Data Manipulation or Sabotage – Altering, corrupting or deleting corporate data to disrupt operations or harm the organization.
  • Unauthorized Data Access and Usage – Insiders access sensitive corporate data without a legitimate purpose or authorization.

Many people may not perceive threats like ransomware as an “insider” threat since it’s often initiated by an external attacker. However, ransomware requires the action of an insider – such as an unsuspecting employee clicking on a phishing email, downloading a malicious attachment, or visiting a compromised website – to infiltrate the environment. Once introduced, the ransomware spreads, encrypting files and potentially exfiltrating data, ultimately causing a significant data breach.

While not gaining the same level of attention, the theft of intellectual property (IP) is just as significant as ransomware and, arguably, more costly to corporations in terms of both financial loss and reputational damage. A prominent example occurred in 2016 when it was reported that an engineer at Google’s self-driving car division, downloaded approximately 14,000 confidential files before resigning and starting his own self-driving truck company. 

Such cases underscore a broader trend: according to a 2015 survey by Biscom, 87% of employees who left a job admitted to taking data they had created, believing it was their own property. Shockingly, 59% felt justified in taking the data, and 77% believed it would be helpful in their new roles. This highlights a critical reality for organizations – the question isn’t if your corporate data assets will be taken, but when. As companies increasingly depend on data for a competitive advantage, the need for robust data protection strategies has never been greater.

That’s one of the core elements of insider threat protection – the ability to immediately return an environment to its state before an attack so that no data is compromised. It’s this combination of the ability to notice unusual user behavior AND protect the data layer that is the ultimate need. 

A Comprehensive, Cohesive Protection Approach 

Insider threats pose a significant danger to corporate data assets, but the key to mitigating their impact lies in accepting the reality that an insider attack is truly inevitable. Addressing this reality requires a comprehensive, cohesive protection approach that emphasizes real-time detection, isolation and recovery.

Real-Time Detection

The quicker an attack is detected, the less damage it can inflict on a business. Insider threats, however, require tailored detection methods due to their unique nature. A robust detection strategy must include:

  • Identifying Ransomware Early: Detecting ransomware at the very moment it attempts to encrypt data, before any files are affected, is critical. Early detection can prevent catastrophic data loss.
  • Behavioral Tracking with Multi-Factor Analytics: Monitoring user behavior, particularly file actions, is essential. Multi-factor analytics can identify when user behavior deviates from the norm, signaling a potential threat.
  • AI-Powered Content Identification: Leveraging AI to tag critical and sensitive content digitally ensures that only authorized users can access it. Unauthorized attempts should be blocked in real time.
  • Controlling External Storage: Preventing data exfiltration by shutting down external storage options, such as USB drives, web storage accounts and email attachments, for controlled content, is a vital layer of defense.

These real-time detection mechanisms minimize the window of opportunity for attackers, reducing their potential impact.

Isolation of Threats

Once an insider attack is detected, immediate automated actions are necessary to mitigate further damage. The suspected user must be isolated from all network file access, preventing them from causing further harm. Simultaneously, security personnel must be alerted to investigate and address the situation. While many security solutions on the market generate alerts for potential security issues, they often overwhelm teams with alert fatigue due to false positives. To overcome this challenge, solutions must integrate multi-factor detection, significantly reducing false alarms and enabling security teams to focus on real threats.

Seamless Recovery

After containing the attack, recovering any compromised files is the final step. Traditional backup systems offer protection only up to a specific point in time, often leaving vast gaps in recoverability depending on their configuration. In such cases, organizations risk losing critical content or facing prolonged downtime as teams painstakingly analyze logs to identify affected files and manually restore them from backups. An innovative approach to this hurdle includes real-time roll-back of affected files alongside detection and isolation systems. By simply reverting files back to their pre-attack state, cybersecurity teams are eliminating the need for extensive log analysis or manual restoration efforts, ensuring rapid recovery and minimal operational disruption – a win-win approach welcomed by IT teams and their C-suites.

The post Protecting Against Inevitable Insider Threats appeared first on Cybersecurity Insiders.


November 29, 2024 at 08:36AM