Cyberbit website use cookies. By continuing to browse the site you are agreeing to our use of cookies. For more details about cookies and how to manage them, see our cookie policy. Continue
  • All Blogs
Hawkeye Malware Cyberbit EDR Analysis

Hawkeye Malware Analysis

Tomer Hevlin | May 19, 2019

What is Hawkeye Malware?

Hawkeye malware is a credential-stealing malware that is sold as a software-as-a-service. It uses keylogging to target the endpoint and a free tool, contained in an encrypted resource section of the binary to extract sensitive login data from web browsers. Hawkeye is a file-less attack that can often evade signature-based detection products.

Hawkeye Malware Analysis Video

This video provides a deep analysis of Hawkeye malware. It uses Cyberbit EDR – endpoint detection and response behavioral analysis capabilities to demonstrate how Hawkeye malware can be detected and a step-by-step analysis of how the attack is executed. Full transcript below.

Hawkeye Malware Analysis – video transcript

Download Free Whitepaper: Cyberbit EDR Kernel-Based Endpoint Detection vs. Whitelisting

Hi, this video will provide a deep analysis of Hawkeye, a credential-stealing malware, being sold as malware-as-a-service. We will provide this analysis using Cyberbit EDR – endpoint detection and response platform. HawkEye is a file-less attack. Therefore, it often evades signature-based detection products. By using Cyberbit’s behavioral analysis we will detect it and demonstrate how an entire attack is executed. 

This is Cyberbit’s behavioral graph view. This graph was created after detecting and analyzing a potential Hawkeye attack. Red nodes indicate suspicious behaviors, like this code injection.

Hawkeye malware works by using keylogging on the target endpoint and uses a free tool, which is contained in an encrypted resource section of the binary, to extract sensitive login data from web browsers.

First, the malware attempts to schedule a Windows task, so it will execute each time the user logs in, this way it achieves persistence. EDR has detected this suspicious behavior.
We will now click on this behavior to dive deeper.

We can see that the scheduled task was configured by an XML file, which is posing as a temp file “tmpDD82.tmp”. This XML file contains the configuration details, allowing to schedule the Windows task.

This activity looks suspicious, so we will now dive deeper into the raw event data, related to the Hawkeye executable that triggered this behavior.

We can also see all the files that were used by the malicious file during the initial phase of the attack, for example, we can see that it accessed many files such as; sysmain.sdb

Here, we have identified the malware performing 2 suspicious operations: It creates a reg ASM process – reg ASM is an assembly registration tool, which is a legitimate Windows subsystem process. Next, it injects malicious code into this process by using the “Set Thread Context” technique.

Running the malicious code as part of a legitimate process is a stealthy way for the malware to look legitimate and bypass whitelist applications, as well as unskilled analysts.

The reg ASM executable now uses Reflective DLL Loading, to load an external library without having to store it on the hard drive. This is a file-less approach, intended to reduce the malware’s footprint. Cyberbit EDR also allows the analyst to fetch the memory dump of the process to analyze the injected executable using 3rd party tools.

The executable now enables keylogging on the machine. The keylogging technique uses a SetWindowHookEx API in order to receive any key pressed and store it and later send it to a Command & Control server.

After enabling keylogging, Hawkeye performs additional actions to steal passwords. Here we can see that it injected code into vbc.exe Vbc.exe is a signed Windows executable that works with dot NET framework. Once again, the malware uses code injection to run as part of a legitimate Windows process and evade security tools.

Hawkeye now uses 2 injection techniques: Set thread context and Process hollowing.
Process hollowing is an interesting technique that loads a foreign process to memory in suspended mode, replaces the code of the process in memory with malicious code, and then resumes it.

The compromised VBC then performs 2 malicious actions, aimed at stealing data, such as passwords, from web browsers:

  • It accesses Lsaas– the Windows Authentication Service responsible for storing and handling all Windows authentication data. In this case, the malware steals NTLM credentials, which can later be reused for techniques such as “pass the hash” in order to log in to additional computers and perform lateral movement.
  • It accesses sensitive files – In this case Chrome login data. Chrome stores all credentials in this file. Surprisingly, Chrome only obfuscates the data but does not encrypt it. Therefore the Hawkeye malware can easily extract passwords as plain text.

Download Free Whitepaper: Cyberbit EDR Kernel-Based Endpoint Detection vs. Whitelisting