Attackers use Equation Editor to spread Hawkeye Keylogger
Recently a keylogger campaign took advantage of an old Microsoft Office Equation Editor weakness to steal sensitive user information, passwords and clipboard content.
According to a Quick Heal report, the attackers used Rich Text Format (RTF) files to spread the keylogger malware named Hawkeye. The RTF files were delivered either on their own or embedded in PDF files, and carried a DOC extension.
Phishing emails were the delivery vehicle used to gain a foothold on the devices of targeted individuals and enterprises. From there the campaign chose a less popular path into the system: the Microsoft Office Equation Editor. The so-called “Hawkeye v8 Reborn” campaign exploits CVE-2017-11882, a stack buffer overflow in Equation Editor (EQNEDT32.EXE) that is triggered when an attacker-controlled, overlong FONT name string is copied into a small fixed-size stack buffer without a length check. If the exploit succeeds, the attackers can execute arbitrary code and drop their payload.
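The overflow described above, reduced to its essence, as an added example that is not code from the Quick Heal report or from Equation Editor itself: a simplified MTEF FONT record (the record layout, the 36-byte buffer figure and the two sample records are assumptions constructed for this illustration) is handled first by the unbounded-copy pattern that makes CVE-2017-11882 possible, then by a bounded parser that rejects overlong names instead of copying them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer into which the vulnerable EQNEDT32.EXE routine copied
 * the FONT record's name (0x24 = 36 bytes is the widely reported figure; assumed here). */
#define FONT_NAME_BUF 36

/* Simplified FONT record layout used by this example: [tag][typeface][style][name ... NUL].
 * Constructed for illustration; real MTEF records carry more fields. */
#define FONT_TAG     0x08   /* MTEF record type 8 = FONT */
#define FONT_HDR_LEN 3

/* Vulnerable pattern: copy the name byte by byte until a NUL, with no bound tied to the
 * destination size. When dst is a FONT_NAME_BUF-byte stack buffer, a longer name runs past
 * it and, a few bytes further, reaches the saved return address. The function returns how
 * many bytes it wrote so the overrun can be measured; the demo below hands it an oversized
 * dst so this example does not corrupt its own stack. The rec_len check only stops the demo
 * from reading past its sample buffer; the real copy loop had no check at all. */
size_t font_name_copy_unbounded(const uint8_t *rec, size_t rec_len, char *dst)
{
    const uint8_t *name = rec + FONT_HDR_LEN;
    size_t i = 0;
    while (FONT_HDR_LEN + i < rec_len && name[i] != 0) {
        dst[i] = (char)name[i];
        i++;
    }
    dst[i] = '\0';
    return i + 1;
}

/* Hardened parser: checks the record header, locates the NUL inside the record bounds,
 * and refuses (rather than silently truncates) a name that would not fit the destination.
 * Rejection beats truncation here: a cut font name is useless to the application, and an
 * overlong name is a strong signal of a malicious document.
 * Returns 0 on success, -1 on malformed or overlong input. */
int font_record_parse(const uint8_t *rec, size_t rec_len, char dst[FONT_NAME_BUF])
{
    if (rec == NULL || dst == NULL || rec_len < FONT_HDR_LEN + 1) return -1;
    if (rec[0] != FONT_TAG) return -1;
    const uint8_t *name = rec + FONT_HDR_LEN;
    size_t avail = rec_len - FONT_HDR_LEN;
    const uint8_t *nul = memchr(name, 0, avail);
    if (nul == NULL) return -1;                /* unterminated name */
    size_t n = (size_t)(nul - name);
    if (n + 1 > FONT_NAME_BUF) return -1;      /* name plus NUL would overflow dst */
    memcpy(dst, name, n);
    dst[n] = '\0';
    return 0;
}

/* Builds a constructed FONT record for a given name; returns its length, 0 if it does not fit. */
size_t make_font_record(const char *name, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(name);
    if (FONT_HDR_LEN + n + 1 > out_cap) return 0;
    out[0] = FONT_TAG;
    out[1] = 1;      /* typeface index, arbitrary for the demo */
    out[2] = 0;      /* style */
    memcpy(out + FONT_HDR_LEN, name, n + 1);
    return FONT_HDR_LEN + n + 1;
}

/* Benign record (constructed). Returns 1 if the hardened parser accepts it and reproduces the name. */
int demo_benign_parses(void)
{
    uint8_t rec[64];
    char dst[FONT_NAME_BUF];
    size_t len = make_font_record("Times New Roman", rec, sizeof rec);
    return len != 0 && font_record_parse(rec, len, dst) == 0 &&
           strcmp(dst, "Times New Roman") == 0;
}

/* Constructed 60-byte name, the kind of overlong FONT name exploit documents carry.
 * Returns the bytes the unbounded copy writes; everything above FONT_NAME_BUF is stack
 * memory the real binary would have clobbered. */
size_t demo_overrun_bytes(void)
{
    char longname[61];
    memset(longname, 'A', 60);
    longname[60] = '\0';
    uint8_t rec[128];
    char big_dst[256];                         /* oversized on purpose, see above */
    size_t len = make_font_record(longname, rec, sizeof rec);
    return len ? font_name_copy_unbounded(rec, len, big_dst) : 0;
}

/* The same 60-byte record fed to the hardened parser. Returns 1 if it is rejected. */
int demo_malicious_rejected(void)
{
    char longname[61];
    memset(longname, 'A', 60);
    longname[60] = '\0';
    uint8_t rec[128];
    char dst[FONT_NAME_BUF];
    size_t len = make_font_record(longname, rec, sizeof rec);
    return len != 0 && font_record_parse(rec, len, dst) == -1;
}

int main(void)
{
    printf("benign record parsed: %d\n", demo_benign_parses());
    printf("unbounded copy wrote %zu bytes toward a %d-byte buffer\n",
           demo_overrun_bytes(), FONT_NAME_BUF);
    printf("hardened parser rejected overlong name: %d\n", demo_malicious_rejected());
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The unbounded copy is deliberately given a 256-byte destination so the demo measures the overrun instead of crashing; with a real 36-byte stack buffer the 61 bytes it writes would overwrite the saved frame pointer and return address. The hardened version rejects rather than truncates, which is also the right behaviour for a document-triage tool: flag the file, do not try to make the name fit.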
Current Version of Hawkeye Keylogger Makes Extra Features Available
Obfuscation and evasion are central to Hawkeye’s success. The Equation Editor flaw is the starting point: Microsoft patched it in November 2017, but numerous unpatched installations remain for defenders to deal with.
The Hawkeye keylogger also stays under the radar by compiling code at runtime and loading its payload in memory instead of writing it to disk, so file-based scanning on the endpoint has little to inspect and many security tools miss the threat.
Once the keylogger payload is installed, the criminals gain a range of capabilities, including copying data out over File Transfer Protocol (FTP), mail credential theft and clipboard capture. The malware uses anti-analysis measures such as the SuppressIldasm attribute and ConfuserEx 1.0 obfuscation, and bundles the legitimate NirSoft tools MailPassView and BrowserPassView to recover stored passwords. It also disables antivirus tools, Task Manager, the command prompt, the Registry Editor and the System Restore utility rstrui.exe, so that the victim cannot easily restore files.
Preventive Measures Against Hawkeye’s Attacks
Companies are advised to start with patching in order to avoid the destructive consequences of keylogger campaigns and similar malspam attacks (malware delivered via email messages). The Pareto Principle applies: roughly 20% of the known weaknesses account for about 80% of the incidents, and already-fixed but unpatched bugs like this one are in that 20%.
Security experts also recommend implementing multilayered malspam defense, including email filtering, endpoint protection and system hardening. Given the ability of determined attackers to bypass these measures, however, it’s also a good idea to deploy automated incident response (IR) processes capable of analyzing emails, extracting indicators of compromise (IoCs), and updating all filtering devices and services with this information.