A recent wave of attacks using HawkEye malware sends data stolen from victims to another keylogger provider's website.
On May 21, My Online Security came across a new copy of HawkEye. The delivery mechanism itself was not unusual compared with earlier malware campaigns. In this case, the attack e-mail used a fake payment notification as bait to trick recipients into opening a malformed RTF file / Microsoft Word document. These attachments contain a macro script or an embedded OLE object designed to infect the user with the malware.
By analyzing this infection chain, My Online Security found that the RTF document contacted https: // bit (dot) ly / 2WRVGFr, which redirected to https: // filesend (dot) go / ton (dot) edee to download the payload. The shortened link had recorded 124 clicks since it went live on May 20, 2019.
My Online Security then used the Any.Run online sandbox, opened the network connections tab and inspected the SMTP port 587 entry for gator3285.hostgator.com. This showed that the e-mail address used to send and receive all of the data stolen by the HawkEye sample was firstname.lastname@example.org.
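The indicator that gave the sample away in the sandbox was an outbound SMTP connection on port 587 from a process that has no business sending mail. The following is an added example, not code from the original article or from Any.Run, that applies that check to constructed sandbox-style connection records; the process names, hosts and the mail-client allow-list are assumptions.

```python
"""Flag HawkEye-style SMTP exfiltration in sandbox network-connection records.

Constructed example (not from the original article or the Any.Run sandbox).
HawkEye, as described above, sends stolen data over SMTP (here port 587)
rather than HTTP, so an outbound SMTP connection from a process that is not a
mail client, especially one spawned by an Office application, is a strong
indicator of keylogger exfiltration.
"""
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587, 2525}
# Processes that legitimately speak SMTP (assumed allow-list, hypothetical).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class Connection:
    process: str      # image name of the process that opened the socket
    parent: str       # image name of its parent process
    dest_host: str
    dest_port: int
    proto: str        # "tcp" or "udp"


def smtp_exfil_findings(conns):
    """Return (process, host, port, reason) for each suspicious SMTP connection."""
    findings = []
    for c in conns:
        if c.proto != "tcp" or c.dest_port not in SMTP_PORTS:
            continue
        if c.process.lower() in MAIL_CLIENTS:
            continue
        reason = "unexpected outbound SMTP"
        if c.parent.lower() in OFFICE_APPS:
            reason += " from Office-spawned process"
        findings.append((c.process, c.dest_host, c.dest_port, reason))
    return findings


# Constructed sample: a benign HTTPS fetch, a legitimate mail client, and a
# dropped binary (placeholder name) spawned by Word that talks to an SMTP relay.
SAMPLE = [
    Connection("winword.exe", "explorer.exe", "bit.ly", 443, "tcp"),
    Connection("outlook.exe", "explorer.exe", "smtp.example.com", 587, "tcp"),
    Connection("dropped_payload.exe", "winword.exe", "smtp-relay.example.net", 587, "tcp"),
]

if __name__ == "__main__":
    for finding in smtp_exfil_findings(SAMPLE):
        print(finding)
```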
This discovery is what caught My Online Security's interest. As explained in the blog post:
This is where it becomes more interesting than normal, because spytector.com is a website selling an "undetectable" keylogger and info stealer. I have no way of knowing if the e-mail address is a compromised e-mail address, which is very common for Hawkeye campaigns, which would be very poetic for a keylogger supplier. Hawkeye has to steal more if the sellers of Spytector are not doing so well and need an additional source of income.
No user wants to fall victim to a keylogger campaign that forwards their stolen data to another keylogger vendor's site. Users should protect themselves by never enabling macros or editing in a Microsoft Office attachment, whatever reason the document gives. They should also familiarize themselves with the most common phishing lures currently in circulation.