TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email campaign spreading the HawkEye keylogger on March 11, 2018.
Cyber-criminals use "social engineering" techniques in fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.
If you have received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center): How to send suspicious emails
"HawkEye" malware campaign.
Malware family:
HawkEye Keylogger - Reborn v8
VirIT: Trojan.Win32.HawkEye.AA
Description:
The email campaign began on March 11, 2018.
Subject: CLIFTON Service Co., Ltd
Dear <email>,
CLIFTON Service Co., Ltd sent you this email message with the following file attachments:
- Purchase-order QWP0YI3A1742013.zip (647.3 KB)
Comment: Good Day
Please find our attached sample for your quotation and send acknowledgement by return asap.
we hope to build a long term business relationship with your
respective company therefore, your cooperation will
be much appreciated. Please do not hesitate to contact me if you need
any further information.
Best regards
CLIFTON Service Co., Ltd
P.O Box 9 Al-Khobar 31952, Saudi Arabia
Tel : 966 (13) 8570811 Ext. 102
Fax: 966 (13) 8570801 Ext. 107
Mob: 966 564669920
How it spreads:
The message has the subject line "CLIFTON Service Co., Ltd" and its body refers to an attached file named "Purchase-order QWP0YI3A1742013.zip".
The malicious attachment "Purchase-order QWP0YI3A1742013.zip" is a ZIP archive containing the executable file "Purchase-order QWP0YI3A1742013.exe".
Name: Purchase-order QWP0YI3A1742013.zip
Size: 662,803 bytes
MD5: EF1BCB570A3CEC4D2D37A6FEBC39BC33
Name: Purchase-order QWP0YI3A1742013.exe
Size: 1,072,128 bytes
MD5: 24CA0BFB55768F9B21C686470E95E9EE
Compilation date: 23/04/1992 18:34:16
Compiler: Delphi
If the file "Purchase-order QWP0YI3A1742013.exe" is run, the HawkEye keylogger makes itself persistent by copying a "c.vbs" file into the user's Startup folder (automatic execution at logon):
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c.vbs
The "c.vbs" file launches the HawkEye keylogger at every startup (VBScript is case-insensitive, so the mixed-case identifiers below run normally):
Set oAcstNwtJCqIhu = CreaTeobJeCt("WScript.ShEll")
OacsTNWTJCqihU.run """C:\<path>\Purchase-order QWP0YI3A1742013.exe"""
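As an added defensive example (not part of the original report), the script below scans a Startup folder for the persistence pattern described above: a .vbs file that creates WScript.Shell and calls .run on an .exe, matched case-insensitively because VBScript ignores case, plus a check of every file's MD5 against the two hashes published in the report. The Startup folder contents, the launch path and the harmless second script are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# MD5 hashes published in the report for the ZIP attachment and the dropped executable.
HAWKEYE_MD5 = {
    "ef1bcb570a3cec4d2d37a6febc39bc33",  # Purchase-order QWP0YI3A1742013.zip
    "24ca0bfb55768f9b21c686470e95e9ee",  # Purchase-order QWP0YI3A1742013.exe
}

# c.vbs randomises letter case (CreaTeobJeCt, WScript.ShEll, the variable name); VBScript
# runs it anyway, so match with IGNORECASE and require the same variable to call .run.
VBS_LAUNCHER_RE = re.compile(
    r'set\s+(?P<var>\w+)\s*=\s*createobject\s*\(\s*"wscript\.shell"\s*\)'
    r'.*?(?P=var)\.run\s+"+(?P<target>[^"]+)"+',
    re.IGNORECASE | re.DOTALL,
)

# Constructed copy of the report's c.vbs; the launch path is a made-up example value.
SAMPLE_C_VBS = (
    'Set oAcstNwtJCqIhu = CreaTeobJeCt("WScript.ShEll")\r\n'
    'OacsTNWTJCqihU.run """C:\\Users\\victim\\Purchase-order QWP0YI3A1742013.exe"""\r\n'
)

def scan_startup_folder(startup_dir):
    """Return (file name, reason) for known-bad hashes and .vbs launchers of an .exe."""
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        digest = hashlib.md5(data).hexdigest()
        if digest in HAWKEYE_MD5:
            findings.append((name, "known HawkEye MD5 " + digest))
        if name.lower().endswith(".vbs"):
            m = VBS_LAUNCHER_RE.search(data.decode("latin-1"))
            if m and m.group("target").lower().endswith(".exe"):
                findings.append((name, "WScript.Shell launcher for " + m.group("target")))
    return findings

def demo():
    """Build a throwaway Startup folder holding c.vbs beside a harmless script, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "c.vbs"), "w", newline="") as fh:
            fh.write(SAMPLE_C_VBS)
        with open(os.path.join(d, "greeting.vbs"), "w", newline="") as fh:
            fh.write('MsgBox "hello"\r\n')
        return scan_startup_folder(d)
```

On a real system, point scan_startup_folder at the per-user Startup path quoted above (and the all-users one under ProgramData) rather than the temporary folder built by demo.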
The HawkEye keylogger can exfiltrate data such as passwords stored in the browser, information saved in the clipboard, every key pressed, and capture screenshots of the infected machine.
The information collected by the HawkEye keylogger (Trojan.Win32.HawkEye.AA) is sent to the email address: sadm1nsup@yandex.com
Logs are sent with these subjects:
- HawkEye Keylogger - Reborn v8 - Password Logs - [pc name]
- HawkEye Keylogger - Reborn v8 - PCInfo Logs - [pc name]
- HawkEye Keylogger - Reborn v8 - Keyboard Logs - [pc name]
- HawkEye Keylogger - Reborn v8 - Clipboard Logs - [pc name]
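Because the stolen data leaves the network as ordinary email, the four subject lines above and the exfiltration mailbox are usable detection content on an outbound mail gateway. The following detector is an added example, not part of the report: it parses constructed gateway log lines (the key=value format is made up for the demonstration), raises an alert on a matching subject or on the recipient indicator, extracts the victim PC name from the subject, and treats the relay host only as supporting evidence, since smtp.yandex.com alone is also used legitimately.

```python
import re

# Indicators published in the report: the exfiltration mailbox and the SMTP relay it uses.
HAWKEYE_EXFIL_EMAIL = "sadm1nsup@yandex.com"
HAWKEYE_SMTP_RELAY = "smtp.yandex.com"

# Subjects HawkEye puts on outgoing log mails; the trailing field is the victim's PC name.
SUBJECT_RE = re.compile(
    r"HawkEye Keylogger - Reborn v8 - (?P<kind>Password|PCInfo|Keyboard|Clipboard) Logs - (?P<pc>.+)"
)

# Minimal parser for the constructed gateway format used in SAMPLE_LOG.
LINE_RE = re.compile(r'to=<(?P<to>[^>]+)> relay=(?P<relay>\S+) subject="(?P<subject>[^"]*)"')

# Constructed mail-gateway lines (not real telemetry): two exfil mails around a normal one.
SAMPLE_LOG = """\
2018-03-11T10:02:17Z from=<ws-0421@corp.example> to=<sadm1nsup@yandex.com> relay=smtp.yandex.com subject="HawkEye Keylogger - Reborn v8 - Password Logs - WS-0421"
2018-03-11T10:02:40Z from=<alice@corp.example> to=<bob@partner.example> relay=mail.partner.example subject="Re: quotation"
2018-03-11T10:15:03Z from=<ws-0421@corp.example> to=<sadm1nsup@yandex.com> relay=smtp.yandex.com subject="HawkEye Keylogger - Reborn v8 - Keyboard Logs - WS-0421"
"""

def detect_hawkeye_exfil(log_text):
    """Return one alert dict per outbound message matching HawkEye's exfiltration pattern."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = SUBJECT_RE.search(m.group("subject"))
        reasons = []
        if s:
            reasons.append("subject:" + s.group("kind"))
        if m.group("to").lower() == HAWKEYE_EXFIL_EMAIL:
            reasons.append("recipient-ioc")
        if not reasons:  # relay alone is too weak to alert on
            continue
        if m.group("relay").lower() == HAWKEYE_SMTP_RELAY:
            reasons.append("relay-ioc")
        alerts.append({"pc": s.group("pc") if s else None, "to": m.group("to"), "reasons": reasons})
    return alerts
```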
Note:
The malware analysed belongs to the HawkEye family. It is a commercially sold version, and its distinguishing purpose is to steal login credentials for important sites such as home banking, email, FTP, etc.
IOC:
File MD5:
EF1BCB570A3CEC4D2D37A6FEBC39BC33
24CA0BFB55768F9B21C686470E95E9EE
Email:
sadm1nsup@yandex.com
SMTP servers contacted:
smtp.yandex.com
How to identify a fake email
Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-format attachments and, if possible, DO NOT enable automatic macro execution. Enabling automatic macro execution is strongly discouraged because simply opening a Word or Excel file would then run its macros immediately, without any prior warning.
If you have been infected by a Banker, TG Soft's C.R.A.M. advises taking appropriate security precautions even after the remediation of the system(s) involved, such as changing the passwords most commonly used on the Web. If the affected workstation is used for home-banking transactions, a check with your bank is also recommended.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts
Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
- Any suspect email can be sent directly from the recipient's email client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and writing "Possible phishing page to verify" or "Possible Malware to verify" in the subject line;
- Save the email to be sent to TG Soft's C.R.A.M. for analysis as a file external to the email program in use. The resulting file must then be submitted by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted material, you must indicate an email address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware; or other).
We give you these suggestions to help you avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- Interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
- It identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Centro Ricerche Anti-Malware di TG Soft for further analysis to update Vir.IT eXplorer PRO;
- Through Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves for automatic execution and to send the reported files to TG Soft's C.R.A.M.;
- Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
For Vir.IT eXplorer PRO users...
For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support free of charge. The details can be found on the support page CLIENTS.
C.R.A.M.
TG Soft's Anti-Malware Research Center