A new data-stealing malware dubbed HawkEye is now being increasingly used by hackers in multiple new phishing campaigns. Security experts said that the distribution of the malware increased after it was put on sale on a "public-facing website."
The most recent HawkEye campaign saw hackers sending out phishing emails designed to trick users into opening the malicious attachment, which the hackers customised to ensure that victims believed it was related to a recent invoice or transaction. The malware is also designed to steal passwords stored in email clients and web browsers.
"HawkEye is a versatile Trojan used by diverse actors for multiple purposes. The malware has been sold through a public-facing website, which has allowed many different operators to use it," FireEye researchers said.
HawkEye also comes with keylogging and screenshot capture features. The malware sends data such as the server name, operating system, installed language and more to its command-and-control (C&C) server. Alarmingly, HawkEye is also capable of spreading via USB drives and can steal Bitcoin wallets as well.
According to FireEye researchers, in this particular campaign, the HawkEye malware contains encrypted resource sections that allowed the attackers to steal more data. However, the hackers behind this campaign don't appear to be specifically targeting any businesses or a particular region.
"As is often the case with commercial Trojans, HawkEye offers a variety of functions for stealing stored data, grabbing form data, self-spreading, and performing other functions," FireEye researchers said. "Consequently, HawkEye may facilitate a number of different exploitative operations in compromised environments, and can be used by actors with a wide range of motivations."
"Some notable threat operations where we have previously reported HawkEye use include business email compromise campaigns, phishing against Middle Eastern organizations, and prolific spam operations," FireEye researchers added. "The threat landscape is continuously evolving, and we expect to see more new tricks and tactics being used by the actors using this malware family."