Malware News HawkEye Keylogger Users Employ Hacked Emails Accounts to Receive Stolen Data

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Crooks using the HawkEye keylogger are employing hacked email accounts to reroute data stolen from infected systems to the attacker's email address.

Security researchers from Trustwave have discovered a spam email campaign delivering malicious RTF documents masquerading as Word files.

HawkEye keylogger campaign leverages 2 RTF exploits
These files used the CVE-2010-3333 Office exploit, sometimes CVE-2012-0158, to infect recipients with the HawkEye keylogger, a malicious application sold on the public Internet.

HawkEye is a dangerous threat, coming with lots of features that allow crooks to collect email, browser, and FTP settings and passwords.

This keylogger enables people to buy a copy, infect users, collect their data and then receive it in the form of an email, FTP data transfer, or upload to a PHP website.

Trustwave researchers said that, after they reverse-engineered a copy of the HawkEye keylogger, they discovered in one of its configuration files the email address and password for the account to where the keylogger was sending all the stolen data.

Odd choice to use actual email accounts instead of dummy inboxes
Using these credentials, the security researchers logged into the email account, and to their surprise, this wasn't just a dummy account but belonged to a real person.

"Perhaps the attacker knows that the HawkEye keylogger can be easily cracked, and to protect their own email credentials, they've hijacked a compromised email account as the initial receiver that eventually forward emails to the attacker's own email address," Trustwave's Rodel Mendrez says.

The hijacked account included a rule that was rerouting all messages received from a specific victim's email address to the attacker's own inbox.

By not leaving his own account password in the keylogger settings, the author was avoiding having his operations taken over by security researchers.

It is odd that he would use a hijacked email account instead of a dummy inbox, which would have reduced the chance of being discovered even more.
Click to expand...
 
  • Like
Reactions: Jrs30, silversurfer, Der.Reisende and 1 other person
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Hackers email stolen student data to parents of Nevada school district
Replies
1
Views
785
News Archive
ForgottenSeer 103564
F
CyberTech
    • Like
    • Wow
    • Sad
81K people's sensitive info feared stolen from Hilb after email inboxes ransacked
Replies
0
Views
805
News Archive
CyberTech
CyberTech
Gandalf_The_Grey
    • Wow
    • +Reputation
Crypto Opinions & News Netgear, Hyundai latest X accounts hacked to push crypto drainers
Replies
1
Views
288
Crypto News
SeriousHoax
SeriousHoax

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top