HawkEye Reborn: Password Stealer and Keylogger threat

Cisco’s Talos security team has observed ongoing malware distribution campaigns that use a new version of a keylogger and password stealer “HawkEye Reborn v9.”

The HawkEye malware kit is popular in various hacking forums and the greyware market and has undergone an ownership change, according to a new Talos threat report.

The Talos team noted that Cybercriminals are using HawkEye Reborn v9 to target organizations and steal account credentials and other sensitive information, similar to other malware Remcos and Agent Tesla used by cybercriminal gangs last year.

HawkEye-based campaigns will often use the stolen credentials to launch additional attacks and account compromises against organizations.

Talos points out the increased threat and emergence of the commercialization of keyloggers/password stealers and remote access trogans (RATs) has reduced barriers to entry for hackers. By using such tools that are fully available in the cyber criminal underground, attackers no longer need to have deep programming skills or computer experience.

Organizations can leverage additional controls to mitigate HawkEye and similar malware threats include, but not limited to:

  • Advanced endpoint anti-malware agents.
  • User web proxies or web gateways (to help prevent access to and download of malware from malicious websites; blocking of malicious URLs/IPs/domains).
  • Email security gateways (to block malicious emails sent by malicious cyber campaigns).
  • Next-generation firewalls and intrusion prevention systems (IPS).

“Organizations should be aware of this and similar threats and deploy countermeasures such as Multi-Factor Authentication (MFA) solutions such as Duo, to help reduce the impact of credential theft within their environments,” Talos added.