By Aaron Riley
In a new twist, a phishing campaign is delivering the advanced Hawkeye Keylogger malware to act as a first stage loader for a cryptocurrency miner. Hawkeye Keylogger – Reborn V9 arrived as the attachment of a job-application-themed phishing email. Once executed, Hawkeye downloaded and ran a sample of the open-source software CGMiner. The CGMiner sample was an older version and was configured for the cryptocurrency Litecoin. This is the first instance in which Cofense Intelligence™ has analyzed a keylogger being used merely as a first stage loader to deploy a crypto-miner.
The job application theme used in this phishing campaign was generic and did not target a specific business department or job opening. As seen in Figure 1, the email is short and plain; however, the email source showed a configuration that can be used for alerting. The email’s character set was declared as “Windows-1251,” a code page used to support Cyrillic languages. Depending on an organization’s legitimate business use of Cyrillic languages, this character set can serve as an alerting condition within the email security stack. The email carried a .zip archive attachment that delivered a sample of Hawkeye Keylogger – Reborn V9.
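The two mail-gateway signals described above (a declared Windows-1251 character set and a ZIP attachment carrying an executable) can be checked with a small triage routine. The following is an added example written for this post, not Cofense’s tooling; the message it builds, the attachment name and the archive contents are constructed placeholders, not the files from the analyzed campaign.

```python
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Character sets worth alerting on where legitimate Cyrillic mail is rare.
SUSPECT_CHARSETS = {"windows-1251"}
ARCHIVE_EXTENSIONS = {".zip"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def build_sample_email(charset: str = "windows-1251", attach_zip: bool = True) -> bytes:
    """Build a constructed message resembling the lure: short body, ZIP with an .exe inside."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"      # constructed sender
    msg["To"] = "hr@example.invalid"               # constructed recipient
    msg["Subject"] = "Job application"
    msg.set_content("Please find my CV attached.", charset=charset)
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # Placeholder file name and content; not a real binary.
            zf.writestr("placeholder_resume.exe", b"MZ placeholder, not a real program")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="placeholder_resume.zip")
    return msg.as_bytes()


def archive_executables(data: bytes) -> list[str]:
    """Return member names inside a ZIP whose extension is executable; flag unreadable archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if Path(n).suffix.lower() in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable-archive>"]


def triage(raw: bytes) -> list[str]:
    """Walk every MIME part and collect alert strings for the two signals."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    alerts: list[str] = []
    for part in msg.walk():
        charset = (part.get_content_charset() or "").lower()
        if charset in SUSPECT_CHARSETS:
            alerts.append(f"charset:{charset}")
        filename = part.get_filename()
        if not filename:
            continue
        if Path(filename).suffix.lower() in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            for member in archive_executables(payload):
                alerts.append(f"archive-executable:{filename}:{member}")
    return alerts


if __name__ == "__main__":
    for alert in triage(build_sample_email()):
        print(alert)
```

The charset check inspects every text part rather than only the top-level headers, because a multipart message declares the character set on the body part, not on the outer container. Archive inspection stops at one level; nested archives or password-protected ZIPs would need additional handling in a production gateway.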
Figure 1: Compromised email address delivering malicious ZIP attachment under guise of a CV
Hawkeye Keylogger is subscription-based and has been sold on forums since 2013. It has gone through many version updates and has even changed development ownership in the past. This advanced keylogger can be used to monitor systems, gather sensitive information from the machine, and exfiltrate the information to the Command and Control (C2) structure in multiple ways. The developer’s advertisement does not tout it as a first stage downloader. The threat operator behind this campaign utilized the file installation feature—typically used for setting persistence on the infected machine—to download and execute the sample of CGMiner. After the download and execution of the secondary payload, Hawkeye Keylogger stalled in its processes and did not attempt any further action.
CGMiner is an open-source cryptocurrency miner that can be executed across all operating systems. Older CGMiner versions can be configured to mine several types of cryptocurrency and are designed to work with most AMD graphics cards. This sample of CGMiner is version 3.5, an older version that still supports CPU/GPU mining. The miner sample uses the Stratum protocol over TCP port 3333 and is configured to mine Litecoin. Newer versions of CGMiner do not support CPU/GPU mining and only provide algorithms for the Bitcoin cryptocurrency. CGMiner can be easily spotted when analyzed in a sandbox environment. The same is true of the Stratum protocol, which can be used as an alert condition for network activity.
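Stratum is newline-delimited JSON-RPC, and the client’s first messages carry method names in the `mining.*` namespace, which makes the protocol far easier to recognise than the destination port alone. The following added example (not Cofense’s or the CGMiner project’s code) classifies captured flows by three signals: a match against the pool indicator from Table 1, Stratum method names in the payload, and a bare port 3333 connection. The flow records, the `cgminer/3.5.0` client string and the worker name are constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Port used by the analyzed sample; a weak signal on its own.
STRATUM_PORTS = {3333}


@dataclass
class Flow:
    """Minimal flow record: destination and the first client-to-server bytes."""
    dst_host: str
    dst_port: int
    payload: bytes


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as us[.]example into a matchable form."""
    return indicator.replace("[.]", ".")


def parse_stratum_ioc(indicator: str) -> tuple[str, int]:
    """Extract (host, port) from a stratum+tcp:// indicator, defanged or not."""
    parts = urlsplit(refang(indicator))
    if parts.hostname is None or parts.port is None:
        raise ValueError(f"not a host:port indicator: {indicator}")
    return parts.hostname, parts.port


def stratum_methods(payload: bytes) -> list[str]:
    """Return every JSON-RPC method in the mining.* namespace found in the payload."""
    methods: list[str] = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue                      # binary or non-JSON traffic
        method = obj.get("method") if isinstance(obj, dict) else None
        if isinstance(method, str) and method.startswith("mining."):
            methods.append(method)
    return methods


def classify(flow: Flow, blocked: set[tuple[str, int]]) -> list[str]:
    """Collect detection reasons for one flow, strongest first."""
    reasons: list[str] = []
    if (flow.dst_host, flow.dst_port) in blocked:
        reasons.append("ioc-match")
    for method in stratum_methods(flow.payload):
        reasons.append(f"stratum-method:{method}")
    if flow.dst_port in STRATUM_PORTS:
        reasons.append(f"port-{flow.dst_port}")
    return reasons


# Indicator from Table 1 of the post, kept defanged until matching time.
BLOCKED = {parse_stratum_ioc("stratum+tcp://us[.]litecoinpool[.]org:3333")}

# Constructed flows: a Stratum handshake, an HTTP request on 3333, and TLS on 443.
SAMPLE_FLOWS = [
    Flow("us.litecoinpool.org", 3333,
         b'{"id": 1, "method": "mining.subscribe", "params": ["cgminer/3.5.0"]}\n'
         b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n'),
    Flow("203.0.113.10", 3333, b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    Flow("198.51.100.5", 443, b"\x16\x03\x01\x02\x00"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.dst_host, flow.dst_port, classify(flow, BLOCKED) or ["benign"])
```

Payload-based matching is the signal to alert on; the port check is included only to show why it should be a low-severity enrichment rather than an alert by itself, since ordinary services can also listen on 3333.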
Cryptocurrency miners have been seen in phishing campaigns before, but rarely are they ever used as a second stage infection from an advanced keylogger. This version of CGMiner was deliberately selected for the CPU/GPU mining feature for Litecoin mining. The infection chain showed places where the email and network security stack should have acted. Setting these alerts, tuning the technology, and educating end users is the best way to avoid these phishing campaigns.
Table 1: Indicators of Compromise

| Indicator | Value | Hash |
|---|---|---|
| Hawkeye Keylogger within attachment | Redacted_RESUME_Sep.exe | a381ba89d294f120dd76a684bda24276 |
| Litecoin mining connection | stratum+tcp://us[.]litecoinpool[.]org:3333 | |
HOW COFENSE CAN HELP
Cofense PhishMe™ offers simulation templates to educate users on phishing tactics similar to those described in today’s blog.
- Job Application – Office Macro / Hermes Ransomware
- Job Inquiry – Cerber (Attachment)
- Response to Job Posting
- Resume Attached
- CV Attached – Petya
Every day, the Cofense Phishing Defense Center™ analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology. Learn more about the Cofense suite of products here.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.