Backdoor.Hawkball.A
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: 60% (Medium)
Infected Computers: 1
First Seen: June 16, 2019
Last Seen: June 16, 2019
OS(es) Affected: Windows
Backdoor.Hawkball.A is a backdoor: malware that gives an attacker remote access to a compromised system while bypassing its normal authentication. Once installed, it can be used to collect passwords, erase data from the hard drive and upload stolen information to remote servers under the attacker's control.
The backdoor was identified under the name Hawkball and appears to have been aimed at Russian-speaking targets, specifically government personnel in Central Asia.
The infection chain starts with a malicious document delivered to the victim; once the backdoor is running, it begins collecting information about the compromised computer. The lure document was made to look as if it came from a counter-terrorism body covering the former Eastern Bloc republics. Its title translates as 'Collection of the guiding composition of anti-terrorist security units and special services of the CIS (Commonwealth of Independent States)'.
Opening the malicious file triggers the chain of actions that delivers the infection. It does so by exploiting two Microsoft Office vulnerabilities that Microsoft has already patched, both memory-corruption bugs in the legacy Equation Editor component (EQNEDT32.EXE): CVE-2017-11882, which affects Office 2007 Service Pack 3, Office 2010 Service Pack 2, Office 2013 Service Pack 1 and Office 2016, and CVE-2018-0802, which affects the Equation Editor shipped with the same Office 2007, 2010, 2013 and 2016 releases. Microsoft fixed CVE-2017-11882 in November 2017 and CVE-2018-0802 in January 2018, so a fully updated Office installation is not exploitable by this document.
Backdoor.Hawkball.A communicates with a command and control server over HTTP and sends information collected from the victim's computer, such as its IP address, OS version, OEM code page, username, processor architecture and computer name. It may also include checks intended to detect whether it is being scanned or analysed.
The decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that invokes Equation Editor and drops its embedded shellcode into the %TEMP% directory under the name 8.t. The shellcode is decrypted in memory by EQNEDT32.EXE, the Equation Editor process.
The decrypted shellcode then drops the payload (MD5: D90E45FBF11B5BBDCA945B24D155A4B2) as a WLL file, a Microsoft Word add-in, into C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP, so that Word loads it automatically each time it starts.
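As an added triage example (not code from this page, from EnigmaSoft, or from the Hawkball sample), the following Python flags RTF files that embed an Equation Editor OLE object, the vector for CVE-2017-11882 and CVE-2018-0802, and lists .wll add-ins present in a Word STARTUP folder, the persistence location described above. The RTF fragment is constructed for the example, and the regular expressions and the add-in listing are one way such a check can be written, not anything taken from the real doc.rtf. It deliberately handles the common case where the dropper omits the \objclass control word and the class name exists only inside the hex-encoded \objdata stream.

```python
import os
import re
from typing import Dict, List

# Constructed RTF fragment (not the real doc.rtf): one embedded OLE object whose
# class name appears only inside the hex-encoded \objdata stream, with no
# \objclass control word, as exploit documents often do. The hex run
# 4571756174696f6e2e33 spells "Equation.3".
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objw400\objh200"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 "
    rb"00000000 00000000 10000000 d0cf11e0a1b11ae1 }}"
    rb"\par decoy text}"
)

EQ_CLASS_RE = re.compile(rb"Equation\.[0-9]+", re.IGNORECASE)
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def equation_objects(rtf: bytes) -> List[Dict[str, object]]:
    """Return one record per OLE object that names an Equation Editor class.

    Both the declared objclass and the decoded objdata payload are checked,
    because droppers frequently omit objclass and rely on the class name
    carried inside the OLE1 stream.
    """
    found: List[Dict[str, object]] = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue  # odd-length or non-hex run: not a stream we can decode
        cls = EQ_CLASS_RE.search(blob)
        if cls:
            found.append({"offset": m.start(), "class": cls.group(0).decode(), "source": "objdata"})
    for m in OBJCLASS_RE.finditer(rtf):
        name = m.group(1).strip()
        if EQ_CLASS_RE.search(name):
            found.append({"offset": m.start(), "class": name.decode(), "source": "objclass"})
    return found


def is_word_addin(filename: str) -> bool:
    """Word auto-loads *.wll from its STARTUP folder; a .wll is a renamed DLL,
    which is what Hawkball drops there."""
    return filename.lower().endswith(".wll")


def list_word_addins(startup_dir: str) -> List[str]:
    """Names of .wll add-ins in a Word STARTUP folder (empty if it is absent)."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(e.name for e in os.scandir(startup_dir) if e.is_file() and is_word_addin(e.name))


if __name__ == "__main__":
    for rec in equation_objects(SAMPLE_RTF):
        print(f"Equation Editor object at offset {rec['offset']}: {rec['class']} ({rec['source']})")
    # Per-user Word STARTUP path from the page; %APPDATA% only resolves on Windows.
    startup = os.path.expandvars(r"%APPDATA%\Microsoft\Word\STARTUP")
    print("Word add-ins:", list_word_addins(startup) or "none")
```

Any .wll reported for a user who never installed a Word add-in deserves a hash lookup, and an Equation Editor object in an inbound RTF is reason enough to detonate the file in a sandbox rather than open it.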
Looking at the Technical Details
DllMain of the payload checks whether the string WORD.EXE appears in the command line of the process that loaded it (a Word add-in is loaded by WINWORD.EXE, whose name contains that substring). Only when the string is present does it execute RunDll32.exe C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP\hh14980443.wll,DllEntry through the WinExec() function; if the string is absent, the command is not run.
DllEntry is the only exported function of the payload. It creates a log file named c3E57B.tmp in the %TEMP% folder and writes the current local time together with two hardcoded values, in the following format:
The log file is written every 15 seconds; the last two digits are hardcoded values passed as parameters to the logging function. The payload also carries a 0x78-byte encrypted configuration block, which it decrypts by XORing each byte with 0xD9. The decrypted data holds the command and control information and the mutex string used when the malware starts.
The log file %TEMP%\c3E57B.tmp also records the command and control IP address taken from the decrypted configuration, alongside the local time.
Creating the Mutex
The malware creates a mutex to prevent more than one instance of itself from running. Before naming the mutex, it determines whether it is running under the SYSTEM profile: it resolves the %APPDATA% environment variable and checks whether the resulting path contains the string config\systemprofile (the profile of the LocalSystem account lives under %SystemRoot%\System32\config\systemprofile).
If the malware is running as the system profile, the string d0c taken from the decrypted configuration is used as the mutex name unchanged. Otherwise the string _cu is appended, giving the mutex name d0c_cu. Once the mutex has been created, the malware writes another entry to the log file in %TEMP%, this time using the hardcoded values 32 and 0.
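As an added example that serves both the configuration decryption described above and the mutex naming rule just given (not code from this page or from the Hawkball sample), the following Python decrypts a 0x78-byte configuration block with a single-byte XOR of 0xD9, locates such a block inside a dumped buffer by checking that a candidate window decrypts to readable text, and derives the mutex name from %APPDATA%. Only the block size, the key, the config\systemprofile marker and the d0c/_cu naming come from the page; the field layout, the C2 host and port, the NUL padding around the block and the case-insensitive substring match are assumptions made for the example.

```python
from typing import Dict, Optional

CONFIG_SIZE = 0x78                           # page: encrypted config is 0x78 bytes
XOR_KEY = 0xD9                               # page: single-byte XOR key
SYSPROFILE_MARKER = r"config\systemprofile"  # page: substring looked for in %APPDATA%


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR: symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_config(c2_host: str, c2_port: int, mutex: str) -> bytes:
    """Assumed plaintext layout (the page does not give Hawkball's real one):
    64-byte host, 6-byte ASCII port, 50-byte mutex, all NUL padded = 0x78 bytes."""
    host = c2_host.encode("ascii")[:64].ljust(64, b"\x00")
    port = str(c2_port).encode("ascii")[:6].ljust(6, b"\x00")
    mtx = mutex.encode("ascii")[:50].ljust(50, b"\x00")
    blob = host + port + mtx
    assert len(blob) == CONFIG_SIZE
    return blob


def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_config(encrypted: bytes) -> Dict[str, object]:
    """Decrypt a 0x78-byte block with XOR 0xD9 and split out the assumed fields."""
    if len(encrypted) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE:#x} bytes, got {len(encrypted):#x}")
    plain = xor_bytes(encrypted)
    return {
        "c2_host": _cstr(plain[:64]),
        "c2_port": int(_cstr(plain[64:70]) or 0),
        "mutex": _cstr(plain[70:]),
    }


def find_config(buffer: bytes) -> Optional[int]:
    """Slide a CONFIG_SIZE window over a dumped section and return the first offset
    whose XOR-decrypted bytes are all printable ASCII or NUL and begin with text.
    Heuristic only: a fixed key means the right offset decrypts to readable strings."""
    for off in range(len(buffer) - CONFIG_SIZE + 1):
        plain = xor_bytes(buffer[off:off + CONFIG_SIZE])
        if plain[0] != 0 and all(b == 0 or 0x20 <= b < 0x7F for b in plain):
            return off
    return None


def mutex_name(config_mutex: str, appdata: str) -> str:
    """Page's rule: under the SYSTEM profile (%APPDATA% contains config\\systemprofile)
    the config string is used as-is; otherwise "_cu" is appended."""
    if SYSPROFILE_MARKER.lower() in appdata.lower():
        return config_mutex
    return config_mutex + "_cu"


# Constructed sample: the encrypted config sitting between NUL padding, as it
# might inside a dumped data section. 192.0.2.10 is a documentation-only address.
SAMPLE_ENCRYPTED = xor_bytes(build_config("192.0.2.10", 8080, "d0c"))
SAMPLE_SECTION = b"\x00" * 16 + SAMPLE_ENCRYPTED + b"\x00" * 8


if __name__ == "__main__":
    off = find_config(SAMPLE_SECTION)
    cfg = parse_config(SAMPLE_SECTION[off:off + CONFIG_SIZE])
    print(f"config at {off:#x}: {cfg}")
    for appdata in (r"C:\Windows\system32\config\systemprofile\AppData\Roaming",
                    r"C:\Users\analyst\AppData\Roaming"):
        print(appdata, "->", mutex_name(cfg["mutex"], appdata))
```

The printable-text heuristic in find_config is what an analyst reaches for when the key is known but the offset is not; it is a starting point for locating the block in a memory dump, and the real field layout still has to be read out of the sample's config-parsing code.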