Backdoor.Hawkball.A


By CagedTech in Backdoors

Threat Scorecard

Threat Level: 60 % (Medium)
Infected Computers: 1
First Seen: June 16, 2019
Last Seen: June 16, 2019
OS(es) Affected: Windows

Backdoor.Hawkball.A is a method used to bypass the encryption or authentication of computer systems and products. This backdoor can be used to access passwords, erase data on hard drives, and transfer information to a cloud.

The backdoor was found under the name Hawkball and appears to target Russian-speaking countries and government members located in Central Asia.

The backdoor works by importing malware into an infected system and then collecting information on the victimized computer. To deliver the backdoor, a malicious file was used that appeared to come from a counter-terrorism organization focused on former Eastern Bloc republics. The document's title translates to 'Collection of the guiding composition of anti-terrorist security units and special services of the CIS (Commonwealth of Independent States)'.

Opening the malicious file triggers a chain of actions that carries the infection forward. This happens through two Microsoft Office vulnerabilities that were previously patched: CVE-2017-11882 (found in MS Office 2007 Service Pack 3, MS Office 2010 Service Pack 2, MS Office 2013 Service Pack 1 and MS Office 2016) and CVE-2018-0802 (found in the Equation Editor of MS Office 2007, 2010, 2013 and 2016).

Backdoor.Hawkball.A communicates with a command and control server over HTTP, exfiltrating information from the victim's computer such as the IP address, OS version, OEM code page, username, architecture details and computer name. It may also run checks to detect whether it is being scanned.

The decoy file in question, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that uses Equation Editor to drop its embedded shellcode into the %TEMP% directory under the name 8.t. The shellcode is decrypted in memory by EQNEDT32.EXE.

The decrypted shellcode then drops a WLL file (MD5: D90E45FBF11B5BBDCA945B24D155A4B2), a Microsoft Word add-in, into C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP.
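Because Word loads any WLL add-in placed in its STARTUP folder, that folder is a useful place to check during triage. The following Python script is an added example (not part of this threat entry, and not code from the malware or any vendor): it walks a user profile's Word STARTUP directory, hashes every file there, flags add-in extensions, and compares each MD5 against the WLL hash given above. The fake profile it builds in a temporary directory and the dummy add-in inside it are constructed fixtures so the script runs offline; the extension list and the `demo_scan` helper are this example's own choices.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 of the dropped WLL as given in the entry above (lower-cased for comparison).
KNOWN_BAD_MD5 = {
    "d90e45fbf11b5bbdca945b24d155a4b2": "Backdoor.Hawkball.A WLL payload",
}

# Word STARTUP folder relative to a user profile root, matching the
# drop location named above (AppData\Roaming\Microsoft\Word\STARTUP).
WORD_STARTUP_REL = Path("AppData") / "Roaming" / "Microsoft" / "Word" / "STARTUP"

# File types Word auto-loads from STARTUP (assumed list for this example).
ADDIN_SUFFIXES = {".wll", ".dotm", ".dot"}


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large add-ins do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_word_startup(profile_root: Path) -> list:
    """Return one finding per file in the STARTUP folder of the given profile.

    The folder is usually empty on a clean machine, so every entry deserves a
    look; a hash match against KNOWN_BAD_MD5 is reported explicitly.
    """
    startup = profile_root / WORD_STARTUP_REL
    findings = []
    if not startup.is_dir():
        return findings
    for entry in sorted(startup.iterdir()):
        if not entry.is_file():
            continue
        digest = md5_of(entry)
        findings.append({
            "path": str(entry),
            "md5": digest,
            "is_addin": entry.suffix.lower() in ADDIN_SUFFIXES,
            "known_bad": KNOWN_BAD_MD5.get(digest),  # None when not an IoC match
        })
    return findings


def build_demo_profile(root: Path) -> Path:
    """Constructed fixture: a fake profile holding a dummy .wll (not a real PE)."""
    startup = root / WORD_STARTUP_REL
    startup.mkdir(parents=True, exist_ok=True)
    (startup / "hh14980443.wll").write_bytes(b"MZ" + b"\x00" * 62)
    return root


def demo_scan() -> list:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_word_startup(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

On a real host, call `scan_word_startup(Path(r"C:\Users\<name>"))` for each profile; the `known_bad` field is only a shortcut, since a recompiled payload would not match the hash while still showing up as an unexpected add-in.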

Looking at the Technical Details

DllMain of the payload checks whether the string WORD.EXE is present in the sample's command line. If the string is absent, the malware does not run the command RunDll32.exe < C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP\hh14980443.wll, DllEntry> via the WinExec() function.

DllEntry is the only exported function of the payload. The malware creates a log file named c3E57B.tmp in the %TEMP% folder and writes the current local time together with two hardcoded values, in the following format:

/ ::\t\t\n

The log file is written every 15 seconds; the last two digits are hardcoded and passed as parameters to the logging function. The payload carries a 0x78-byte encrypted config, which is decrypted with a single-byte XOR using 0xD9. The decrypted data contains the command and control information and the mutex string used when the malware starts up.

The IP address from the decrypted config is also written to %TEMP%/3E557B.tmp together with the local time.

Creating the Mutex

The malware creates a mutex to prevent multiple instances of itself from running. Before naming the mutex, it determines whether it is running under the system profile: it resolves the %APPDATA% environment variable and checks whether the result contains the string config/systemprofile.
If the malware is running under the system profile, the string d0c from the decrypted config is used as the mutex name. Otherwise the string _cu is appended to d0c, so the mutex is named d0c_cu. Once the mutex is created, the malware writes another entry to the log file in %TEMP%, using the values 32 and 0.
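The two behaviours above, the XOR-0xD9 decryption of the 0x78-byte config and the d0c / d0c_cu mutex naming, are easy to reproduce in an analysis script so that a triage tool can recover the C2 details and predict which mutex to look for on a given host. The following Python is an added example for this entry, not code from the malware or a vendor: the key 0xD9, the 0x78 size, the config/systemprofile check and the d0c / _cu naming come from the text above, while the config layout (three NUL-terminated strings: C2 host, C2 port, mutex base, zero-padded to 0x78 bytes) and the sample plaintext are this example's own assumptions, since the entry does not document the field order.

```python
XOR_KEY = 0xD9      # single-byte XOR key named in the entry
CONFIG_LEN = 0x78   # config size named in the entry

# Constructed sample config. The field layout (NUL-separated strings in the
# order C2 host, C2 port, mutex base) is an ASSUMPTION for this example; the
# entry only states that the config holds C2 information and the mutex string.
_SAMPLE_PLAINTEXT = (b"203.0.113.10\x00" + b"443\x00" + b"d0c\x00").ljust(CONFIG_LEN, b"\x00")
SAMPLE_ENCRYPTED_CONFIG = bytes(b ^ XOR_KEY for b in _SAMPLE_PLAINTEXT)


def xor_decrypt(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to the embedded config."""
    if len(blob) != CONFIG_LEN:
        raise ValueError(f"expected {CONFIG_LEN:#x} bytes, got {len(blob):#x}")
    return bytes(b ^ key for b in blob)


def parse_config(plain: bytes) -> dict:
    """Split the decrypted blob into the three fields this example assumes."""
    fields = [f.decode("ascii", "replace") for f in plain.split(b"\x00") if f]
    if len(fields) < 3:
        raise ValueError("config does not contain the three expected strings")
    host, port, mutex_base = fields[:3]
    return {"c2_host": host, "c2_port": int(port), "mutex_base": mutex_base}


def running_as_system_profile(appdata: str) -> bool:
    """Mirror the check in the entry: the resolved %APPDATA% path contains
    'config/systemprofile'. Both separators are accepted here (an assumption),
    since a real Windows path uses backslashes."""
    return "config/systemprofile" in appdata.replace("\\", "/").lower()


def mutex_name(mutex_base: str, appdata: str) -> str:
    """System profile -> bare base string (d0c); otherwise '_cu' is appended."""
    return mutex_base if running_as_system_profile(appdata) else mutex_base + "_cu"


def analyze(blob: bytes, appdata: str) -> dict:
    """Decrypt and parse a config, then add the mutex expected on this host."""
    cfg = parse_config(xor_decrypt(blob))
    cfg["mutex"] = mutex_name(cfg["mutex_base"], appdata)
    return cfg


if __name__ == "__main__":
    for appdata in (r"C:\Users\analyst\AppData\Roaming",
                    r"C:\Windows\System32\config\systemprofile\AppData\Roaming"):
        print(appdata, "->", analyze(SAMPLE_ENCRYPTED_CONFIG, appdata))
```

For a real sample, replace `SAMPLE_ENCRYPTED_CONFIG` with the 0x78 bytes carved from the payload and adjust `parse_config` once the true field order has been confirmed in a disassembler; the mutex prediction is useful for a hunting rule because a service running under the system profile will hold a differently named mutex from one running in an interactive session.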
