EYE Malware

By GoldSparrow in Malware

Translate To:

The EYE Malware is a post-exploitation tool that has been observed as part of the arsenal of a hacker group that targets transportation and shipping companies from Kuwait specifically. In the instances where the EYE Malware was detected, it was deployed after the targeted systems had already been compromised by another malware belonging to a group of hackers called Hisoka.

The EYE Malware's role in the attack chains was to clean up the traces left by the threatening activities of the threat actors. In short, it is a failsafe device tasked with scrapping any identifying artifacts left by unauthorized Remote Desktop Protocol (RDP) connections, as well as terminating any process created by the attackers.

Open execution, the EYE Malware begins to scan for any inbound login attempts either locally or by remote RDP sessions. It also lists all processes created after the EYE Malware has been initiated. When it detects a connection, the EYE Malware writes the unique string 'we be wait for you boss !!!' to the console before proceeding to activate its clean-up routines. First, the threat will terminate all applications and tools opened by hackers. It then moves on to remove all recent document files by jump list usage through the command:

Del /F /Q %APPDATA%\\Microsoft\\Windows\\Recent\\* & Del /F /Q %APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\* & Del /F /Q %APPDATA%\\Microsoft\\Windows\\Recent\\CustomDestinations\\*

The EYE Malware also scrapes certain values from specific registry keys and the 'Default.rdp' file to remove any potential signs about the threat actor's activities on the compromised machine. The Registries targeted by the malware are:

Software\\Microsoft\\Terminal Server Client\\Default
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TYPEDPATHS
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU

Finally, as the last step of its programming, the EYE Malware will attempt to remove itself from the targeted system by executing the command taskkill /f /im < EYE's executable filename> & choice /C Y /N /D Y /T 3 & Del' <path to EYE's executable>.'

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

EYE Malware

Submit Comment

Related Posts

ThirdEye Stealer

Pureyeppen.live

Goldforeyesh.com

Eyesickwet.live

Fackeyess.com

Subscribeyess1.click

Trending

'YouPorn' Email Scam

Safe Search Eng

Findtheirreport.com

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen