EYE Malware Description
The EYE Malware is a post-exploitation tool that has been observed as part of the arsenal of a hacker group that specifically targets transportation and shipping companies in Kuwait. In the instances where the EYE Malware was detected, it was deployed after the targeted systems had already been compromised by another malware belonging to a group of hackers called Hisoka.
The EYE Malware's role in the attack chain is to clean up the traces left by the threat actors' activities. In short, it is a failsafe tasked with scrubbing any identifying artifacts left by unauthorized Remote Desktop Protocol (RDP) connections and terminating any processes created by the attackers.
Upon execution, the EYE Malware begins scanning for inbound login attempts, whether local or via remote RDP sessions. It also lists all processes created after the EYE Malware itself was started. When it detects a connection, the EYE Malware writes the unique string 'we be wait for you boss !!!' to the console before activating its clean-up routines. First, the threat terminates all applications and tools opened by the hackers. It then removes all recent-document and jump list entries with the command:
Del /F /Q %APPDATA%\Microsoft\Windows\Recent\* & Del /F /Q %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\* & Del /F /Q %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*
The EYE Malware also scrubs certain values from specific registry keys and from the 'Default.rdp' file to remove any potential signs of the threat actor's activity on the compromised machine. The registry keys targeted by the malware are:
- Software\Microsoft\Terminal Server Client\Default
Finally, as the last step of its programming, the EYE Malware attempts to remove itself from the targeted system by executing the command taskkill /f /im <EYE's executable filename> & choice /C Y /N /D Y /T 3 & Del <path to EYE's executable>.
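Because the clean-up steps described above are concrete command lines, a defender can hunt for them in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688). The following Python is an added example, not code from the page or from the malware's authors: it runs three detection rules over constructed sample events. The `reg delete` command line and the `eye.exe` path are assumptions used only as sample input, not observed values.

```python
import re

# Constructed sample process-creation records: (pid, parent image, command line).
# Events 102-104 mimic the EYE clean-up chain; 101 and 105 are benign controls.
# The reg delete line and the eye.exe path are assumed, not observed, values.
SAMPLE_EVENTS = [
    (101, r"C:\Windows\explorer.exe", r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
    (102, r"C:\Users\u\AppData\Local\Temp\eye.exe",
     r"cmd.exe /c Del /F /Q %APPDATA%\Microsoft\Windows\Recent\* & Del /F /Q "
     r"%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\* & Del /F /Q "
     r"%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*"),
    (103, r"C:\Users\u\AppData\Local\Temp\eye.exe",
     r'cmd.exe /c reg delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f'),
    (104, r"C:\Users\u\AppData\Local\Temp\eye.exe",
     r"cmd.exe /c taskkill /f /im eye.exe & choice /C Y /N /D Y /T 3 "
     r"& Del C:\Users\u\AppData\Local\Temp\eye.exe"),
    (105, r"C:\Windows\explorer.exe", r"cmd.exe /c del /f /q C:\Users\u\Downloads\old.zip"),
]

# Detection rules: (name, description, case-insensitive regex over the command line).
RULES = [
    ("recent_jumplist_wipe",
     "Del /F /Q against the Recent folder or its jump list subfolders",
     re.compile(r"del\s+/f\s+/q\s+\S*\\Windows\\Recent\\", re.I)),
    ("rdp_history_wipe",
     "registry deletion under Terminal Server Client, or deletion of Default.rdp",
     re.compile(r"(reg\s+delete\s+.*Terminal Server Client|del\s+.*Default\.rdp)", re.I)),
    ("self_delete_chain",
     "taskkill of an image, a choice /T delay, then Del of that same image",
     re.compile(r"taskkill\s+/f\s+/im\s+(?P<img>[\w.-]+).*choice\s+/C\s+Y.*del\s+\S*(?P=img)", re.I)),
]


def scan_events(events):
    """Return [(pid, rule_name)] for every event whose command line matches a rule."""
    hits = []
    for pid, _parent, cmdline in events:
        for name, _desc, rx in RULES:
            if rx.search(cmdline):
                hits.append((pid, name))
    return hits


def suspicious_parents(events):
    """Group rule hits by parent image; a parent that fires two or more distinct
    rules is a strong anti-forensics indicator (one benign 'del' alone is not)."""
    by_parent = {}
    for pid, parent, cmdline in events:
        for name, _desc, rx in RULES:
            if rx.search(cmdline):
                by_parent.setdefault(parent, set()).add(name)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= 2}
```

The benign deletion in event 105 is not flagged because none of the rules match a plain file removal outside the Recent folder.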