By GoldSparrow in Trojans

HAWKBALL is a backdoor Trojan. Its main purpose is to profile the infected device and then deliver a secondary payload. Most PC security software has been updated to detect and remove HAWKBALL, which is why keeping all security software current is an essential part of stopping threats like it. However, HAWKBALL is part of an ongoing malware campaign, and it is very likely that it will continue to be updated and aimed at new targets.

Why HAWKBALL is Threatening

HAWKBALL is distributed through spear-phishing email campaigns aimed at specific victims. The attacks currently target Russian government entities located in Central Asia, and it is very likely that the individuals behind them are engaged in state-sponsored espionage. Victims generally receive an email whose content mimics messages from task forces and departments set up to fight terrorism. The email carries an attached document that delivers HAWKBALL to the victim's computer. The infection runs in the background without alerting the victim, while a decoy document is opened and displayed as a distraction. The main infiltration method is the exploitation of vulnerabilities in Microsoft Office, specifically CVE-2017-11882 and CVE-2018-0802. Both are memory-corruption flaws in the Office Equation Editor component (EQNEDT32.EXE), the second being a bypass of the patch for the first. Microsoft removed the vulnerable component in the January 2018 Office security updates, so this delivery method only works against installations that have not been patched since then.

How HAWKBALL Carries Out Its Attack

HAWKBALL first checks whether it is running on a virtual machine or on a platform used to debug and analyze malware. If it is, HAWKBALL stops entirely and deletes itself, to keep PC security researchers from studying its code. If it determines that it has landed on an intended target, it begins by modifying the Windows Registry to establish persistence, so that it keeps running after the device reboots. It then connects to its Command and Control (C2) server, whose IP address is hardcoded into the HAWKBALL binary itself. A hardcoded address is a useful indicator for defenders: once known, it can be blocked at the perimeter and searched for in proxy and firewall logs to find infected hosts, although the attackers can change it in later builds.
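The hardcoded C2 address is the first thing an analyst pulls out of a sample like this. The helper below is an added example written for this page, not code from the original article or from the HAWKBALL binary; the byte blob it scans is constructed inline, and 203.0.113.5 (an RFC 5737 documentation address) stands in for a real C2. It assumes the analyst already has the strings in the clear, i.e. the decrypted configuration or a memory dump, since an address encrypted inside the config will not show up in a raw file scan. It looks at narrow ASCII and both alignments of UTF-16LE wide strings (the usual encoding in Windows binaries), validates each dotted quad as a real address, and drops the private, loopback, link-local and multicast ranges that show up as noise in almost every executable.

```python
import ipaddress
import re

# Dotted quad with an optional :port. Octet range is validated afterwards
# because the regex alone accepts 999.1.1.1.
IPV4_RE = re.compile(
    rb"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])(?::([0-9]{1,5}))?"
)

# Ranges that are almost always artefacts rather than a C2 address.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _is_noise(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in NOISE_NETS)


def _text_views(blob: bytes):
    """Yield the raw bytes plus ASCII projections of UTF-16LE at both alignments."""
    yield blob
    for off in (0, 1):
        yield blob[off:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def extract_candidate_c2(blob: bytes) -> dict:
    """Map each plausible C2 IPv4 literal to the port seen with it (or None)."""
    found: dict[str, int | None] = {}
    for view in _text_views(blob):
        for m in IPV4_RE.finditer(view):
            text = m.group(1).decode("ascii")
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:      # matched the pattern but is not an address
                continue
            if _is_noise(ip):
                continue
            port = int(m.group(2)) if m.group(2) else None
            # Keep the first port observed for an address; a later bare
            # occurrence must not overwrite it.
            if text not in found or found[text] is None:
                found[text] = port if text not in found else found[text] or port
    return found


# Constructed stand-in for a decrypted config / memory region. It mixes the
# kinds of strings that confuse naive extraction with the actual address.
SAMPLE_DECODED = (
    b"\x00\x10MZ\x90\x00junk\x00"
    + b"Windows 6.1.7601.1\x00"                       # version string, not an address
    + b"192.168.1.10\x00"                             # RFC1918 artefact from the build host
    + b"999.12.1.7\x00"                               # looks like a quad, is not valid
    + "203.0.113.5".encode("utf-16-le") + b"\x00\x00"  # wide-string copy of the C2
    + b"\x00\x00\x00\x07"
    + b"203.0.113.5:443\x00"                          # narrow copy with the port
)

if __name__ == "__main__":
    print(extract_candidate_c2(SAMPLE_DECODED))       # {'203.0.113.5': 443}
```

The output is a starting point, not a verdict: an address that survives the filter still has to be checked against the sample's network behaviour in a sandbox before it goes on a blocklist, and a campaign that is still being updated will rotate it.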

What can HAWKBALL Do on an Infected Device?

It is clear that HAWKBALL is meant to be only the first stage of a multi-stage attack. Because of this, its feature set is limited to what that role requires. HAWKBALL collects data from the infected device and then lets the criminals execute commands on it, which can be used to install other software. Analysis of HAWKBALL's code shows that it collects the following system information from the infected device:

Computer Name
User Name
IP Address
Active Code Page
OEM Page
OS Version
Architecture Details (x32/x64)
String at 0x68 offset from decrypted config file

HAWKBALL may send additional information to the attacker as well. As the list shows, HAWKBALL's own objective is not to collect files or monitor the victim. That is generally done in the next stage of the attack, where the attackers may deliver a RAT (Remote Access Trojan) used to control the device from a remote location, or some kind of information stealer. Using multiple stages lets the criminals decide exactly which secondary payload suits each victim, and it also makes it harder for malware researchers to stop a campaign entirely by simply removing or blocking one component of the attack.
