HawkEye, also known as PredatorPain, is malware categorized as a keylogger, but it has adopted new functionality that aligns it with the capabilities of other tool classes such as stealers.
HawkEye emerged before 2010 and gained significant popularity starting in 2013 after several spearphishing campaigns.
Although it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence during the COVID period.
For a quick analysis of HawkEye, ANY.RUN's Interactive Sandbox is used to extract the critical data.
HawkEye's delivery methods are diverse compared to those of other malware, but its execution and behavior have remained consistent over the years.
One of the dropped files, the smaller one, acts as the injector. The injector includes a phase in which it enumerates running processes to detect analysis tools and to check whether its own process is already running.
HawkEye does not establish persistence just once: it has been observed checking and re-establishing persistence at up to three different points, depending on the execution phase.
Once injected into vbc.exe or other processes, HawkEye carries out various functions such as keylogging, system information gathering, credential theft and screenshot capture, among others.
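The two behaviours above, repeated persistence registration across the execution phases and injection into vbc.exe, are a useful pairing for a detection rule, because either one alone is common in benign software. The following Python is an added example written for this page; it is not code from the original page or from ANY.RUN. It correlates constructed process, registry and remote-thread telemetry (the line format, process names and paths are assumptions for illustration; only vbc.exe comes from the page) and flags a process tree that both writes an autorun value at least twice and injects into vbc.exe.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: kind|pid|ppid|detail.
# For process_create, detail is the image path; for registry_set, the value
# path; for remote_thread, the target pid. Paths and names are placeholders.
SAMPLE_EVENTS = r"""
process_create|4100|1000|C:\Users\victim\Downloads\invoice.exe
process_create|4120|4100|C:\Users\victim\AppData\Local\Temp\inj.exe
registry_set|4120|4100|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
process_create|4130|4120|C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
remote_thread|4120|4100|4130
registry_set|4130|4120|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
process_create|5000|1000|C:\Program Files\Editor\editor.exe
registry_set|5000|1000|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Editor
"""

# Autorun location written by persistence mechanisms (generic Windows key).
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Injection hosts named on the page; extend with other observed targets.
INJECTION_TARGETS = {"vbc.exe"}


def parse_events(text):
    """Parse the pipe-separated telemetry into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, ppid, detail = line.split("|", 3)
        events.append({"kind": kind, "pid": int(pid), "ppid": int(ppid), "detail": detail})
    return events


def root_of(pid, parent, image):
    """Walk up to the top-most ancestor that was itself created in the telemetry window."""
    seen = set()
    while pid in parent and parent[pid] in image and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def find_hawkeye_like_chains(events, min_persistence=2):
    """Return root pids of process trees that repeatedly set persistence AND inject into a known host."""
    parent, image = {}, {}
    for e in events:
        if e["kind"] == "process_create":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["detail"]

    persistence = defaultdict(int)   # root pid -> autorun writes in the tree
    injected = defaultdict(set)      # root pid -> injected host image names
    for e in events:
        root = root_of(e["pid"], parent, image)
        if e["kind"] == "registry_set" and AUTORUN_RE.search(e["detail"]):
            persistence[root] += 1
        elif e["kind"] == "remote_thread":
            target_name = image.get(int(e["detail"]), "").rsplit("\\", 1)[-1].lower()
            if target_name in INJECTION_TARGETS:
                injected[root].add(target_name)

    return sorted(root for root in set(persistence) | set(injected)
                  if persistence[root] >= min_persistence and injected[root])


if __name__ == "__main__":
    for root in find_hawkeye_like_chains(parse_events(SAMPLE_EVENTS)):
        print(f"suspicious process tree rooted at pid {root}")
```

On the constructed data the rule flags only the tree rooted at pid 4100: the editor also registers an autorun value, but it does so once and never injects into vbc.exe, so it stays below the threshold. Raising `min_persistence` to three matches the page's upper bound of three persistence points but will miss runs that were stopped earlier.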
The builder provides a multitude of configuration options, allowing the attacker to choose where to send the stolen information, what to collect, whether to check for certain tools, and how to change the payload data to make it appear legitimate.
HawkEye's versatility and longevity make it a tremendously powerful and easy-to-use tool that, unfortunately, will continue to be seen in security incidents involving actors of all types.