A newly discovered backdoor called Hawkball has been observed in action, targeting one or more Russian-speaking government entities in Central Asia, according to the FireEye Labs blog.
After a successful infection, Hawkball offers attackers a range of capabilities, writes FireEye malware researcher and blog post author Swapnil Patil. These include surveying the host and collecting victim information; delivering additional payloads; creating a channel to run native Windows commands; terminating processes; creating, deleting, and uploading files; and enumerating drives.
To install the backdoor, the attackers used a decoy file that purports to come from an anti-terrorist organization with a focus on the post-Soviet republics that make up the Commonwealth of Independent States. The document's title, translated from Russian to English, is “Compilation of leadership compositions of anti-terrorist security units and special services of the CIS States.”
According to cyber espionage analysis manager Benjamin R., FireEye researchers believe that the malicious file was used in February 2019. “We don’t have an understanding of the underlying goal, but we assessed that the content of the bait would be attractive to the government.”
Opening the infected file starts a chain that delivers the payload through two previously patched Microsoft Office memory corruption vulnerabilities: CVE-2017-11882 (in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1 and Microsoft Office 2016) and CVE-2018-0802 (in the Equation Editor in Microsoft Office 2007, 2010, 2013 and 2016).
Hawkball communicates with its hard-coded C2 server over HTTP, exfiltrating victim information including computer name, user name, IP address, OEM page, OS version, and more. It also performs several validation methods.
SC Media reached out to FireEye for more information on the Hawkball attack.