Researcher pops locks on keylogger, finds admin's email inbox

Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government.

Mendrez's reverse engineering effort found credentials buried within the Hawkeye keylogger that lead through redirection to the author's inbox.

Attackers behind Hawkeye were siphoning from compromised machines browser, email, and FTP credentials, and system data including installed firewalls, operating system information, and IP address data.

Mendrez found the criminals were using compromised email addresses to forward emails on to their real gmail account as they may have been aware of vulnerabilities in their keylogger.

"To protect their own email credentials, they've hijacked a compromised email account as the initial receiver that eventually forward emails to the attacker's own email address," Mendrez says in a description of the reverse engineering process.

"Naturally, I checked out these email inboxes.

"They appear to be email accounts on compromised systems … emails sent [here] are rerouted automatically to the attacker's Gmail account."

Mendrez has informed the owners of compromised email addresses who are being used to forward on pilfered data.

The $35 keylogger was advertised on a now dead site hawkeyeproducts.com. A cached copy reveals admins promoted it as taking "operating system monitoring to the next level" by recording keystrokes and 'recovering and stealing' saved passwords in browers that "may have been forgotten".

Hawkeye screen capture.

It sported USB and peer-to-peer spreading capabilities, plundering of modern browsers and messaging clients, and compatibility with all versions of Windows.

The site even sported glowing customer 'reviews' and support from a "qualified team".

Intelligence firm iSIGHT Partners in June last year confirmed HawkEye had stolen credentials from organisations in the targeted industries which also include foreign trade, retail, and science and technology.

At the time of analysis iSight researcher Randi Eitzman said Hawkeye was focused on plundering targets in India, with Italy, the US, and Turkey taking a equal hit.

A dozen other countries including Britain and Australia were also targeted.

It said the malware and others like it would continue to be a threat to organisations. ®