Summary
FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.
HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.
Conclusion
HAWKBALL is a new backdoor that provides features attackers can use to collect information from a victim and deliver new payloads to the target. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. We advise that all industries remain on alert, though, because the threat actors involved in this campaign may eventually broaden the scope of their current targeting.
Indicators of Compromise
| MD5 | Name |
| AC0EAC22CE12EAC9EE15CA03646ED70C | Doc.rtf |
| D90E45FBF11B5BBDCA945B24D155A4B2 | hh14980443.wll |
Network Indicators
- 149.28.182[.]78:443
- 149.28.182[.]78:80
- http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>
- http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>
- http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Recommendation
- Block all the above mentioned IOC’s
- Ensure Antivirus is kept up to date
- Patch latest Microsoft Office updates
- Limit privilege access to systems wherever necessary
