Hawkball Backdoor Targets Governments in Central Asia
An unknown threat group is targeting the government sector in Central Asia with a new backdoor dubbed Hawkball. The backdoor is delivered via phishing emails containing an RTF attachment that exploits the Equation Editor function (CVE-2017-11882 and CVE-2018-0802). Once installed, Hawkball surveys the host, encrypts the collected information, and exfiltrates it to a single hard-coded C2 server using HTTP over port 443. The backdoor can also execute native Windows commands, terminate processes, create, delete and upload files, search for files, and enumerate drives. Microsoft has urged all Windows users to install the security update for CVE-2017-11882 after observing an increase in activity targeting the vulnerability.
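One way a defender can check for the "HTTP over port 443" behaviour described above, as an added example that is not part of the original article: classify the first client bytes of each flow to TCP/443 as a TLS ClientHello or a cleartext HTTP request, and count the cleartext ones per source and destination. The flow record fields, function names and sample addresses are assumptions constructed for illustration, not Hawkball indicators.

```python
from collections import Counter

# Request-line prefixes for common HTTP methods.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ",
                b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'http' or 'other' for the first client-to-server bytes."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    # Cleartext HTTP: a known method followed by a request line that
    # ends with an HTTP/1.x version token.
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0]
        if request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http"
    return "other"


def cleartext_http_on_443(flows):
    """Count flows to TCP/443 that open with cleartext HTTP, per (src, dst)."""
    hits = Counter()
    for flow in flows:
        if flow["dport"] == 443 and classify_first_bytes(flow["first_bytes"]) == "http":
            hits[(flow["src"], flow["dst"])] += 1
    return dict(hits)


# Constructed sample flows (documentation and private address ranges).
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
HTTP_REQ = b"GET /status HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"
SAMPLE_FLOWS = [
    {"src": "10.0.0.15", "dst": "192.0.2.10", "dport": 443, "first_bytes": TLS_HELLO},
    {"src": "10.0.0.23", "dst": "198.51.100.7", "dport": 443, "first_bytes": HTTP_REQ},
    {"src": "10.0.0.23", "dst": "198.51.100.7", "dport": 443, "first_bytes": HTTP_REQ},
    {"src": "10.0.0.31", "dst": "192.0.2.80", "dport": 80, "first_bytes": HTTP_REQ},
    {"src": "10.0.0.40", "dst": "192.0.2.99", "dport": 443, "first_bytes": b"\x00\x01\x02"},
]

if __name__ == "__main__":
    for (src, dst), count in cleartext_http_on_443(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:443 cleartext HTTP flows: {count}")
```

A host that repeatedly sends cleartext HTTP to one destination on port 443 is worth triage, since legitimate traffic on that port normally opens with a TLS handshake.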