Hawkball Backdoor Targets Governments in Central Asia

4 - 11 June 2019

An unknown threat group is targeting the government sector in Central Asia with a new backdoor dubbed Hawkball. The backdoor is delivered via phishing emails containing an RTF attachment that exploits the Equation Editor function (CVE-2017-11882 and CVE-2018-0802). Once installed, Hawkball surveys the host, encrypts the collected information, and exfiltrates it to a single hard-coded C2 server using HTTP over port 443. The backdoor can also execute native Windows commands, terminate processes, create, delete and upload files, search for files, and enumerate drives. Microsoft has urged all Windows users to install the security update for CVE-2017-11882 after observing an increase in activity targeting the vulnerability.
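The C2 channel described above (HTTP over port 443 to a single server) suggests one network-side check, shown here as an added example that is not from the original report: flag flows to TCP/443 whose first client payload is a plaintext HTTP request rather than a TLS handshake. It assumes the traffic is unencrypted at the transport layer; the flow records, field names, addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# HTTP/1.x request line: METHOD SP target SP HTTP/1.0|1.1 CRLF
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http"
    return "other"

def cleartext_http_on_443(flows):
    """Map each destination receiving plaintext HTTP on TCP/443 to its sorted clients."""
    hits = defaultdict(set)
    for f in flows:
        if f["dport"] == 443 and classify_first_payload(f["payload"]) == "http":
            hits[f["dst"]].add(f["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

# Constructed sample flows (documentation IP ranges, made-up paths); the
# record layout is an assumption, not a real sensor's export format.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443,
     "payload": bytes.fromhex("1603010200010001fc0303")},   # TLS ClientHello start
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 443,
     "payload": b"POST /example HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443,
     "payload": b"GET /example HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.80", "dport": 80,   # ordinary HTTP, ignored
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for dst, srcs in cleartext_http_on_443(SAMPLE_FLOWS).items():
        print(f"plaintext HTTP to {dst}:443 from {', '.join(srcs)}")
```

Several internal hosts sending plaintext HTTP to the same external address on 443 is the pattern a single hard-coded C2 would produce, so the grouping by destination is the part worth alerting on.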

 

References:

Government Sector in Central Asia Targeted with New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

Microsoft Issues Warning on Spam Campaign Using Office Exploits

 
 
 
 
 
 
