Register to stream ATT&CKcon 2.0 October 29-30


HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.[1]

ID: S0391
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line. [1]
Enterprise T1043 Commonly Used Port HAWKBALL has sent HTTP GET requests over port 443 for C2. [1]
Enterprise T1022 Data Encrypted HAWKBALL has encrypted data with XOR before sending it over the C2 channel. [1]
Enterprise T1173 Dynamic Data Exchange HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode. [1]
Enterprise T1106 Execution through API HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity. [1]
Enterprise T1041 Exfiltration Over Command and Control Channel HAWKBALL has sent system information and files over the C2 channel. [1]
Enterprise T1203 Exploitation for Client Execution HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload. [1]
Enterprise T1107 File Deletion HAWKBALL has the ability to delete files. [1]
Enterprise T1027 Obfuscated Files or Information HAWKBALL has encrypted the payload with an XOR-based algorithm. [1]
Enterprise T1105 Remote File Copy HAWKBALL has downloaded additional files from the C2. [1]
Enterprise T1071 Standard Application Layer Protocol HAWKBALL has used HTTP to communicate with a single hard-coded C2 server. [1]
Enterprise T1082 System Information Discovery HAWKBALL can collect the OS version, architecture information, and computer name. [1]
Enterprise T1033 System Owner/User Discovery HAWKBALL can collect the user name of the system. [1]
Enterprise T1497 Virtualization/Sandbox Evasion HAWKBALL has methods to check if the process the malware uses is being debugged. [1]