Hawking (Malware)
⚠️ Overview
Hawking is a stealthy information stealer and remote access trojan (RAT) first documented in early 2023 by Unit 42 at Palo Alto Networks. It is attributed to an advanced persistent threat (APT) group tracked as UAC-0050, which is believed to have been active since at least 2022 and primarily targets Ukrainian government and defense organizations. The malware is written in .NET and is delivered through spear-phishing emails carrying malicious Microsoft Office or RTF documents that exploit CVE-2022-30190 (Follina), a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT) URL protocol handler that triggers without any macro being enabled.
🔧 Technical Capabilities
Hawking employs multiple persistence mechanisms, including scheduled tasks and registry Run keys written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its command-and-control (C2) channel runs over HTTP(S) with custom AES-encrypted payloads, and the implant derives a unique bot ID from the victim's machine name and volume serial number. The stealer component exfiltrates browser credentials, FTP client data, cryptocurrency wallet files, and screenshots; additional plugins extend it to full RAT functionality, including file upload/download, process injection, and keylogging. Evasion techniques include sleeping to outlast sandbox execution windows, checking for virtual machine artifacts (e.g., VMware or VirtualBox processes), and padding the binary with junk code to hinder static analysis. Propagation is limited to lateral movement over SMB or WinRM using credentials harvested from the compromised host.
📜 History & Notable Incidents
First observed in January 2023, Hawking was used in a campaign targeting the Ukrainian energy and defense sectors in March 2023, as reported by CERT-UA. No CVEs beyond CVE-2022-30190 are directly associated with the malware itself, though the group operating it (UAC-0050) has also leveraged CVE-2023-23397, an Outlook elevation-of-privilege flaw that leaks NTLM credentials via crafted calendar items, in email-based attacks. No law enforcement action against the operation has been publicly documented; Palo Alto Networks published a detailed technical report in April 2023.
🔍 Detection Indicators
The SHA256 values listed for Hawking samples, 3a1c9c8c1e7f2b6d0a5e4f3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3 and 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef, are placeholders and must not be loaded as IOCs (the first is not even a valid 64-hex-digit SHA256; the second is an obvious filler string); the actual hashes are available in the Unit 42 report. Behavioral indicators include creation of scheduled tasks named "WindowsUpdateTask" or "MicrosoftEdgeUpdateTask", writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and outbound connections to IP addresses in the 185.225.19.0/24 range. C2 traffic uses the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"; note that this is the stock Chrome 108 on Windows 10 User-Agent, so on its own it is a weak signal and should be correlated with the destination range or with the requesting process being something other than a browser.
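The behavioral indicators above (task names, Run key writes, the C2 range and the User-Agent) translate directly into detection logic. The following is an added example written for this page, not code from the original page or from Unit 42's report. It assumes a flat key=value event format of my own (one event per line, quoted values for anything containing spaces) and runs over constructed sample events; the choice to treat a User-Agent match from a non-browser process as only a low-severity signal, escalated to high when the destination falls in 185.225.19.0/24, is a design decision of this example.

```python
"""Detection of Hawking behavioral indicators over key=value event lines.

Added example, not from the original page. Event format and sample events are
constructed for illustration; indicator values come from the page text.
"""
import ipaddress
import re

# Indicators as listed on the page.
C2_NET = ipaddress.ip_network("185.225.19.0/24")
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
TASK_NAMES = {"windowsupdatetask", "microsoftedgeupdatetask"}
# Match the Run key itself or a value beneath it; RunOnce is deliberately not
# matched because the page only names CurrentVersion\Run.
RUN_KEY = re.compile(r"software\\microsoft\\windows\\currentversion\\run($|\\)", re.I)
# Assumption: these images legitimately send the Chrome 108 UA, so a UA hit from
# them is ignored unless the destination is in the C2 range.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

# key=value or key="value with spaces"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (not real data): one event per non-empty line.
SAMPLE_LOG = r'''
type=task_create name="WindowsUpdateTask" image="C:\Users\alice\AppData\Roaming\svchost.exe"
type=task_create name="Adobe Acrobat Update Task" image="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
type=reg_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="C:\Users\alice\AppData\Roaming\svchost.exe"
type=reg_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup" value="C:\Temp\setup.exe"
type=http dst=185.225.19.44 image="C:\Users\alice\AppData\Roaming\svchost.exe" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
type=http dst=142.250.74.78 image="C:\Program Files\Google\Chrome\Application\chrome.exe" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
type=http dst=203.0.113.10 image="C:\Users\alice\AppData\Roaming\svchost.exe" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
'''


def parse_event(line):
    """Turn one key=value line into a dict; quoted and bare values both work."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}


def _in_c2_range(addr):
    try:
        return ipaddress.ip_address(addr) in C2_NET
    except ValueError:  # missing or malformed dst
        return False


def detect(log_text):
    """Return a list of hits: {"line", "severity", "reason"} per matching event."""
    hits = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines):
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "task_create" and ev.get("name", "").lower() in TASK_NAMES:
            hits.append({"line": n, "severity": "high",
                         "reason": f"scheduled task name {ev['name']!r} matches Hawking persistence"})
        elif kind == "reg_set" and RUN_KEY.search(ev.get("key", "")):
            hits.append({"line": n, "severity": "medium",
                         "reason": f"Run key persistence written: {ev['key']}"})
        elif kind == "http":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if _in_c2_range(ev.get("dst", "")):
                hits.append({"line": n, "severity": "high",
                             "reason": f"outbound to Hawking C2 range from {image}"})
            elif ev.get("ua") == C2_UA and image not in BROWSER_IMAGES:
                # Stock Chrome UA from a non-browser process: weak on its own.
                hits.append({"line": n, "severity": "low",
                             "reason": f"C2 User-Agent sent by non-browser process {image}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit['line']}: [{hit['severity']}] {hit['reason']}")
```

On the constructed log this flags the WindowsUpdateTask creation, the Run key write, the connection into 185.225.19.0/24, and the User-Agent sent by an executable running from AppData; the legitimate Adobe task, the RunOnce write and Chrome's own traffic are left alone. In production the task names and the IP range are the parts an operator will rotate first, so the Run-key and non-browser-UA rules are the ones worth keeping even after the listed values go stale.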
☠️ Risk & Impact
Hawking's primary impact is the exfiltration of credentials and sensitive files, which can enable follow-on ransomware deployment or espionage. The most affected sectors are Ukrainian government, energy, and defense organizations, but any Windows-based organization receiving spear-phishing emails is at risk. Financial losses have not been publicly quantified; the potential loss of state secrets and operational disruption is severe.
🛡️ Mitigation
Organizations should apply the security patches for CVE-2022-30190 and CVE-2023-23397. Because Follina fires through the MSDT URL protocol handler rather than through macros, blocking macros from untrusted Office documents is worthwhile defense in depth but does not by itself stop this delivery chain; unpatched hosts should additionally have the ms-msdt URL protocol handler disabled per Microsoft's published workaround. Deploy endpoint detection rules (e.g., Sigma rules for scheduled task creation and writes to the CurrentVersion\Run key), and use the YARA rules and network IOC filters from Unit 42's report (available at Unit42.paloaltonetworks.com); regular user awareness training on phishing identification remains essential.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.