Rewterz Threat Alert –Phobos Ransomware – Active IOCs
August 31, 2021Rewterz Threat Advisory –CVE-2021-34865 – NETGEAR Multiple Routers Authentication Bypass Security Vulnerability
August 31, 2021
Severity
High
Analysis Summary
HawkEye is primarily an infostealer, with additional capabilities such as antivirus bypass and keylogging. A spear-phishing campaign has been detected that distributes the HawkEye keylogger through malicious RTF documents attached to corona-themed emails. While most malicious RTF documents rely on exploits to trigger Object Linking and Embedding (OLE) calls, in this case the documents use the \objupdate switch. The victim must still enable macros for the infection chain to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code which downloads and executes the HawkEye payload.
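The following triage heuristic is an added example written for this advisory, not Rewterz's code and not derived from the listed samples. It implements the two observable traits the summary describes: RTF documents carrying embedded OLE objects (hex payloads under \objdata that contain a compound-file header) and the \objupdate control word that forces those objects to update without an exploit. The function names (analyze_rtf, build_sample_rtf) are mine, and the RTF used as input is constructed in the block, not a captured attachment.

```python
import re
from dataclasses import dataclass

# Header of an OLE compound file, the container used by macro-enabled Office documents.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Hex run that follows the \objdata control word; the '}' closing the group ends the run.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


@dataclass
class RtfFindings:
    is_rtf: bool
    object_count: int      # \object control words seen
    objupdate_count: int   # \objupdate control words seen
    ole_objects: int       # \objdata blobs that contain an OLE compound-file header
    verdict: str


def _decode_objdata(hex_blob: bytes) -> bytes:
    r"""Strip whitespace from an \objdata hex run and decode it; return b'' if it is not valid hex."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:
        clean = clean[:-1]
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def analyze_rtf(data: bytes) -> RtfFindings:
    r"""Flag RTF files whose embedded OLE objects are marked with the \objupdate switch."""
    # Malicious RTFs often truncate the magic; '{\rt' still catches '{\rtf1' and '{\rt' variants.
    is_rtf = data.lstrip().lower().startswith(b"{\\rt")
    object_count = len(re.findall(rb"\\object\b", data))
    objupdate_count = len(re.findall(rb"\\objupdate\b", data))
    ole_objects = sum(
        1 for m in _OBJDATA_RE.finditer(data) if OLE_MAGIC in _decode_objdata(m.group(1))
    )
    if not is_rtf:
        verdict = "not an RTF document"
    elif ole_objects and objupdate_count:
        verdict = "suspicious: embedded OLE object(s) marked with \\objupdate"
    elif ole_objects or object_count:
        verdict = "review: embedded object(s) without \\objupdate"
    else:
        verdict = "no embedded objects"
    return RtfFindings(is_rtf, object_count, objupdate_count, ole_objects, verdict)


def build_sample_rtf(n_objects: int) -> bytes:
    r"""Constructed test input (not a real sample): n embedded objects, each an OLE container with \objupdate."""
    # Prefix styled after an OLE1 object header, then a compound-file header and padding.
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0bExcel.Sheet" + OLE_MAGIC + b"\x00" * 32
    obj = (b"{\\object\\objemb\\objupdate{\\*\\objclass Excel.Sheet.12}"
           b"{\\*\\objdata " + payload.hex().encode("ascii") + b"}}")
    return b"{\\rtf1\\ansi " + obj * n_objects + b"}"


if __name__ == "__main__":
    # Five embedded objects, matching the count reported in the advisory.
    print(analyze_rtf(build_sample_rtf(5)))
```

This is a first-pass filter for mail-gateway or sandbox triage: it only reads control words and decodes \objdata hex, so heavily obfuscated RTFs (junk characters inside the hex, split control words) can slip past it. Files it flags, and files where counts look inconsistent, should go to a full RTF/OLE parser such as oletools' rtfobj and olevba before any conclusion is drawn.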
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
MD5
- 83f58ecf0778e3b0acca8497df23ef23
- 1e6ec142ba08c7deafd25bdea76f32d4
SHA-256
- 437fae5aa2cad8ddb1fe3e316afdc6a1fdd2676084131fdc082ffdc8a53f066d
- e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
SHA-1
- a2123e816fcd387873272e022220fbc05b96d392
- 6b52334ca53b1c604c5865e2ab49056b870808c5
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
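As an added example of the second remediation step, the script below sweeps a directory tree and reports any file whose MD5, SHA-1 or SHA-256 digest appears in the advisory's indicator list. It is my code, not Rewterz's, and the only page values it uses are the six hashes listed above; the function names (hash_file, match_iocs, sweep_directory, demo) and the temporary file that demo() creates for a positive check are constructed for illustration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

# Indicators taken from the advisory's IOC list, grouped by algorithm (lowercase hex).
ADVISORY_IOCS = {
    "md5": {
        "83f58ecf0778e3b0acca8497df23ef23",
        "1e6ec142ba08c7deafd25bdea76f32d4",
    },
    "sha1": {
        "a2123e816fcd387873272e022220fbc05b96d392",
        "6b52334ca53b1c604c5865e2ab49056b870808c5",
    },
    "sha256": {
        "437fae5aa2cad8ddb1fe3e316afdc6a1fdd2676084131fdc082ffdc8a53f066d",
        "e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with all three algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file in a single pass, feeding each chunk to all three hashers."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = ADVISORY_IOCS) -> list:
    """Return (algorithm, digest) pairs from `digests` that are present in `iocs`."""
    return [
        (algo, digests[algo].lower())
        for algo in sorted(iocs)
        if digests.get(algo, "").lower() in iocs[algo]
    ]


def sweep_directory(root: str, iocs: dict = ADVISORY_IOCS) -> list:
    """Walk `root` and return (path, algorithm, digest) for every file matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                # Unreadable or vanished file: record nothing, keep sweeping the rest of the tree.
                continue
            for algo, value in match_iocs(digests, iocs):
                hits.append((path, algo, value))
    return hits


def demo() -> dict:
    """Constructed check: one benign file, swept against the advisory list and against its own hash."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware\n")
        # A custom indicator set built from the file itself, so the positive path is exercised offline.
        constructed = {"sha256": {hash_file(sample)["sha256"]}}
        return {
            "advisory_hits": sweep_directory(tmp),
            "constructed_hits": [(os.path.basename(p), a) for p, a, _ in sweep_directory(tmp, constructed)],
        }


if __name__ == "__main__":
    print(demo())
```

Hash matching is exact, so it only catches the specific binaries the advisory names; repacked or recompiled variants need the behavioural checks (RTF with \objupdate, PowerShell launching .NET that downloads a payload) rather than this list. Run the sweep from a read-only or snapshot view of endpoints where possible, and feed the `ADVISORY_IOCS` sets to the EDR or proxy blocklist for the first remediation step.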