Rewterz Threat Advisory
June 9, 2022
Severity
Medium
Analysis Summary
HawkEye is primarily an infostealer, with additional capabilities such as antivirus (AV) bypass and keylogging. A spear-phishing campaign has been detected that distributes the HawkEye keylogger through malicious RTF documents sent in coronavirus-themed emails. While most malicious RTF documents rely on exploits to trigger Object Linking and Embedding (OLE) calls, these documents instead use the \objupdate switch, which forces the embedded objects to be updated when the document is opened. The victim still needs to enable macros for the infection chain to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code that downloads and runs the HawkEye payload.
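The \objupdate technique described above leaves a static footprint that does not depend on any hash: an RTF containing an `\object` group carrying the `\objupdate` control word together with an Office-type `\objclass` or an `\objdata` blob that is an OLE compound file. The following Python scanner is an added example for this advisory, not tooling from Rewterz or from the campaign; the RTF sample embedded in it is constructed for the example and is not one of the campaign documents. It walks brace-balanced `{\object ...}` groups, records whether each is set to auto-update, reads its class, and checks the hex-encoded object data for the OLE compound-file signature (D0CF11E0A1B11AE1).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed minimal RTF sample (not a real campaign document): one embedded
# OLE object marked with \objupdate whose class is an Excel sheet and whose
# \objdata blob carries the OLE compound-file signature, plus one plain
# "Package" object without \objupdate for contrast.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Excel.Sheet.12}
{\*\objdata 0105000002000000 d0cf11e0a1b11ae1 00000000}}
{\object\objemb{\*\objclass Package}{\*\objdata 4d5a9000}}
Plain text body.}"""

# Signature of an OLE compound file (the container used by legacy Office formats).
OLE_CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


@dataclass
class EmbeddedObject:
    auto_update: bool   # \objupdate present: object is refreshed (activated) on open
    obj_class: str      # value of \objclass, e.g. "Excel.Sheet.12"
    is_ole_cfb: bool    # decoded \objdata contains the OLE compound-file signature


def _extract_groups(rtf: str, marker: str) -> List[str]:
    """Return every brace-balanced group starting with `marker` (e.g. '{\\object').
    Escaped braces (\\{ \\}) are not handled; this is a triage heuristic, not a full
    RTF parser."""
    groups: List[str] = []
    start = rtf.find(marker)
    while start != -1:
        depth = 0
        for i in range(start, len(rtf)):
            ch = rtf[i]
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    groups.append(rtf[start:i + 1])
                    break
        else:
            break  # unbalanced braces: stop scanning
        start = rtf.find(marker, i + 1)
    return groups


def parse_objects(rtf: str) -> List[EmbeddedObject]:
    """Describe each embedded OLE object found in the RTF text."""
    objects: List[EmbeddedObject] = []
    for group in _extract_groups(rtf, r"{\object"):
        auto_update = r"\objupdate" in group
        m = re.search(r"\\objclass\s+([^}\\]+)", group)
        obj_class = m.group(1).strip() if m else ""
        is_cfb = False
        m = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", group)
        if m:
            hexdata = re.sub(r"\s+", "", m.group(1))
            try:
                # Drop a trailing nibble if the hex run has odd length.
                blob = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
            except ValueError:
                blob = b""
            # The OLE1 wrapper precedes the compound file, so search rather than
            # require the signature at offset 0.
            is_cfb = OLE_CFB_MAGIC in blob
        objects.append(EmbeddedObject(auto_update, obj_class, is_cfb))
    return objects


def is_suspicious(rtf: str) -> bool:
    """Flag an RTF that embeds an auto-updating OLE object which looks like an
    Office document (Excel class or compound-file blob): the pattern this
    advisory describes."""
    return any(
        o.auto_update and (o.obj_class.lower().startswith("excel") or o.is_ole_cfb)
        for o in parse_objects(rtf)
    )


if __name__ == "__main__":
    for obj in parse_objects(SAMPLE_RTF):
        print(obj)
    print("suspicious:", is_suspicious(SAMPLE_RTF))
```

Legitimate documents do embed Excel sheets, so `is_suspicious` is a triage signal to route a file to sandboxing or to a mail-gateway rule, not a verdict on its own; counting the objects (five in the campaign documents) and pairing the result with the hash indicators below narrows it further.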
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
MD5
- 6c9177754244a999e36b838622c8b3a4
- 71826ba081e303866ce2a2534491a2f7
SHA-256
- dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5
- 62099532750dad1054b127689680c38590033fa0bdfa4fb40c7b4dcb2607fb11
SHA-1
- 449df07d92f65d20dfffb60124e6123c5a85c491
- b482d64a43f6bfbf758166ecba680b7f0c59a4f7
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
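Searching for the hash indicators above across a file system is routine enough to script. The following Python sweeper is an added example for this advisory, not a Rewterz tool; it carries the advisory's MD5, SHA-1 and SHA-256 values, computes all three digests in a single pass over each file, and reports any file whose digest appears in the indicator list. Hash indicators are exact-match only, so a recompiled or repacked sample will not hit; this complements, rather than replaces, structural detection of the RTF lure.

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Hash indicators from the advisory above, keyed by hashlib algorithm name.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "6c9177754244a999e36b838622c8b3a4",
        "71826ba081e303866ce2a2534491a2f7",
    },
    "sha1": {
        "449df07d92f65d20dfffb60124e6123c5a85c491",
        "b482d64a43f6bfbf758166ecba680b7f0c59a4f7",
    },
    "sha256": {
        "dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5",
        "62099532750dad1054b127689680c38590033fa0bdfa4fb40c7b4dcb2607fb11",
    },
}


def _digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute every algorithm in IOC_HASHES over one pass of the data."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (handy for samples pulled from a quarantine)."""
    return _digests([data])


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digests of a file, read in 1 MiB chunks so large files are not loaded whole."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs present in the indicator list.
    Comparison is case-insensitive because tooling emits mixed-case hex."""
    return [
        (alg, d.lower())
        for alg, d in digests.items()
        if d.lower() in IOC_HASHES.get(alg, set())
    ]


def sweep(root: Path) -> Dict[Path, List[Tuple[str, str]]]:
    """Recursively hash every regular file under `root` and collect IOC hits."""
    hits: Dict[Path, List[Tuple[str, str]]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            matches = match_iocs(hash_file(path))
        except OSError:
            continue  # unreadable (permissions, locked, vanished): skip, keep going
        if matches:
            hits[path] = matches
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, matches in sweep(root).items():
        print(f"{path}: " + ", ".join(f"{alg}={d}" for alg, d in matches))
```

Run it as `python sweep.py /path/to/scan`; for fleet-wide coverage the same indicator set belongs in the EDR or SIEM hash lookup, where matches also surface historical executions rather than only files still on disk.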