Rewterz Threat Alert – LokiBot Malware – Active IOCs
June 16, 2022
Rewterz Threat Alert – Bitter APT Group – Active IOCs
June 16, 2022
Severity
Medium
Analysis Summary
HawkEye is primarily an infostealer, but it also has additional capabilities such as antivirus (AV) bypass and keylogging. A spear-phishing campaign has been detected that uses malicious RTF documents, sent via coronavirus-themed emails, to distribute the HawkEye keylogger. While most malicious RTF documents use exploits to trigger Object Linking and Embedding (OLE) calls, in this case the documents use the \objupdate switch. A victim would still need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is used to execute .NET code, which downloads and executes the HawkEye payload.
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
MD5
- 637e757d38a8bf22ebbcd6c7a71b8d14
SHA-256
- 477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9
SHA-1
- 0e711a8292de14d5aa0913536a1ae03ddfb933ec
Remediation
- Search for IOCs in your environment.
- Block all threat indicators at their respective controls.
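The following is an added example, not Rewterz's own tooling, of how a defender might act on the two points above: searching files for the IOC hashes published in this alert, and statically flagging RTF documents that use the \objupdate control word together with embedded OLE objects, which is the delivery pattern described in the Analysis Summary. The sample documents at the bottom are constructed (placeholder hex, not real OLE data), and the function names, regexes and directory-walking helper are this example's own assumptions, not part of the alert.

```python
"""Triage helper for the HawkEye RTF delivery pattern described in the alert.
(1) Hashes files and matches them against the alert's published IOC hashes.
(2) Flags RTF documents carrying \\objupdate alongside embedded OLE objects.
Added example code; sample inputs below are constructed, not real malware."""
import hashlib
import re
from pathlib import Path

# IOC hashes taken verbatim from the alert above.
IOC_HASHES = {
    "md5": {"637e757d38a8bf22ebbcd6c7a71b8d14"},
    "sha1": {"0e711a8292de14d5aa0913536a1ae03ddfb933ec"},
    "sha256": {"477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9"},
}

RTF_MAGIC = b"{\\rtf"                       # every RTF file starts with this group
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")  # "update object on open" control word
OBJECT_RE = re.compile(rb"\\object\b")        # start of an embedded/linked object
OBJDATA_RE = re.compile(rb"\\objdata\b")      # hex-encoded OLE payload destination


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ioc_matches(data: bytes) -> list:
    """Return the hash algorithms whose digest of `data` is an IOC from the alert."""
    digests = hash_bytes(data)
    return [algo for algo, value in digests.items() if value in IOC_HASHES[algo]]


def analyse_rtf(data: bytes) -> dict:
    """Static indicators for an RTF: \\objupdate use and embedded OLE object count."""
    if not data.lstrip().startswith(RTF_MAGIC):
        return {"is_rtf": False, "objupdate": False, "objects": 0, "suspicious": False}
    objupdate = bool(OBJUPDATE_RE.search(data))
    objects = len(OBJECT_RE.findall(data))
    objdata = len(OBJDATA_RE.findall(data))
    # \objupdate next to embedded object data is the pattern the alert describes;
    # a benign document rarely asks Word to refresh every OLE object on open.
    suspicious = objupdate and (objects > 0 or objdata > 0)
    return {"is_rtf": True, "objupdate": objupdate, "objects": objects, "suspicious": suspicious}


def triage(data: bytes) -> dict:
    """Combine hash-based IOC matching with the \\objupdate heuristic."""
    result = analyse_rtf(data)
    result["ioc_hits"] = ioc_matches(data)
    result["hashes"] = hash_bytes(data)
    return result


def triage_directory(root: str) -> list:
    """Walk a directory tree; return records for files that hit an IOC or look suspicious."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            rec = triage(path.read_bytes())
            if rec["ioc_hits"] or rec["suspicious"]:
                rec["path"] = str(path)
                findings.append(rec)
    return findings


# Constructed sample documents: a benign RTF, and one mimicking the structure in
# the alert (five embedded objects, each marked \objupdate). Placeholder hex only.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par }"
SUSPICIOUS_RTF = b"{\\rtf1\\ansi Invoice\\par " + b"".join(
    b"{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000}}" for _ in range(5)
) + b"}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage(doc))
```

The hash check is exact-match only, so it catches the specific sample in this alert; the \objupdate heuristic is what gives coverage of re-packed variants, and in practice it should be paired with extraction of the embedded OLE streams (for example with oletools) to confirm whether they are macro-enabled workbooks as the summary describes.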