

Severity
Medium
Analysis Summary
HawkEye is primarily an information stealer, but it also includes keylogging and antivirus-evasion capabilities. A spear-phishing campaign has been observed distributing the HawkEye keylogger through malicious RTF documents attached to coronavirus-themed emails. Most malicious RTF documents rely on an exploit to trigger their embedded Object Linking and Embedding (OLE) objects; these documents instead use the \objupdate control word, which tells the RTF reader to refresh, and therefore load, every embedded object as soon as the document is opened, so no exploit is required. The embedded OLE objects, five of them in this case, are macro-enabled Excel sheets, and the victim must still enable macros for the infection chain to begin. Once macros are enabled, PowerShell is used to run .NET code that downloads and executes the HawkEye payload.
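The \objupdate technique described above can be checked for without opening the document in Word. The following is an added example and is not code from Rewterz or from the campaign analysis: a small Python triage script that splits an RTF into its object groups, counts \objupdate control words, extracts the \objclass names and looks for the OLE compound-file signature inside the hex-encoded \objdata payloads. The sample document it builds is constructed for the demonstration (the OLE 1.0 native-data header is simplified and the embedded workbook is a truncated stand-in, not a real sample), and the rule used to mark a file suspicious is an assumption chosen here, not a published detection.

```python
import json
import re

# Magic bytes of an OLE Compound File Binary (CFB) container, the on-disk
# format of a .xls/.xlsm workbook when it is embedded as an OLE object.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def _find_groups(data: bytes, opener: bytes) -> list:
    """Return every RTF group that begins with `{\\<opener>`, nested groups included.
    Plain brace counting; escaped braces (\\{ \\}) are not handled, which is fine for triage."""
    pattern = b"{\\" + opener
    groups = []
    start = data.find(pattern)
    while start != -1:
        depth, pos = 0, start
        while pos < len(data):
            ch = data[pos:pos + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                depth -= 1
                if depth == 0:
                    break
            pos += 1
        groups.append(data[start:pos + 1])
        start = data.find(pattern, start + 1)
    return groups


def triage_rtf(data: bytes) -> dict:
    """Flag RTF files that use \\objupdate to auto-load embedded OLE objects on open."""
    reasons = []
    objects = _find_groups(data, b"object")
    objupdate = len(re.findall(rb"\\objupdate(?![a-z])", data))
    classes = [c.decode("ascii", "replace").strip()
               for c in re.findall(rb"\\objclass\s+([^}\\]+)", data)]
    macro_classes = [c for c in classes if "MacroEnabled" in c]

    # \objdata carries the OLE 1.0 native data as a hex string; decode it and look
    # for a CFB container (an embedded workbook) anywhere inside.
    cfb = 0
    for group in _find_groups(data, b"*\\objdata"):
        hexpart = group.split(b"\\objdata", 1)[1].rstrip(b"}")
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", hexpart)
        try:
            blob = bytes.fromhex(hexdigits.decode("ascii"))
        except ValueError:
            continue
        if CFB_MAGIC in blob:
            cfb += 1

    if objupdate:
        reasons.append(f"\\objupdate used {objupdate}x: embedded objects load on open without an exploit")
    if macro_classes:
        reasons.append(f"macro-enabled Office object classes: {sorted(set(macro_classes))}")
    if cfb:
        reasons.append(f"{cfb} embedded OLE compound file(s) found in \\objdata")

    return {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "object_count": len(objects),
        "objupdate_count": objupdate,
        "objclasses": classes,
        "embedded_cfb": cfb,
        # Assumed triage rule: auto-updating objects plus an embedded workbook or macro class.
        "suspicious": bool(objupdate and (cfb or macro_classes)),
        "reasons": reasons,
    }


def build_sample_rtf() -> bytes:
    """Constructed sample for offline testing: five \\objupdate OLE objects whose class
    names and truncated OLE1 payloads mimic macro-enabled Excel sheets. Not a real document."""
    cls = b"Excel.SheetMacroEnabled.12"
    payload = CFB_MAGIC + b"\x00" * 24          # truncated CFB header stand-in
    # Simplified OLE 1.0 native-data header: version, format id, class name, data length, data.
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + (len(cls) + 1).to_bytes(4, "little") + cls + b"\x00"
            + b"\x00" * 8 + len(payload).to_bytes(4, "little") + payload)
    obj = (b"{\\object\\objemb\\objupdate{\\*\\objclass " + cls + b"}"
           + b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}"
           + b"{\\result{\\pict}}}")
    return b"{\\rtf1\\ansi Please review the attached report.\\par " + obj * 5 + b"}"


if __name__ == "__main__":
    print(json.dumps(triage_rtf(build_sample_rtf()), indent=2))
```

Run it against a real attachment with `triage_rtf(open(path, "rb").read())`. A \objupdate hit on its own is not proof of malice, since legitimate documents can carry updatable objects, but combined with macro-enabled Office classes or a CFB container in \objdata it is a strong triage signal that warrants detonation or manual review.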
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
MD5
- 57e39c48e784b3a979493e1945139cb7
- db9af0cd255ad7fc88bbb96051c012c7
- 9bd80f96d322285918177d64edb40ad2
SHA-256
- 5d5656bf50bf4d14a6b4129c7f3dfd9f446b98df3edeaf2d9036a77d49f52349
- 9b40a17f24cac8ab757747e0fd9f26b54f61225dd504a4d858c7ee2b39d962bf
- 3cb9db864f69946c509a75e264a7a44eb4999da45c6f373928f564668073e641
SHA-1
- 3074d590c3ffdf65c0516cf18d816da9978cb321
- 8b1e0fffa49ca6ad61e6dd5f21bb2793dc208c78
- 26409f3ea3696c8cfef6ae906b2c49a28373e32c
Remediation
- Block all listed threat indicators at your respective controls (email gateway, endpoint protection, web proxy and perimeter firewall).
- Search for the listed IOCs in your environment, including mail stores and endpoint file systems.
- Treat RTF attachments that carry embedded OLE objects with suspicion, and keep Office macros disabled for documents received from the internet, since this chain still depends on the victim enabling them.
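The IOC search above is easiest to do with a one-pass hasher rather than reading each file three times. The following is an added example, not a Rewterz tool: it embeds the hashes listed in this alert, computes MD5, SHA-1 and SHA-256 of every regular file under a directory in a single read, and reports any match. The `demo()` function is a constructed offline exercise that plants a harmless file and adds that file's own SHA-256 to a copy of the IOC set so the sweep has something to find; the 200 MB size cap is an assumed default.

```python
import hashlib
import os
import tempfile
from io import BytesIO
from pathlib import Path

# Hashes published in this alert, lowercase, keyed by algorithm.
IOC_HASHES = {
    "md5": {
        "57e39c48e784b3a979493e1945139cb7",
        "db9af0cd255ad7fc88bbb96051c012c7",
        "9bd80f96d322285918177d64edb40ad2",
    },
    "sha1": {
        "3074d590c3ffdf65c0516cf18d816da9978cb321",
        "8b1e0fffa49ca6ad61e6dd5f21bb2793dc208c78",
        "26409f3ea3696c8cfef6ae906b2c49a28373e32c",
    },
    "sha256": {
        "5d5656bf50bf4d14a6b4129c7f3dfd9f446b98df3edeaf2d9036a77d49f52349",
        "9b40a17f24cac8ab757747e0fd9f26b54f61225dd504a4d858c7ee2b39d962bf",
        "3cb9db864f69946c509a75e264a7a44eb4999da45c6f373928f564668073e641",
    },
}
CHUNK = 1 << 20


def hash_stream(fobj) -> dict:
    """Compute MD5, SHA-1 and SHA-256 in a single pass over a binary stream."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(BytesIO(data))


def hash_file(path) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def match_iocs(digests: dict, iocs: dict = IOC_HASHES) -> list:
    """Return (algorithm, digest) pairs from `digests` that appear in the IOC set."""
    return [(algo, digests[algo]) for algo in iocs if digests.get(algo) in iocs[algo]]


def sweep(root, iocs: dict = IOC_HASHES, max_size: int = 200 * 1024 * 1024) -> list:
    """Walk `root`, hash every regular file up to `max_size` bytes, and return IOC hits
    as (path, algorithm, digest). Symlinks and unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in match_iocs(digests, iocs):
                hits.append((path, algo, digest))
    return hits


def demo() -> list:
    """Constructed offline demonstration: one benign file and one "planted" file whose own
    SHA-256 is added to a copy of the IOC set. Returns [(filename, algorithm)] per hit."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "planted.bin"
        planted.write_bytes(b"constructed stand-in, not the real HawkEye sample")
        (Path(tmp) / "benign.txt").write_text("quarterly report\n")
        iocs = {algo: set(values) for algo, values in IOC_HASHES.items()}
        iocs["sha256"].add(hash_file(planted)["sha256"])
        return [(os.path.basename(path), algo) for path, algo, _ in sweep(tmp, iocs)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (sweep(target) if target else demo()):
        print(hit)
```

Hash-based sweeps only find the exact samples listed; a rebuilt or repacked HawkEye binary will not match, so pair this with behavioural detection (Office spawning PowerShell, PowerShell loading .NET assemblies from memory) rather than relying on hashes alone.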