Rewterz Threat Alert
September 6, 2021
Severity
Medium
Analysis Summary
HawkEye is primarily an infostealer, but it also has keylogging capability and can bypass antivirus products. A spear-phishing campaign has been detected that distributes the HawkEye keylogger through malicious RTF documents attached to coronavirus-themed emails. Most malicious RTF documents rely on an exploit to trigger Object Linking and Embedding (OLE) calls; in this case the documents instead use the \objupdate switch, which forces the embedded objects to refresh when the document is opened. The victim still has to enable macros for the infection chain to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code that downloads and runs the HawkEye payload.
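Added example, not code from the Rewterz alert: a small Python triage script that scans an RTF file for the combination described above, the \objupdate control word together with embedded OLE objects. The sample RTF is constructed for the example, and the Excel.SheetMacroEnabled.12 class name is an assumption about how a macro-enabled sheet would be labelled, not a value from the alert.

```python
import re

# OLE compound-file signature. Real \objdata blobs wrap the native document in an
# OLE1 header, so the magic is searched for anywhere in the decoded bytes, not at offset 0.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_rtf(n_objects: int, auto_update: bool) -> str:
    # Constructed test input: an RTF with n embedded OLE objects. Each object
    # carries only the OLE magic plus padding, not a real workbook. The class
    # name is an assumed ProgID for a macro-enabled sheet (not from the alert).
    objs = []
    for _ in range(n_objects):
        data = (OLE_MAGIC + b"\x00" * 8).hex()
        upd = r"\objupdate" if auto_update else ""
        objs.append(r"{\object\objemb" + upd
                    + r"{\*\objclass Excel.SheetMacroEnabled.12}"
                    + r"{\*\objdata " + data + "}}")
    return r"{\rtf1\ansi " + "".join(objs) + "}"


def analyze_rtf(rtf: str) -> dict:
    # Count the RTF features the alert describes and flag the combination:
    # \objupdate (object refreshes on open) plus embedded OLE compound data.
    findings = {
        "objupdate": len(re.findall(r"\\objupdate\b", rtf)),
        "objemb": len(re.findall(r"\\objemb\b", rtf)),
        "excel_macro_classes": len(re.findall(
            r"\\objclass\s+Excel\.SheetMacroEnabled", rtf)),
        "ole_objects": 0,
    }
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        try:
            blob = bytes.fromhex(hexdata)
        except ValueError:
            continue  # malformed hex: skip the object rather than abort triage
        if OLE_MAGIC in blob:
            findings["ole_objects"] += 1
    findings["suspicious"] = (findings["objupdate"] > 0
                              and findings["ole_objects"] > 0)
    return findings


if __name__ == "__main__":
    print(analyze_rtf(build_sample_rtf(5, True)))
```

A document with \objupdate but no decodable OLE data, or OLE data without \objupdate, is reported but not flagged, so the rule targets the specific combination rather than every RTF with an embedded object.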
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.