Rewterz Threat Alert – DJVU Ransomware – Active IOCs
March 14, 2022
Severity
Medium
Analysis Summary
HawkEye is primarily an infostealer, with additional capabilities that include antivirus (AV) bypass and keylogging. A spear-phishing campaign has been detected that distributes the HawkEye keylogger through malicious RTF documents attached to coronavirus-themed emails. Whereas most malicious RTF documents rely on exploits to trigger Object Linking and Embedding (OLE) calls, these documents use the \objupdate switch instead. The victim must still enable macros for the infection to proceed. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell then executes .NET code that downloads and runs the HawkEye payload.
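The \objupdate technique described above can be triaged without opening the document: the control word is visible in the raw RTF. The following Python scanner is an added example, not Rewterz's tooling, and the sample RTF it checks is a constructed stand-in for the documents in this campaign (its object class names and hex data are assumptions).

```python
import re
from dataclasses import dataclass, field

# Constructed sample RTF (not a real malicious document): one embedded OLE
# object carrying the \objupdate switch, plus a second plain embedded object.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}}"
    r"\pard Please review the attached COVID-19 guidance.\par"
    r"{\object\objemb\objupdate{\*\objclass Excel.SheetMacroEnabled.12}"
    r"{\*\objdata 0105000002000000}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 0102}}"
    r"}"
)

@dataclass
class RtfFindings:
    object_count: int = 0       # number of \object groups (embedded OLE objects)
    objupdate_count: int = 0    # how many objects carry the \objupdate switch
    classes: list = field(default_factory=list)  # \objclass values seen
    macro_enabled_objects: bool = False          # any macro-enabled Office class?
    suspicious: bool = False

OBJECT_RE = re.compile(r"\\object\b")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")

def scan_rtf(data: str) -> RtfFindings:
    """Count embedded OLE objects in RTF text and flag \objupdate usage.

    \objupdate tells Word to refresh the object when the document opens,
    which fires the OLE call without any exploit; that is the behaviour the
    alert describes, so its presence alone is enough to flag the file.
    """
    f = RtfFindings()
    f.object_count = len(OBJECT_RE.findall(data))
    f.objupdate_count = len(OBJUPDATE_RE.findall(data))
    f.classes = [c.strip() for c in OBJCLASS_RE.findall(data)]
    f.macro_enabled_objects = any("MacroEnabled" in c for c in f.classes)
    f.suspicious = f.objupdate_count > 0
    return f

def scan_rtf_file(path: str) -> RtfFindings:
    """Scan an RTF file on disk; latin-1 keeps every byte representable."""
    with open(path, "rb") as fh:
        return scan_rtf(fh.read().decode("latin-1"))

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

Run it against suspicious attachments in a mail quarantine; a hit on \objupdate together with macro-enabled object classes matches the chain in this alert and warrants sandbox detonation.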
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
Filename
- Reborn Stub[.]exe
MD5
- 9bc01aec43d14db349fae9a179f78f46
SHA-256
- a03265120455f990fb05315ce049ed641c7fb5a62a07e29d904e53f4df5a7b24
SHA-1
- 036efd5ee8f97e50909ec23c7e893d05d972b0e0
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.