Rewterz Threat Alert – HawkEye Infostealer – Active IOCs

Severity

Medium

Analysis Summary

HawkEye is primarily an infostealer, but it also has additional capabilities such as antivirus evasion and keylogging. A spear-phishing campaign has been detected that uses malicious RTF documents, sent in coronavirus-themed emails, to distribute the HawkEye keylogger. Most malicious RTF documents rely on exploits to trigger Object Linking and Embedding (OLE) calls; in this case, the documents instead use the \objupdate switch, which forces the embedded objects to refresh when the document is opened. A victim would still need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code that downloads and executes the HawkEye payload.
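As an added defender-side example (not part of the Rewterz alert), the following Python triage helper looks for the traits described above in an RTF file: `\object` groups, the `\objupdate` switch, hex-encoded `\objdata` payloads carrying an OLE2 compound-file header (what an embedded Excel workbook looks like), and a hash match against the IOCs listed in this alert. The sample RTF it builds is constructed for the demonstration and is not a real malware file.

```python
import hashlib
import re

# Hashes published in this alert.
IOC_MD5 = {"83827b8cffe67a789b03e342ed3b1572"}
IOC_SHA256 = {"029910f3fc7c1bc1daa32a70bd334ccc767e7a0d0bdc011881099c9507adb3b6"}

# OLE2 compound-file signature (D0 CF 11 E0 A1 B1 1A E1) as it appears
# hex-encoded inside an RTF \objdata group.
OLE2_MAGIC_HEX = "d0cf11e0a1b11ae1"


def triage_rtf(data: bytes) -> dict:
    """Return triage facts for one RTF: object count, \\objupdate use, OLE2 payloads, IOC hits."""
    text = data.decode("latin-1")
    objects = len(re.findall(r"\\object\b", text))
    objupdate = len(re.findall(r"\\objupdate\b", text))
    ole2_payloads = 0
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]*)", text):
        blob = re.sub(r"\s+", "", m.group(1)).lower()
        if OLE2_MAGIC_HEX in blob:
            ole2_payloads += 1
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "is_rtf": text.lstrip().startswith("{\\rtf"),
        "embedded_objects": objects,
        "objupdate_count": objupdate,
        "ole2_payloads": ole2_payloads,
        "ioc_hash_match": md5 in IOC_MD5 or sha256 in IOC_SHA256,
        # Campaign heuristic: embedded objects forced to refresh on open via \objupdate.
        "suspicious": objects > 0 and objupdate > 0,
    }


def build_sample_rtf(n_objects: int) -> bytes:
    """Constructed sample: n embedded objects with \\objupdate, mimicking the layout described above."""
    # Constructed \objdata: an OLE1 stream header followed by an OLE2 signature and padding.
    fake_objdata = "0105000002000000" + OLE2_MAGIC_HEX + "00" * 8
    obj = ("{\\object\\objemb\\objupdate{\\*\\objclass Excel.Sheet.12}"
           "{\\*\\objdata " + fake_objdata + "}}")
    return ("{\\rtf1\\ansi " + obj * n_objects + "}").encode("latin-1")


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf(5)))
```

Pass the bytes of any suspect RTF to `triage_rtf`; a result with `suspicious` set and several `ole2_payloads` matches the pattern this alert describes and warrants sandbox detonation rather than opening the file.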

Impact

  • Information Theft
  • Credential Theft
  • Antivirus Bypass

Indicators of Compromise

MD5

  • 83827b8cffe67a789b03e342ed3b1572

SHA-256

  • 029910f3fc7c1bc1daa32a70bd334ccc767e7a0d0bdc011881099c9507adb3b6

SHA-1

  • e4cd65c315d7c4c37a89767e11f9c52d64753d0f

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.