Rewterz

Rewterz Threat Alert – Remcos RAT – Active IOCs

December 8, 2021

State of Ransomware in 2021

December 8, 2021

Rewterz Threat Alert – HawkEye Infostealer – Active IOCs

Severity

Medium

Analysis Summary

HawkEye, primarily an infostealer, has additional capabilities such as bypassing of AV systems and keylogging. A spear-phishing campaign is detected using malicious RTF documents sent via corona-themed emails to distribute the HawkEye keylogger. While most malicious RTF documents use exploits to trigger Object Linking and Embedding (OLE) calls, in this case, the documents use the \objupdate switch. A victim would need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is used to execute .NET code which downloads and executes the Hawkeye payload.

Impact

  • Information Theft
  • Credential Theft
  • Antivirus Bypass

Indicators of Compromise

MD5

  • 805fbb84293e86f25b566a5b2c2815d2
  • 083d4cde33e6721f595a468bb7d17ada
  • 32eb10c12a29b38f13730cd1f5dcad4d
  • 3f332b62eee0970f3189c689d5bd042a

SHA-256

  • e78fcd503a6b0a663ab4a72b97c010c932840998da05784ba75f7d6802ea822f
  • f636fa169cbb4d9038ea21b5b1258a3ab92be41bbab0020c90c8ecba105616e2
  • 06550442678fb92b0273b83f349d47d3654fb72a7d98398ce3b63e3635b8e8f1
  • 7c7983ada08828ea0c0ed5b17b05f8dad5bf6fa44e1a4692c37f18c340e14219

SHA-1

  • 5712f69eafca434e4d6cdfd8081ebfb728708c25
  • 0e2766c31f8dc69a320b6176d62f6784c9f590dd
  • 4d0eb488a01fed1720483dfa270423bea593ca14
  • f68f7dcc8ffcdd3f93333e711779e8d02db2dfae

Remediation

  • Block all threat indicators at their respective controls.
  • Search for IOCs in your environment.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.