Some changes to malicious RTF docs delivering Hawkeye
I am seeing a few changes today from the scumbags who are distributing the Hawkeye Keylogger Trojan. The email template is a typical fake Purchase Order with a malicious Word doc attachment. The Word doc is actually an RTF that uses the CVE-2017-11882 equation editor exploit. Where the changes come in is the obfuscation or encoding of the RTF file, which makes analysis slightly more complicated and is intended to bypass existing detections from antivirus products and network perimeter defences. This malicious RTF / Word doc has 87 pages of pure garbage displayed. The first page is blank, then dozens of …
