Malicious RTF docs used to deliver Hawkeye keylogger trojan in a new phishing campaign

• The malicious Word document uses the CVE-2017-1182 equation editor exploit to spread into a victim’s system.
• The first few pages of the Word document is blank and then has some pages that appear to be written in Vietnamese.

A new phishing campaign has been discovered distributing Hawkeye keylogger trojan. The malware comes in the form of a Microsoft Word document attached in a spoofed email. The Word document is actually a Rich Text File(RTF) that uses the CVE-2017-1182 equation editor exploit.

Modus Operandi

In the campaign, the users are sent spoofed emails that go with the subject line of ‘Purchase Order’. It contains a malicious Word document attachment - which has 87 pages of pure garbage displayed.

The first few pages of the Word document are blank and then it has some pages that appear to be written in Vietnamese.

In order to entice or persuade users into clicking on the email and opening the attachment, the scammers use attractive email addresses and subject lines. For a better response, the scammers have been found using the campaign against small and medium businesses.

Once the malicious Word document is opened on a victim’s computer, it contacts http[:]//bit[.]ly/2D1Ob77 and downloads the Hawkeye keylogger from http[:]//aoiap[.]org/q.png which is actually not an image but a renamed .exe file.

Types of devices infected

These malicious macros only infect Windows computers. All Mac, iPhone, iPad, Blackberry, Windows phone and Android phone are not affected in this phishing campaign.

However, the malicious word file can open on any device that has an office program installed. Moreover, these macros do not run in some products such as Office Online, Open Office, Libre Office, and Word Perfect.