Excel Spreadsheets Push SystemBC Malware
released on 2021-02-03 @ 06:38:48 PM
On Monday 2021-02-01, a researcher posted an Excel spreadsheet to the Hatching Triage sandbox. The spreadsheet contains a malicious macro and uses an updated GlobalSign template that Brad Duncan had not noticed before.
This Excel spreadsheet pushed what appears to be SystemBC RAT malware, which has been confirmed by Intezer. The sample was run in a lab that was part of an Active Directory (AD) environment, which also saw Cobalt Strike as follow-up activity from this infection.
This diary reviews this specific instance of SystemBC RAT and Cobalt Strike activity from Monday 2021-02-01.