Attackers are exploiting a 6-year-old Microsoft Office remote code execution (RCE) flaw to deliver spyware, in an email campaign weaponized by malicious Excel attachments and characterized by sophisticated evasion tactics.
Threat actors dangle lures relating to business activity in spam emails that deliver files exploiting CVE-2017-11882, an RCE flaw that dates back to 2014 and can allow for system takeover, Zscaler revealed in a blog post published Dec. 19. The end goal of the attack is to load Agent Tesla, a remote access Trojan (RAT) and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.
CVE-2017-11882 is a memory-corruption flaw found in the Equation Editor of Microsoft Office. An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and even take over the affected system if the user is logged on with administrator rights. Though the vulnerability has long been patched, older versions of Microsoft Office still in use may be vulnerable.
Despite being nearly a decade old, Agent Tesla remains a common weapon used by attackers and includes features such as clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different Web browsers.
The attack vector is unique in that it pairs a longstanding vulnerability with new complexity and evasion tactics that demonstrate adaptation in attackers’ infection methods, thus “making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape,” Zscaler senior security researcher Kaivalya Khursale noted in the post.
Email-Based Cyberattack: Typical Lures, Novel Tactics
In its initial infection vector, the campaign seems unexceptional, with threat actors using socially engineered emails with business-oriented lures in messages peppered with words such as “orders” and “invoices.” The messages add a sense of urgency by requesting an immediate response from recipients.
But once a user takes the bait, the attack method veers into the unconventional, the researchers found. Opening the malicious Excel attachment with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long. This adds “a layer of complexity to the analysis and deobfuscation,” Khursale wrote.
This file in turn starts the download of a malicious JPG file, after which the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL.
After the PowerShell loads, there’s another novel tactic: It executes the RegAsm.exe file — the primary function of which is usually associated with registry read-write operations, Khursale noted. However, in the attack context, the file’s purpose is to carry out malicious actions under the guise of a genuine operation, he said. From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.
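A defender-side check for the stage described above, in which the DLL travels as Base64 text inside a JPG: this is an added Python example, not Zscaler's code, that scans a file for long Base64 runs that decode to a PE image (an MZ header whose e_lfanew field points at the PE signature). The sample image it scans is constructed inline.

```python
import base64
import re
import struct

# Base64 runs of at least 64 characters (long enough to carry a PE header).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_base64_pe(data: bytes) -> list:
    """Return (offset, decoded_length) for each Base64 run in data that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            # Unpadded or partial run: keep whole 4-character groups only and retry.
            core = run.rstrip(b"=")
            core = core[: len(core) - len(core) % 4]
            decoded = base64.b64decode(core, validate=True) if core else b""
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def build_sample_jpeg() -> bytes:
    """Constructed test input: a JPEG-like wrapper with a Base64-encoded PE stub embedded in it."""
    e_lfanew = 0x80
    stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub += b"\x00" * (e_lfanew - len(stub)) + b"PE\x00\x00" + b"\x00" * 32
    return b"\xff\xd8\xff\xe0JFIF" + b"\x01" * 16 + base64.b64encode(stub) + b"\xff\xd9"


if __name__ == "__main__":
    for offset, size in find_base64_pe(build_sample_jpeg()):
        print(f"embedded PE image: base64 run at offset {offset}, {size} decoded bytes")
```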
Agent Tesla Malware in Action
Once deployed, the spyware RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors. It also attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor’s function intercepts before the action occurs, Khursale said. The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.
Zscaler included a comprehensive list of indicators of compromise (IoCs) in the blog post — including a list of the Telegram URLs used for exfiltration; malicious URLs; various malicious Excel, VBS, JPG, and DLL files; and malicious executables — to help identify whether a system has been compromised. The post also includes a detailed list of browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials, to help organizations remain vigilant.