Monday, December 25, 2023

Hackers Exploiting MS Excel Vulnerability to Unfold Agent Tesla Malware


Dec 21, 2023 | Newsroom | Vulnerability / Phishing Attack

Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla.

The infection chains use decoy Excel documents attached to invoice-themed messages to trick potential targets into opening them and trigger exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that can result in code execution with the privileges of the user who opened the file.

The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the same flaw to deliver the malware.

"Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaivalya Khursale said.

The first payload is an obfuscated Visual Basic Script, which initiates the download of a malicious JPG file that carries a Base64-encoded DLL embedded in it. This steganographic evasion tactic was previously also detailed by McAfee Labs in September 2023.


The concealed DLL is then decoded and injected into RegAsm.exe, the Windows Assembly Registration Tool, which launches the final payload. It is worth noting that the same executable has also been abused to load Quasar RAT in the past.
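The two artifacts that chain leaves on a host are worth hunting for directly: an image file with a Base64-encoded PE appended to it, and a process lineage in which Equation Editor spawns a script host that in turn launches RegAsm.exe with no assembly to register. The script below is an added example, not code from Zscaler, McAfee or the article; the JPG, the stub "DLL" (a bare DOS header plus PE signature, not a loadable library) and the Sysmon-style process records are all constructed inline, and the rule that RegAsm.exe launched by a script host or without a .dll on its command line is suspicious is an assumption of the example, not a published detection.

```python
"""Hunt for a Base64-encoded DLL hidden in a JPG and for the script-host -> RegAsm.exe
lineage described above. Added example; every input is constructed here, nothing is
fetched or executed."""
import base64
import re
import struct

IMAGE_FILE_DLL = 0x2000          # PE Characteristics flag for a DLL


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped DLL: a valid DOS header and PE signature only.
    It is not a real library and cannot be loaded; it exists so the scan has a target."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew: PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)           # Machine = i386
    struct.pack_into("<H", hdr, 0x56, 0x2102)          # EXECUTABLE | 32BIT | DLL
    return bytes(hdr)


# Constructed sample: a minimal JFIF header, an EOI marker, then the Base64 DLL appended.
JPEG_ONLY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
SAMPLE_JPG = JPEG_ONLY + base64.b64encode(build_fake_pe())

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_is_dll(data: bytes) -> bool:
    """Read COFF Characteristics (22 bytes past the PE signature) and test the DLL bit."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def jpeg_trailer(blob: bytes) -> bytes:
    """Bytes after the last JPEG End-Of-Image marker (FF D9); a clean JPEG returns b''.
    rfind is used because an EXIF thumbnail carries its own EOI earlier in the file."""
    if not blob.startswith(b"\xff\xd8"):
        return b""
    eoi = blob.rfind(b"\xff\xd9")
    return b"" if eoi < 0 else blob[eoi + 2:]


def find_embedded_pe(blob: bytes):
    """Every Base64 run in blob that decodes to a PE image, as (offset, decoded_bytes)."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        if b"=" not in run:                      # unpadded run: drop a partial final quartet
            run = run[: len(run) // 4 * 4]
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:                       # binascii.Error is a ValueError subclass
            continue
        if is_pe(data):
            hits.append((m.start(), data))
    return hits


# Constructed Sysmon-style process creation records (not real telemetry). Equation Editor
# has no business spawning children, and RegAsm.exe normally receives an assembly path.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
PROCESS_EVENTS = [
    {"parent": "EQNEDT32.EXE", "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\victim\AppData\Local\Temp\invoice.vbs"},
    {"parent": "wscript.exe", "image": "RegAsm.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"parent": "devenv.exe", "image": "RegAsm.exe",
     "cmd": r"RegAsm.exe C:\build\MyLib.dll /codebase"},       # benign registration
    {"parent": "explorer.exe", "image": "EXCEL.EXE", "cmd": r"EXCEL.EXE invoice.xlsx"},
]


def suspicious_process_events(events):
    """Flag Equation Editor children and RegAsm.exe runs with no DLL or from a script host."""
    findings = []
    for ev in events:
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"].lower()
        if parent == "eqnedt32.exe":
            findings.append(("equation-editor-spawned-child", ev))
        elif image == "regasm.exe" and (parent in SCRIPT_HOSTS or ".dll" not in cmd):
            findings.append(("regasm-suspicious-launch", ev))
    return findings


if __name__ == "__main__":
    for off, pe in find_embedded_pe(SAMPLE_JPG):
        print(f"Base64 PE at offset {off}, {len(pe)} bytes, DLL={pe_is_dll(pe)}")
    print(f"trailer after EOI: {len(jpeg_trailer(SAMPLE_JPG))} bytes")
    for kind, ev in suspicious_process_events(PROCESS_EVENTS):
        print(kind, ev["parent"], "->", ev["image"])
```

Two checks are deliberately independent: `jpeg_trailer` catches any data appended past the EOI marker even when it is not Base64, while `find_embedded_pe` catches a Base64 PE placed anywhere in the file (inside an APP segment, for instance) even when the image is otherwise well-formed. Real samples may wrap the payload in extra layers (reversed text, custom alphabets), so treat a positive here as a reason to pull the file for analysis, not as the only signature.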

Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT) that is equipped to harvest sensitive information from compromised hosts. The malware then communicates with a remote server to exfiltrate the collected data.

"Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Khursale said.

The development comes as old security flaws become new attack targets for threat actors. Earlier this week, Imperva revealed that a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS score: 7.2) is being used by the 8220 Gang to deliver cryptocurrency miners.

It also coincides with an uptick in DarkGate malware activity after it began to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following that botnet's takedown in August 2023.

"The technology sector is the most impacted by DarkGate attack campaigns," Zscaler said, citing customer telemetry data.

"Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals."


Phishing campaigns have also been discovered targeting the hospitality sector with booking-related email messages to distribute information stealer malware such as RedLine Stealer or Vidar Stealer, according to Sophos.

"They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would want to respond to quickly," researchers Andrew Brandt and Sean Gallagher said.


"Only after the target responds to the threat actor's initial email does the threat actor send a follow-up message linking to what they claim is details about their request or complaint."

Stealers and trojans aside, phishing attacks have further taken the form of bogus Instagram "Copyright Infringement" emails designed to steal users' two-factor authentication (2FA) backup codes through fraudulent web pages, with the aim of bypassing account protections, in a scheme called Insta-Phish-A-Gram.

"The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account," the cybersecurity firm said.
