Attackers are exploiting a 6-year-old Microsoft Office remote code execution flaw to deliver spyware, in an email campaign weaponized by malicious Excel attachments and characterized by sophisticated evasion tactics.
Threat actors dangle lures relating to business activity in spam emails that deliver files that contain CVE-2017-11882, an RCE flaw that dates back to 2014 and can allow for system takeover, Zscaler revealed in a blog post published Dec. 19.
The end goal of the attack is to load Agent Tesla, a remote access Trojan and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.
CVE-20170-11882 is a memory-corruption flaw found in the Equation Editor of Microsoft Office.
An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and even take over the affected system if a user is logged on with administrator rights.
Though the vulnerability has long been patched, older versions of Microsoft Office still in use may be vulnerable.
Despite being nearly a decade old, Agent Tesla remains a common weapon used by attackers and includes features such as clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different Web browsers.
Once a user takes the bait, the attack method veers into the unconventional, the researchers found.
Opening the malicious Excel attachment with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long.
This file in turn starts the download of a malicious JPG file, after which the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. After the PowerShell loads, there's another novel tactic: It executes the RegAsm.
Exe file - the primary function of which is typically associated with registry read-write operations, Khursale noted.
In the attack context, the file's purpose is to carry out malicious activities under the guise of a genuine operation, he said.
From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.
Agent Tesla Malware in Action Once deployed, the spyware RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors.
It also attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes.
When a user acts, the threat actor's function intercepts before the action occurs, Khursale said.
The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.
Zscaler included a comprehensive list of indicators of compromise in the blog post - including a list of the Telegram URLs used for exfiltration; malicious URLS; various malicious Excel, VBS, JPG, and DLL files; and malicious executables - to help identify if a system has been compromised.
The post also includes an extensive list of browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials to help organizations remain vigilant.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 20 Dec 2023 16:05:23 +0000