Threat actors have been observed leveraging a six-year old bug - CVE-2017-11882 - to spread Agent Tesla to vulnerable versions of Microsoft Office.
In a December 19 blog post, Zscaler researchers said CVE-2017-11882 is a remote code execution flaw found in the Equation Editor of Microsoft Office.
It arises because of a weakness in how the software manages system memory for objects.
The researchers said the Agent Tesla infection starts when the threat actors distribute spam emails with malicious attachments in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.
First discovered in 2014, Agent Tesla operates as an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers, according to the researchers.
The fact that the threat actor uses a 2017 vulnerability highlights a depressing truth for security professionals: many organizations are not only failing to update software, they're running end-of-life versions that are well outside of support, said John Bambenek, president of Bambenek Consulting.
Callie Guenther, senior manager, cyber threat research at Critical Start, added that despite being old, the CVE-2017-11882 vulnerability remains effective because of its ability to execute code with user-level privileges.
Guenther said the phishing campaigns cleverly use decoy Excel documents in invoice-themed messages, making it a potent threat.
Patrick Harr, chief executive officer at SlashNext, said it's important for security pros to understand the harm that can come from falling victim to remote access trojan malware.
Harr said it lets cybercriminals secretly take control of victims' computers, enabling data theft, espionage, and access to sensitive systems.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 26 Dec 2023 16:13:12 +0000