Attackers are exploiting a 6-year-old Microsoft Office remote code execution (RCE) flaw to deliver spyware, in an email campaign weaponized with malicious Excel attachments and characterized by sophisticated evasion tactics.
Threat actors dangle lures related to business activity in spam emails that deliver files exploiting CVE-2017-11882, an RCE flaw that dates back to 2014 and can allow for system takeover, Zscaler revealed in a blog post published Dec. 19. The end goal of the attack is to load Agent Tesla, a remote access Trojan (RAT) and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.
CVE-2017-11882 is a memory-corruption flaw found in the Equation Editor of Microsoft Office. An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and even take over the affected system if the user is logged on with administrator rights. Though the vulnerability has long been patched, older versions of Microsoft Office still in use may be vulnerable.
Despite being nearly a decade old, Agent Tesla remains a common weapon used by attackers and includes features such as clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different Web browsers.
The attack vector is unique in that it pairs a longstanding vulnerability with new complexity and evasion tactics that demonstrate adaptation in attackers' infection methods, thus "making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Zscaler senior security researcher Kaivalya Khursale noted in the post.
Email-Based Cyberattack: Typical Lures, Novel Tactics
In its initial infection vector, the campaign seems unexceptional, with threat actors using socially engineered emails with business-oriented lures in messages peppered with words such as "orders" and "invoices." The messages add a sense of urgency by requesting an immediate response from recipients.
But once a user takes the bait, the attack method veers into the unconventional, the researchers found. Opening the malicious Excel attachment with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long. This adds "a layer of complexity to the analysis and deobfuscation," Khursale wrote.
This file in turn begins the download of a malicious JPG file, after which the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL.
After the PowerShell loads, there is another novel tactic: It executes the RegAsm.exe file — the primary function of which is usually associated with registry read-write operations, Khursale noted. However, in the attack context, the file's purpose is to carry out malicious actions under the guise of a genuine operation, he said. From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.
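The step in the chain above that hides a Base64-encoded DLL inside a JPG is something a defender can check for directly. The following Python is an added example written for this article; it is not code from the Zscaler post or from the campaign. It scans an image file for any long run of Base64 characters that decodes to a Windows PE (an "MZ" DOS header whose e_lfanew offset points at a "PE\0\0" signature) and also reports how many bytes trail the JPEG end-of-image marker, since a picture that has an executable appended after that marker is no longer just a picture. The sample JPEG framing, the PE-shaped test blob, and the 64-character run threshold are all constructed or assumed here, not values taken from the post.

```python
import base64
import re
import struct
from typing import Optional

# Minimum length of a Base64 run worth decoding (assumed threshold, not from the post)
MIN_B64_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)

JPEG_SOI = b"\xff\xd8"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker; bytes after it are not picture data


def decode_lenient(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run, tolerating missing '=' padding; None if it is not valid Base64."""
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def trailing_after_eoi(image: bytes) -> int:
    """Number of bytes after the last JPEG EOI marker (0 for a file that ends where it should)."""
    idx = image.rfind(JPEG_EOI)
    return len(image) - idx - len(JPEG_EOI) if idx >= 0 else len(image)


def find_embedded_pe(image: bytes) -> Optional[dict]:
    """Scan every long Base64 run in the file and report the first one that decodes to a PE."""
    for m in B64_RUN.finditer(image):
        decoded = decode_lenient(m.group(0))
        if decoded is not None and looks_like_pe(decoded):
            return {
                "offset": m.start(),
                "encoded_len": len(m.group(0)),
                "decoded_len": len(decoded),
            }
    return None


def build_fake_pe() -> bytes:
    """Constructed PE-shaped test blob: MZ stub plus 'PE\\0\\0' at e_lfanew. Not executable."""
    blob = bytearray(104)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


def build_constructed_samples() -> tuple:
    """Return (clean_jpeg, jpeg_with_base64_pe_appended); both are constructed test inputs."""
    clean = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    dirty = clean + base64.b64encode(build_fake_pe())
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = build_constructed_samples()
    print("clean:", find_embedded_pe(clean), "trailing bytes:", trailing_after_eoi(clean))
    print("dirty:", find_embedded_pe(dirty), "trailing bytes:", trailing_after_eoi(dirty))
```

To run it against a real downloaded attachment, read the file with `open(path, "rb").read()` and pass the bytes to `find_embedded_pe` and `trailing_after_eoi`. A hit on the first, or a large non-zero result from the second, is a reason to quarantine the file; the check is cheap enough to run on every image pulled from a mail gateway.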
Agent Tesla Malware in Action
Once deployed, the spyware RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors. It also attempts to install keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts the event before the action occurs, Khursale said. The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.
Zscaler included a comprehensive list of indicators of compromise (IoCs) in the blog post — including a list of the Telegram URLs used for exfiltration; malicious URLs; various malicious Excel, VBS, JPG, and DLL files; and malicious executables — to help determine whether a system has been compromised. The post also includes a detailed list of the browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials, to help organizations remain vigilant.