Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware known as Agent Tesla.
The infection chains leverage decoy Excel documents attached to invoice-themed messages to trick potential targets into opening them and trigger the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that could result in code execution with the privileges of the user.
The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the security flaw to deliver the malware.
"Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaivalya Khursale said.
The first payload is an obfuscated Visual Basic Script, which initiates the download of a malicious JPG file that comes embedded with a Base64-encoded DLL file. This steganographic evasion tactic was previously also detailed by McAfee Labs in September 2023.
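The "DLL hidden as Base64 text inside a JPG" tactic described above is cheap to triage on the defender's side: a file that looks like an image but carries a long run of Base64 characters which decodes to a PE header (`MZ`) is not a normal picture. The following scanner is an added example written for this article, not code from Zscaler or from the campaign; the JPEG container and the fake DLL bytes it searches are constructed inline, and the 64-character minimum run length is an assumed tuning value.

```python
import base64
import re

# Constructed fake PE image (hypothetical): 168 bytes that begin with the "MZ" DOS
# header magic, so a decoder can recognise it. It is NOT a real DLL.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 100

# Base64 alphabet runs of at least 64 characters, optionally padded with "=".
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_sample_jpeg() -> bytes:
    """Return a constructed JPEG-shaped blob with a Base64-encoded PE appended.

    Layout: SOI + APP0/JFIF header, non-Base64 filler standing in for pixel data,
    a harmless long Base64-looking run (must not be flagged), then the encoded
    fake DLL, then the EOI marker. This is sample input, not a file from the wild.
    """
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # how a real JPEG starts
    pixels = b"\x00\xff" * 64                          # bytes outside the Base64 alphabet
    benign_run = b"A" * 80                             # decodes to zero bytes, not "MZ"
    encoded = base64.b64encode(FAKE_DLL)               # 168 bytes -> 224 chars, no padding
    return header + pixels + benign_run + b"\x00\xff" + encoded + b"\xff\xd9"


def find_embedded_pe(data: bytes) -> list:
    """Scan arbitrary bytes for Base64 runs that decode to a PE (MZ) image.

    Returns one dict per hit with the run's offset, its length, and the decoded
    payload, so an analyst can carve the DLL out for further inspection.
    """
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        # A run cut off mid-quantum cannot be decoded; drop the trailing remainder.
        run = run[: len(run) - (len(run) % 4)]
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            hits.append({
                "offset": m.start(),
                "b64_len": len(run),
                "decoded_size": len(decoded),
                "payload": decoded,
            })
    return hits


if __name__ == "__main__":
    sample = build_sample_jpeg()
    for hit in find_embedded_pe(sample):
        print(f"PE image hidden at offset {hit['offset']}: "
              f"{hit['b64_len']} Base64 chars -> {hit['decoded_size']} bytes")
```

Run against a real attachment the scanner is a first-pass triage aid, not proof of malice: a legitimate image with a trailing Base64 blob is rare enough that any hit deserves a look, and carving the decoded bytes lets you hash them and check them against existing detections.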
The concealed DLL is subsequently injected into RegAsm.exe, the Windows Assembly Registration Tool, to launch the final payload. It's worth noting that the executable has also been abused to load Quasar RAT in the past.
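The chain described so far (Excel opens the decoy, Equation Editor is exploited, a script downloads the image, and the carved DLL is run inside RegAsm.exe) leaves a distinctive process tree in endpoint telemetry. The detector below is an added example for this article, not Zscaler's or Microsoft's code. It assumes Sysmon-style process-creation events with `pid`, `ppid`, `image` and `cmdline` fields, that the Equation Editor binary is `EQNEDT32.EXE`, and that a legitimate RegAsm.exe invocation normally names the assembly to register on its command line; the log lines are constructed samples, not real telemetry.

```python
import json
import ntpath   # handles Windows paths regardless of the host OS

# Constructed Sysmon-style events (hypothetical paths and PIDs): one malicious
# chain (pids 100-400) and one benign RegAsm.exe use by a developer (pids 500-600).
SAMPLE_LOG = [
    r'{"pid": 100, "ppid": 1,   "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE invoice_0424.xls"}',
    r'{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "cmdline": "EQNEDT32.EXE -Embedding"}',
    r'{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\stage1.vbs"}',
    r'{"pid": 400, "ppid": 300, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"}',
    r'{"pid": 500, "ppid": 1,   "image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmdline": "devenv.exe"}',
    r'{"pid": 600, "ppid": 500, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "cmdline": "RegAsm.exe C:\\build\\MyLib.dll /codebase"}',
]

# Script and command interpreters that have no business launching RegAsm.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def load_events(lines) -> list:
    """Parse JSON-per-line process-creation events into dicts."""
    return [json.loads(line) for line in lines]


def detect_chain(events: list) -> list:
    """Return alerts for the Equation Editor -> script -> RegAsm.exe pattern.

    Rules (each alert names the rule, the parent/child images and the child pid):
      1. Any child process of EQNEDT32.EXE. Office may legitimately start the
         Equation Editor for a document with equations, but the editor itself
         should never spawn other programs.
      2. RegAsm.exe whose parent is a script host or shell.
      3. RegAsm.exe started with no assembly argument at all.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        parent_ev = by_pid.get(e["ppid"])
        parent = ntpath.basename(parent_ev["image"]).lower() if parent_ev else None
        args = e.get("cmdline", "").split()[1:]

        def alert(rule):
            alerts.append({"rule": rule, "parent": parent, "child": child, "pid": e["pid"]})

        if parent == "eqnedt32.exe":
            alert("equation-editor-child-process")
        if child == "regasm.exe" and parent in SCRIPT_HOSTS:
            alert("regasm-from-script-host")
        if child == "regasm.exe" and not args:
            alert("regasm-without-assembly-argument")
    return alerts


if __name__ == "__main__":
    for a in detect_chain(load_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['parent']} -> {a['child']} (pid {a['pid']})")
```

Rule 1 is the high-fidelity signal: even when the exploited document is not the one named in the report, Equation Editor spawning a script host is the generic footprint of CVE-2017-11882 abuse. Rules 2 and 3 catch the RegAsm.exe stage on its own, which matters because, as the article notes, the same binary has been used to host other payloads such as Quasar RAT.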
Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT) that's equipped to harvest sensitive information from compromised hosts. The malware then communicates with a remote server to extract the collected data.
"Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Khursale said.
The development comes as old security flaws become new attack targets for threat actors. Earlier this week, Imperva revealed that a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS score: 7.2) is being used by the 8220 Gang to deliver cryptocurrency miners.
It also coincides with an uptick in DarkGate malware activity after it began to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following its takedown back in August 2023.
"The technology sector is the most impacted by DarkGate attack campaigns," Zscaler said, citing customer telemetry data.
"Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals."
Phishing campaigns have also been discovered targeting the hospitality sector with booking-related email messages to distribute information stealer malware such as RedLine Stealer or Vidar Stealer, according to Sophos.
"They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would need to respond to quickly," researchers Andrew Brandt and Sean Gallagher said.
"Only after the target responds to the threat actor's initial email does the threat actor send a followup message linking to what they claim is details about their request or complaint."
Stealers and trojans aside, phishing attacks have further taken the form of bogus Instagram "Copyright Infringement" emails to steal users' two-factor authentication (2FA) backup codes via fraudulent web pages with an aim to bypass account protections, a scheme called Insta-Phish-A-Gram.
"The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account," the cybersecurity company said.