Threat Actors Exploit Microsoft Office Vulnerability to Spread Agent Tesla Malware

Dec 22, 2023 | News

Threat actors have been observed exploiting an old Microsoft Office vulnerability, known as CVE-2017-11882, to propagate the Agent Tesla malware. This vulnerability, with a CVSS score of 7.8, has become a focal point for phishing campaigns aimed at spreading the spyware, which is designed to clandestinely collect keystrokes, system clipboard data, screenshots, and credentials from infected systems.
 
First discovered by experts in June 2018, Agent Tesla has been in circulation since 2014, initially distributed through a malicious Microsoft Word document containing an auto-executable VBA Macro. Once users enable the macro, the spyware is installed on their machines, allowing threat actors to conduct covert surveillance and data theft.


Recent phishing campaigns have seen attackers employing spam messages with keywords like “orders” and “invoices” to entice recipients into opening weaponized Excel documents, furthering the spread of the malware.
 
The CVE-2017-11882 flaw, a memory-corruption issue affecting all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365, poses a significant risk. This vulnerability can be triggered on all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update. Specifically, the flaw affects the MS Office component EQNEDT32.EXE, responsible for the insertion and editing of equations in documents, and could be exploited by threat actors to execute malicious code in the context of the logged-in user.



Despite being patched in 2017, threat actors continue to exploit this vulnerability in the wild, with a recent surge in attacks leveraging the issue.
 
Zscaler’s report highlights the intricate tactics employed by threat actors to deliver Agent Tesla, emphasizing the need for organizations to remain vigilant and informed about evolving cyber threats to protect their digital infrastructure.
 
The infection chain relies on an obfuscated VBS file whose variable names are 100 characters long, which makes analysis and deobfuscation noticeably harder. The VBS file then downloads a malicious JPG file that carries a Base64-encoded DLL.
[Figure: Agent Tesla phishing]
Once the JPG file has been downloaded, the VBS file launches PowerShell, which extracts the Base64-encoded DLL from the image, decodes it, and executes the malicious code the DLL contains.
 
“In addition to staying on top of these threats, Zscaler’s ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community,” concludes the report, underscoring the ongoing efforts to combat emerging cyber threats.


Source: securityaffairs.com
