Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware known as Agent Tesla.
The infection chains leverage decoy Excel documents attached to invoice-themed messages to trick potential targets into opening them and trigger the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that could result in code execution with the privileges of the user.
The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the security flaw to deliver the malware.
"Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaivalya Khursale said.
The first payload is an obfuscated Visual Basic Script, which initiates the download of a malicious JPG file that comes embedded with a Base64-encoded DLL file. This steganographic evasion tactic was previously also detailed by McAfee Labs in September 2023.
The concealed DLL is subsequently injected into RegAsm.exe, the Windows Assembly Registration Tool, to launch the final payload. It's worth noting that the executable has also been abused to load Quasar RAT in the past.
Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT) that's equipped to harvest sensitive information from compromised hosts. The malware then communicates with a remote server to extract the collected data.
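The image-with-embedded-DLL stage described above is something a mail gateway or sandbox can check for directly: a Base64-encoded PE file shows up as a long run of Base64 alphabet characters, typically appended after the JPEG end-of-image marker, that decodes to an `MZ` header pointing at a `PE\0\0` signature. The scanner below is an added example written for this article, not code from Zscaler, McAfee, or any vendor named here; the sample image and the minimal PE-like blob it detects are constructed inline purely to exercise the check.

```python
"""Flag image files that carry a Base64-encoded PE (DLL/EXE) inside them.

Added example for this article. The JPEG bytes and the PE-like blob below
are constructed test data, not samples from the campaign being described.
"""
import base64
import binascii
import re
import struct

# A PE image is far longer than 64 Base64 characters; shorter runs are noise.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
_JPEG_EOI = b"\xff\xd9"  # end-of-image marker; legitimate JPEG data stops here


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(image: bytes) -> list[dict]:
    """Return one finding per Base64 run in `image` that decodes to a PE image."""
    findings = []
    eoi = image.rfind(_JPEG_EOI)
    for match in _B64_RUN.finditer(image):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # drop stray trailing chars so decode aligns
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(decoded):
            findings.append({
                "offset": match.start(),
                "after_eoi": eoi != -1 and match.start() > eoi,  # trailing data past EOI
                "decoded_size": len(decoded),
            })
    return findings


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like blob: MZ stub, e_lfanew=0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed JPEG-like prefix: SOI, APP0/JFIF marker, filler, then EOI.
BENIGN_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00\xff" * 64 + _JPEG_EOI
# Constructed malicious sample: Base64 PE appended after the end-of-image marker.
SAMPLE_IMAGE = BENIGN_IMAGE + base64.b64encode(build_fake_pe())


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_IMAGE), ("sample", SAMPLE_IMAGE)):
        print(name, find_embedded_pe(data))
```

The check deliberately decodes every candidate run and validates the PE header rather than alerting on "data after EOI" alone, since many legitimate tools append metadata there; conversely, a PE hidden inside a JPEG segment before the EOI is still caught because the regex scans the whole file. For large images the Base64 run should be streamed rather than held in memory, and a production version would also try the `=`-free and URL-safe alphabets.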
"Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Khursale said.
The development comes as old security flaws become new attack targets for threat actors. Earlier this week, Imperva revealed that a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS score: 7.2) is being used by the 8220 Gang to deliver cryptocurrency miners.
It also coincides with an uptick in DarkGate malware activity after it started to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following its takedown back in August 2023.
"The technology sector is the most impacted by DarkGate attack campaigns," Zscaler said, citing customer telemetry data.
"Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals."
Phishing campaigns have also been discovered targeting the hospitality sector with booking-related email messages to distribute information stealer malware such as RedLine Stealer or Vidar Stealer, according to Sophos.
"They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would want to respond to quickly," researchers Andrew Brandt and Sean Gallagher said.
"Only after the target responds to the threat actor's initial email does the threat actor send a followup message linking to what they claim is details about their request or complaint."
Stealers and trojans aside, phishing attacks have taken the form of bogus Instagram "Copyright Infringement" emails to steal users' two-factor authentication (2FA) backup codes via fraudulent web pages with an aim to bypass account protections, a scheme dubbed Insta-Phish-A-Gram.
"The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account," the cybersecurity company said.