Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware

Malicious attachments that exploit an RCE flaw from 2017 are propagating Agent Tesla via socially engineered emails and an evasive infection method.
December 20, 2023
Attackers are exploiting a 6-year-old Microsoft Office remote code execution (RCE) flaw to deliver spyware, in an email campaign weaponized by malicious Excel attachments and characterized by sophisticated evasion tactics.
Threat actors dangle business-themed lures in spam emails that deliver files exploiting CVE-2017-11882, an RCE flaw disclosed and patched in 2017 that can allow for system takeover, Zscaler revealed in a blog post published Dec. 19. The end goal of the attack is to load Agent Tesla, a remote access Trojan (RAT) and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.
CVE-2017-11882 is a memory-corruption flaw in the Equation Editor component of Microsoft Office. An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and can take over the affected system outright if that user is logged on with administrator rights. Microsoft patched the vulnerability in November 2017 and removed the Equation Editor component entirely in January 2018, but unpatched installations of older Office versions remain exploitable.
Despite being nearly a decade old, Agent Tesla remains a common weapon used by attackers and includes features such as clipboard logging, keylogging, screen capturing, and extracting stored passwords from a range of Web browsers.
The campaign stands out because it pairs a longstanding vulnerability with new complexity and evasion tactics that demonstrate adaptation in attackers' infection methods, thus "making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Zscaler senior security researcher Kaivalya Khursale noted in the post.
In its initial infection vector, the campaign seems unexceptional, with threat actors using socially engineered emails with business-oriented lures in messages peppered with words such as "orders" and "invoices." The messages add a sense of urgency by requesting an immediate response from recipients.
But once a user takes the bait, the attack method veers into the unconventional, the researchers found. Opening the malicious Excel attachment with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long. This adds "a layer of complexity to the analysis and deobfuscation," Khursale wrote.
This file in turn downloads a malicious JPG file, after which the VBS launches PowerShell, which extracts a Base64-encoded DLL from the image file, decodes it, and loads the malicious routines from the decoded DLL.
Once the PowerShell stage is running, there is another novel tactic: it executes RegAsm.exe, a legitimate Microsoft .NET Framework tool whose primary function, registering assemblies for COM interop, is typically associated with registry read-write operations, Khursale noted. In the attack context, however, the binary is used to carry out malicious activity under the guise of a genuine operation, he said. From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.
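The image-carrier step above is also a detection opportunity: a scanner does not have to untangle the obfuscated VBS if it can recognise a PE file hidden as Base64 text inside a JPG. The following Python is an added example written for this article, not Zscaler's code or anything taken from the malware. It scans an arbitrary file for long Base64 runs, decodes each one, and keeps only those that validate as a PE image (a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature). The JPEG-like carrier and the stub "DLL" it checks are constructed inline for illustration and contain no code.

```python
import base64
import binascii
import re
import struct

# A real DLL encodes to many kilobytes of Base64, so runs shorter than
# 64 characters are ignored as noise (markers, short ASCII strings).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(data: bytes) -> list:
    """Return every decoded PE image found as a Base64 run inside data.

    The carrier is treated as opaque bytes, so this works on any file type,
    not only JPEGs: the JPG in the campaign is just one container.
    """
    found = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        # Base64 text is a multiple of 4 characters; drop a ragged tail
        # (for example where a trailing non-Base64 byte was glued on).
        run = run[: len(run) - len(run) % 4]
        try:
            blob = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            found.append(blob)
    return found


def build_sample_carrier():
    """Constructed sample (not real malware): a tiny JPEG-like header, an EOI
    marker, then a Base64-encoded PE header stub appended the way the
    campaign's JPG carried its DLL. Returns (carrier_bytes, stub_bytes)."""
    stub = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)                  # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00"                            # NT signature
    stub += b"constructed-sample-no-code".ljust(60, b"\x00")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg += b"\xff\xdb\x00\x43\x00" + bytes(range(1, 65))  # fake quantisation table
    jpeg += b"\xff\xd9"                                    # EOI marker
    return jpeg + base64.b64encode(bytes(stub)), bytes(stub)


if __name__ == "__main__":
    carrier, stub = build_sample_carrier()
    for pe in carve_base64_pe(carrier):
        print(f"embedded PE found: {len(pe)} bytes, matches stub: {pe == stub}")
```

Run it over a suspect image with `carve_base64_pe(open(path, "rb").read())`; anything returned should be hashed and checked against the IoC list or detonated. The check is deliberately structural rather than signature-based, so it also catches a re-packed DLL whose hash is not yet known.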
Once deployed, the spyware RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors. It also attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's hook function intercepts the input before the action reaches the target application, Khursale said. The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.
Zscaler included a comprehensive list of indicators of compromise (IoCs) in the blog post, including the Telegram URLs used for exfiltration, malicious URLs, the malicious Excel, VBS, JPG, and DLL files, and malicious executables, to help identify whether a system has been compromised. The post also includes an extensive list of the browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials, to help organizations remain vigilant.
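Hashes and URLs from an IoC list age quickly, while the process chain described in the article (Excel opens the attachment, the exploit runs a VBS, the VBS launches PowerShell, PowerShell starts RegAsm.exe) changes far less often between waves. The following Python is an added example, not part of the Zscaler post; it encodes that chain as a lineage check over a constructed set of process-creation events of the kind Sysmon or an EDR would log. Two names are assumptions not stated in the article: the script host that runs the VBS (wscript.exe or cscript.exe), and EQNEDT32.EXE, the Equation Editor process that hosts CVE-2017-11882. Because Equation Editor is launched via DCOM, its parent is svchost.exe rather than Excel, so the check accepts EQNEDT32.EXE as the root of the chain and, as a second rule, flags any child of EQNEDT32.EXE at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 or EDR log carries)."""
    pid: int
    ppid: int
    image: str  # executable file name only


# Stage sets, matched from the leaf (RegAsm.exe) upward. EQNEDT32.EXE and the
# script hosts are assumptions added here; the article names Excel, a VBS,
# PowerShell and RegAsm.exe.
OFFICE_OR_EQNEDT = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOADER = {"regasm.exe"}


def lineage(events, pid):
    """Image names from pid up to the root, child first, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def has_stages_in_order(chain, stages):
    """True if the chain (child first) passes through every stage set in the given order."""
    i = 0
    for image in chain:
        if i < len(stages) and image in stages[i]:
            i += 1
    return i == len(stages)


def find_regasm_chains(events):
    """PIDs of RegAsm.exe processes descended from PowerShell <- script host <- Office/Equation Editor."""
    return [
        e.pid
        for e in events
        if e.image.lower() in LOADER
        and has_stages_in_order(lineage(events, e.pid), [POWERSHELL, SCRIPT_HOSTS, OFFICE_OR_EQNEDT])
    ]


def equation_editor_children(events):
    """PIDs of any process spawned by EQNEDT32.EXE. Equation Editor has no legitimate
    reason to start child processes, so this catches the exploit stage on its own."""
    eqnedt_pids = {e.pid for e in events if e.image.lower() == "eqnedt32.exe"}
    return [e.pid for e in events if e.ppid in eqnedt_pids]


# Constructed sample telemetry: one infection chain and one benign RegAsm.exe use.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "System"),
    ProcEvent(800, 4, "svchost.exe"),       # DcomLaunch host
    ProcEvent(3100, 1200, "EXCEL.EXE"),     # user opened the attachment
    ProcEvent(3200, 800, "EQNEDT32.EXE"),   # started via DCOM: parent is svchost, not Excel
    ProcEvent(3300, 3200, "wscript.exe"),   # obfuscated VBS stage
    ProcEvent(3400, 3300, "powershell.exe"),
    ProcEvent(3500, 3400, "RegAsm.exe"),    # injection target
    ProcEvent(5000, 1200, "devenv.exe"),    # benign: build tooling registering a COM assembly
    ProcEvent(5100, 5000, "RegAsm.exe"),
]

if __name__ == "__main__":
    print("RegAsm chains:", find_regasm_chains(SAMPLE_EVENTS))
    print("EQNEDT32 children:", equation_editor_children(SAMPLE_EVENTS))
```

The lineage rule is strict on purpose: RegAsm.exe under a developer tool or an installer is normal, and only the full Office/script/PowerShell ancestry is flagged. The second rule trades precision for coverage and is the one to keep if the attackers swap the VBS or RegAsm stages for something else.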

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
