    Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware

By justmattg, December 24, 2023

Dec 21, 2023 | Newsroom | Vulnerability / Phishing Attack

    Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla.

The infection chains leverage decoy Excel documents attached to invoice-themed messages to trick potential targets into opening them, which triggers exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office’s Equation Editor that can result in code execution with the privileges of the user.

    The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the security flaw to deliver the malware.

    “Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction,” security researcher Kaivalya Khursale said.

    The first payload is an obfuscated Visual Basic Script, which initiates the download of a malicious JPG file that comes embedded with a Base64-encoded DLL file. This steganographic evasion tactic was previously also detailed by McAfee Labs in September 2023.
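The image-with-embedded-DLL stage described above is something a defender can hunt for on disk or in proxy captures. The following detector is an added example written for this article, not code from Zscaler or the campaign: it scans a JPEG for long Base64 runs and reports the first one that decodes to a PE image (an `MZ` header whose `e_lfanew` points at `PE\0\0`). The sample files it builds are constructed stand-ins, not real malware.

```python
import base64
import re
import struct

# Long runs of Base64 alphabet characters; short runs (EXIF strings, ICC
# profile names) fall below the length threshold and are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
JPEG_SOI = b"\xff\xd8\xff"


def _looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes):
    """Return (offset, decoded_bytes) for the first Base64 run in a JPEG that
    decodes to a PE image, or None. The whole file is scanned because a stager
    may append the payload after the EOI marker or hide it in a COM/APPn segment.
    Line-wrapped Base64 would need whitespace stripped first (not done here)."""
    if not data.startswith(JPEG_SOI):
        return None
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        # The run may not start on a 4-char boundary; try dropping up to 3 chars.
        for skip in range(4):
            chunk = run[skip:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            try:
                decoded = base64.b64decode(chunk, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if _looks_like_pe(decoded):
                return m.start() + skip, decoded
    return None


def build_samples() -> dict:
    """Constructed test inputs (assumption: a minimal PE-shaped blob, not a DLL)."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)            # e_lfanew -> 0x80
    pe += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 20   # PE signature + stub
    prefix = JPEG_SOI + b"\x00" * 16 + b"\xff\xd9"     # tiny fake JPEG + EOI
    return {
        "malicious": prefix + base64.b64encode(bytes(pe)),
        "benign": prefix + base64.b64encode(b"x" * 120),
    }
```

Running `find_embedded_pe` over the "malicious" sample returns the offset of the Base64 run (just past the EOI marker) and the decoded PE bytes, while the "benign" image, which also carries a long Base64 run, is reported clean.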


    The concealed DLL is subsequently injected into RegAsm.exe, the Windows Assembly Registration Tool, to launch the final payload. It’s worth noting that the executable has also been abused to load Quasar RAT in the past.

Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT) that’s equipped to harvest sensitive information from compromised hosts. The malware then communicates with a remote server to exfiltrate the collected data.

    “Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape,” Khursale said.

    The development comes as old security flaws become new attack targets for threat actors. Earlier this week, Imperva revealed that a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS score: 7.2) is being utilized by the 8220 Gang to deliver cryptocurrency miners.

    It also coincides with an uptick in DarkGate malware activity after it began to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following its takedown back in August 2023.

    “The technology sector is the most impacted by DarkGate attack campaigns,” Zscaler said, citing customer telemetry data.

    “Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals.”


    Phishing campaigns have also been discovered targeting the hospitality sector with booking-related email messages to distribute information stealer malware such as RedLine Stealer or Vidar Stealer, according to Sophos.

    “They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would want to respond to quickly,” researchers Andrew Brandt and Sean Gallagher said.


“Only after the target responds to the threat actor’s initial email does the threat actor send a follow-up message linking to what they claim is details about their request or complaint.”

    Stealers and trojans notwithstanding, phishing attacks have further taken the form of bogus Instagram “Copyright Infringement” emails to steal users’ two-factor authentication (2FA) backup codes via fraudulent web pages with an aim to bypass account protections, a scheme called Insta-Phish-A-Gram.

    “The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account,” the cybersecurity firm said.
