Attackers are taking advantage of a long-standing vulnerability in Microsoft Office to launch phishing campaigns and spread the Agent Tesla malware. This malware, active since 2014 [3], is spyware that collects sensitive information from infected systems. Although the flaw was patched in 2017 [3], threat actors continue to exploit it [3]. In addition to this campaign [6], other security flaws are also being exploited, highlighting the need for organizations to stay vigilant.

Description

Attackers are exploiting a 6-year-old Microsoft Office vulnerability (CVE-2017-11882) to target users with a phishing campaign that spreads the Agent Tesla malware. This malware acts as spyware, collecting keystrokes [3], screenshots [3], and credentials from infected systems [3]. The campaign sends spam messages with weaponized Excel documents and tricks recipients into opening them, which triggers the vulnerability [6]. Once the document is opened [4], the malware downloads additional files [3] [6], including a heavily obfuscated Visual Basic Script (VBS) file and a malicious JPG file containing a Base64-encoded DLL [1] [6]. The DLL fetches the Agent Tesla payload and injects it into a process of the Windows tool RegAsm [3]. Agent Tesla is an advanced keylogger and remote access trojan (RAT) that can harvest sensitive information and communicate with a remote server [2] [4] [5] [6] [8]. It is the most prevalent malware associated with phishing [5] [8].

Furthermore, other cybersecurity threats have been identified [2]. Hackers are exploiting an old Microsoft Excel vulnerability to spread the Agent Tesla malware through phishing campaigns [1] [2] [6] [7]. These campaigns attach decoy Excel documents to invoice-themed messages to trick users into opening them, which triggers exploitation of CVE-2017-11882 [2], a memory corruption vulnerability in Office’s Equation Editor [2] [5] [7] [8]. The malware is delivered through a series of payloads [2]: an obfuscated Visual Basic Script [1] [2] [5] [6] [8], a malicious JPG file with a Base64-encoded DLL file [1] [2] [3] [5] [6] [8], and the final payload, which is launched through RegAsm.exe [2]. Agent Tesla is a .NET-based keylogger and remote access trojan that harvests sensitive information and communicates with a remote server [2] [4] [5] [6] [8].
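The JPG stage described in the two paragraphs above can be checked for on the defender's side by scanning image files for Base64 text that decodes to a Windows PE header. The following is an added example, not code from the cited reports; it assumes the DLL is stored as plain, unbroken standard Base64 somewhere in the file (the sources do not give the exact layout), and the function names and sample bytes are constructed for illustration.

```python
import base64
import re
import struct

# "MZ" always encodes to Base64 text starting "TV" plus one of o/p/q/r. The lookahead
# yields overlapping candidates; each is capped at 4096 characters (3072 decoded bytes).
CANDIDATE = re.compile(rb"(?=(TV[o-r][A-Za-z0-9+/]{253,4093}))")


def looks_like_pe(data: bytes) -> bool:
    """True if data begins with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(blob: bytes) -> list[int]:
    """Return file offsets where Base64 text decodes to a PE header."""
    hits = []
    for match in CANDIDATE.finditer(blob):
        text = match.group(1)
        text = text[: len(text) - len(text) % 4]  # decode whole 4-character groups only
        if looks_like_pe(base64.b64decode(text)):
            hits.append(match.start(1))
    return hits


def constructed_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a plain JPEG-like file and one carrying an encoded PE stub."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + b"\xff\xd9"
    stub = bytearray(0x200)                      # not a real DLL, header fields only
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)     # e_lfanew
    stub[0x80:0x84] = b"PE\x00\x00"
    return jpeg, jpeg + base64.b64encode(bytes(stub))


if __name__ == "__main__":
    clean, carrier = constructed_samples()
    print("clean:", find_embedded_pe(clean))
    print("carrier:", find_embedded_pe(carrier))
```

A hit on a file served as an image is worth triage on its own, since ordinary JPEGs have no reason to carry an encoded executable header.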

In addition, threat actors are exploiting a three-year-old flaw in Oracle WebLogic Server to deliver cryptocurrency miners [2]. The 8220 Gang has been using this vulnerability to their advantage. The DarkGate malware has also been impacting the technology sector [4], with threat actors creating and rotating domains at specific intervals [4]. Phishing campaigns have been observed in the hospitality sector [6], distributing information stealer malware like RedLine Stealer and Vidar Stealer [6]. Additionally, phishing attacks have taken the form of Instagram “Copyright Infringement” emails [6], aiming to steal users’ two-factor authentication backup codes [2] [4] [6].

Conclusion

To combat these threats [6], it is crucial for organizations to implement Zero Trust Security and stay updated on evolving cyber threats. By adopting a Zero Trust approach, organizations can minimize the risk of unauthorized access and protect their digital landscape. It is also important to remain vigilant and educate users about the dangers of phishing campaigns. By staying informed and implementing robust security measures, organizations can mitigate the impact of these cybersecurity threats and safeguard their sensitive information.

References

[1] https://www.darkreading.com/cloud-security/attackers-exploit-microsoft-office-bug-spyware
[2] https://owasp.or.id/2023/12/21/hackers-exploiting-old-ms-excel-vulnerability-to-spread-agent-tesla-malware/
[3] https://securityaffairs.com/156246/cyber-crime/agent-tesla-phishing-cve-2017-11882.html
[4] https://www.motorblog.com.uy/en/noticias/phishing-campaigns-exploit-old-vulnerabilities-to-distribute-malware/367896/
[5] https://www.techradar.com/pro/security/an-ancient-microsoft-excel-vulnerability-is-being-hijacked-to-spread-malware
[6] https://thehackernews.com/2023/12/hackers-exploiting-old-ms-excel.html
[7] https://cyber.vumetric.com/security-news/2023/12/21/hackers-exploiting-ms-excel-vulnerability-to-spread-agent-tesla-malware/
[8] https://telegraph247.com/tech/an-old-microsoft-excel-vulnerability-is-being-hijacked-to-spread-malware/