    Hackers exploit MS Excel vulnerability to spread Agent Tesla malware

    By techempire

    December 21, 2023 | Vulnerabilities / Phishing attacks


    As part of a phishing campaign, attackers are exploiting old Microsoft Office vulnerabilities to spread malware called Agent Tesla.

    The infection chain uses decoy Excel files attached to invoice-themed messages to trick targets into opening them, which triggers an exploit for CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in the Office Equation Editor that can lead to code execution with the privileges of the current user.

    Zscaler ThreatLabz’s findings build on previous reports from Fortinet’s FortiGuard Labs, which detailed similar phishing campaigns that exploited security flaws to spread malware.

    Security researcher Kaivalya Khursale said: “Once a user downloads the malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with the malicious destination and proceeds to download additional files without any further user interaction.”

    The first payload is an obfuscated Visual Basic script that downloads a malicious JPG file with a Base64-encoded DLL embedded inside it. McAfee Labs detailed this steganographic evasion tactic in September 2023.


    The hidden DLL is then injected into the Windows component registration tool RegAsm.exe to launch the final payload. It is worth noting that this executable has been abused in the past to load Quasar RAT.
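A defender-side check for the steganographic stage of the chain described above (a Base64-encoded DLL appended to an otherwise ordinary JPG): the script below looks past the JPEG End-Of-Image marker, tries to decode any long Base64 run found there, and flags it if the decoded bytes carry a PE ("MZ") header. This is an added example, not code from the article or from Zscaler; the sample JPEG and the fake "DLL" are constructed inline and contain no real malware.

```python
import base64
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # Start-Of-Image marker
JPEG_EOI = b"\xff\xd9"  # End-Of-Image marker; anything after it is trailing data
# A run of at least 64 Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed samples (assumptions, not real files): a minimal JPEG shell,
# and the same shell with a Base64-encoded fake PE appended after EOI.
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
CLEAN_JPG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
SAMPLE_JPG = CLEAN_JPG + base64.b64encode(FAKE_DLL)


def trailing_data(jpg: bytes) -> bytes:
    """Return the bytes that follow the last EOI marker (b'' if none)."""
    if not jpg.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    idx = jpg.rfind(JPEG_EOI)
    return b"" if idx == -1 else jpg[idx + len(JPEG_EOI):]


def find_embedded_pe(jpg: bytes) -> Optional[bytes]:
    """Decode Base64 runs in the trailing data; return the first PE image found."""
    for match in B64_RUN.finditer(trailing_data(jpg)):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"MZ"):  # DOS/PE header: an executable hidden in an image
            return blob
    return None


def classify(jpg: bytes) -> str:
    """Summarise a scan result for a triage note."""
    pe = find_embedded_pe(jpg)
    if pe is None:
        return "clean"
    return f"suspicious: {len(pe)}-byte PE payload after JPEG EOI"


if __name__ == "__main__":
    print("clean sample ->", classify(CLEAN_JPG))
    print("stego sample ->", classify(SAMPLE_JPG))
```

The check deliberately ignores the image body itself, so a real scanner would also want to inspect the JPEG segment structure and treat any oversized APPn or COM segment as trailing data.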

    Agent Tesla is an advanced .NET-based keylogger and remote access trojan (RAT) capable of harvesting sensitive information from infected hosts. The malware then communicates with a remote server to exfiltrate the collected data.

    “Threat actors are constantly adapting their infection methods, so organizations must stay up to date on evolving cyber threats to protect their digital environments,” said Khursale.

    The development comes at a time when old security flaws are becoming new targets for threat actors. Earlier this week, Imperva revealed that 8220 Gang exploited a three-year-old flaw (CVE-2020-14883, CVSS score: 7.2) in Oracle WebLogic Server to deliver cryptocurrency miners.

    Meanwhile, DarkGate malware activity has increased. DarkGate began to be advertised as a malware-as-a-service (MaaS) offering earlier this year and has been positioned as a replacement for QakBot following the latter's takedown in August 2023.

    “The technology industry was most affected by the DarkGate campaign,” Zscaler said, citing customer telemetry data.

    “The majority of DarkGate domains are 50 to 60 days old, which may indicate that threat actors are intentionally creating and rotating domains at specific intervals.”


    Sophos said it has also observed phishing campaigns targeting the hospitality industry that spread information-stealing malware such as RedLine Stealer or Vidar Stealer through booking-related emails.

    Researchers Andrew Brandt and Sean Gallagher said: “They initially contacted targets via email containing only text, but with a subject that a service-based business such as a hotel would want to respond to quickly.”


    “Only after a target responds to the threat actor’s initial email, the threat actor sends a follow-up message linking to what they claim are details about their request or complaint.”

    Beyond stealers and trojans, phishing attacks have also taken the form of fake Instagram “copyright infringement” emails that steal users’ two-factor authentication (2FA) backup codes via fraudulent web pages designed to bypass account protections. The scheme has been dubbed Insta-phishing.

    “The information attackers retrieve from such phishing attacks can be sold underground or used to take over accounts,” said cybersecurity firm Trustwave.
