Attackers are weaponizing an outdated Microsoft Office vulnerability as section of phishing campaigns to distribute a pressure of malware identified as Agent Tesla.
The infection chains leverage decoy Excel documents connected in bill-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office’s Equation Editor that could final result in code execution with the privileges of the consumer.
The results, which come from Zscaler ThreatLabz, make on prior studies from Fortinet FortiGuard Labs, which thorough a very similar phishing marketing campaign that exploited the security flaw to provide the malware.
“As soon as a user downloads a malicious attachment and opens it, if their variation of Microsoft Excel is susceptible, the Excel file initiates interaction with a malicious desired destination and proceeds to down load extra documents with no necessitating any additional consumer interaction,” security researcher Kaivalya Khursale stated.
The very first payload is an obfuscated Visible Basic Script, which initiates the down load of a destructive JPG file that comes embedded with a Base64-encoded DLL file. This steganographic evasion tactic was beforehand also in depth by McAfee Labs in September 2023.
Approaching WEBINAR Beat AI-Run Threats with Zero Have faith in – Webinar for Security Industry experts
Common security actions will never cut it in present day earth. It really is time for Zero Have faith in Security. Safe your info like by no means in advance of.
Be part of Now
The hid DLL is subsequently injected into RegAsm.exe, the Windows Assembly Registration Resource, to launch the last payload. It can be value noting that the executable has also been abused to load Quasar RAT in the past.
Agent Tesla is a .NET-dependent highly developed keylogger and distant access trojan (RAT) that’s equipped to harvest sensitive data from compromised hosts. The malware then communicates with a distant server to extract the gathered data.
“Threat actors continuously adapt infection techniques, producing it very important for organizations to remain up to date on evolving cyber threats to safeguard their electronic landscape,” Khursale explained.
The advancement arrives as previous security flaws come to be new attack targets for menace actors. Earlier this week, Imperva unveiled that a a few-year-outdated flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS rating: 7.2) is getting used by the 8220 Gang to produce cryptocurrency miners.
It also coincides with an uptick in DarkGate malware activity after it began to be marketed previously this calendar year as a malware-as-a-support (MaaS) supplying and as a alternative for QakBot pursuing its takedown again in August 2023.
“The technology sector is the most impacted by DarkGate attack strategies,” Zscaler mentioned, citing purchaser telemetry knowledge.
“Most DarkGate domains are 50 to 60 times aged, which could indicate a deliberate strategy wherever danger actors produce and rotate domains at distinct intervals.”
Phishing strategies have also been found targeting the hospitality sector with reserving-connected email messages to distribute facts stealer malware these kinds of as RedLine Stealer or Vidar Stealer, according to Sophos.
“They originally contact the concentrate on in excess of email that incorporates almost nothing but text, but with issue subject a support-oriented organization (like a resort) would want to react to rapidly,” researchers Andrew Brandt and Sean Gallagher stated.
“Only soon after the concentrate on responds to the risk actor’s preliminary email does the risk actor mail a followup information linking to what they claim is particulars about their request or criticism.”
Stealers and trojans notwithstanding, phishing attacks have taken the form of bogus Instagram “Copyright Infringement” e-mail to steal users’ two-factor authentication (2FA) backup codes via fraudulent web webpages with an purpose to bypass account protections, a plan referred to as Insta-Phish-A-Gram.
“The data attackers retrieve from this type of phishing attack can be offered underground or made use of to just take about the account,” the cybersecurity company claimed.
Identified this report appealing? Comply with us on Twitter and LinkedIn to read additional exceptional written content we publish.
Some pieces of this post are sourced from: