The Agent Tesla malware is among the most popular tools used by hackers to launch global phishing campaigns. Analysis shows that the CVE-2017-11882 vulnerability is being exploited through malicious documents in order to fetch the initial payload file.
Agent Tesla Malware Delivered Via CVE-2017-11882 Vulnerability, Leads To Global Phishing Campaigns
Computer hackers have been found to distribute the Agent Tesla malware, which in its most basic form is a keylogger, through infected documents. The criminal collective relies on phishing strategies to spread the files. The technique consists of creating files in the most popular document formats and embedding the malicious content inside them. Agent Tesla can be bought on hacker underground markets as a subscription package, which allows the buyers to customize and edit important parameters to suit the intended targets.
The criminal collectives do so by leveraging a vulnerability tracked as CVE-2017-11882. This is a memory-corruption bug in the legacy Equation Editor component (EQNEDT32.EXE) that ships with the Microsoft Office programs used to view the documents and is invoked when a document contains an embedded equation object. When such a file is opened on a system where Office has not been patched, the exploit makes the application download a remote file and execute it. This is the first-stage downloader that leads to the Agent Tesla infection.
The Agent Tesla malware exhibits features that are very similar to those of popular Trojans, including the ability to keep the victim under constant surveillance. It probes the system for devices such as microphones and webcams, which allows the main engine to take screenshots, record video and audio, and spy on user activity in real time. All data is recorded and transmitted to the operators over the persistent connection that is established.
Agent Tesla has, however, been found to exhibit one unusual technique: it uses an email account to receive commands and send out the collected data. The engine relies on built-in mechanisms to deliver the required information, and it also supports different protocols for this purpose. Because the resulting traffic looks like ordinary mail and web activity, it is likely to pass through firewalls and intrusion detection systems that do not inspect it closely.
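As an added example (not from the original report, and not code belonging to Agent Tesla or to the researchers who analysed it), the following Python script shows the two detection checks a defender would derive from the infection chain described above: the Equation Editor process (EQNEDT32.EXE) spawning a child process, which it has no legitimate reason to do, and an outbound connection to a mail-submission port (25, 465 or 587) from a process that is not a known mail client, which is how the stolen data leaves the host. The Sysmon-style JSON events, process IDs, file paths and IP addresses are all constructed for the example; the allowlist of mail clients is an assumption to be tuned per environment.

```python
import json
import ntpath

# Constructed sample telemetry for this example (not real logs): Sysmon-style
# process-creation (EventID 1) and network-connection (EventID 3) records as JSON lines.
# PIDs, paths and addresses are invented; the IPs are from documentation ranges.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4100, "ParentProcessId": 2000, "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 4220, "ParentProcessId": 900, "Image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4220, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"EventID": 1, "ProcessId": 4380, "ParentProcessId": 4300, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 3, "ProcessId": 4380, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 587}
{"EventID": 3, "ProcessId": 3100, "Image": "C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.5", "DestinationPort": 587}
{"EventID": 3, "ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "DestinationIp": "198.51.100.20", "DestinationPort": 443}
"""

EQNEDT = "eqnedt32.exe"
MAIL_PORTS = {25, 465, 587}
# Assumed allowlist of processes that legitimately talk SMTP; tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def load_sample():
    return parse_events(SAMPLE_EVENTS)


def basename(path):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def eqnedt_children(events):
    """Process-creation events whose parent is the Equation Editor.

    EQNEDT32.EXE is an out-of-process COM server started on the document's behalf;
    it never needs to launch other programs, so any child process is a strong
    signal that CVE-2017-11882 was exploited to run a downloader.
    """
    return [e for e in events
            if e["EventID"] == 1 and basename(e["ParentImage"]) == EQNEDT]


def smtp_from_unexpected_process(events):
    """Outbound connections to mail-submission ports from non-mail-client processes."""
    return [e for e in events
            if e["EventID"] == 3
            and e["DestinationPort"] in MAIL_PORTS
            and basename(e["Image"]) not in MAIL_CLIENTS]


def process_chain(events, pid):
    """Walk ParentProcessId links from pid towards the root; returns image basenames.

    The walk stops when the parent is not in the captured events (svchost here).
    """
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def correlate(events):
    """Tie each suspicious SMTP sender back to its ancestry and flag an Equation Editor ancestor."""
    hits = []
    for conn in smtp_from_unexpected_process(events):
        chain = process_chain(events, conn["ProcessId"])
        hits.append({
            "pid": conn["ProcessId"],
            "dest": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
            "chain": chain,
            "from_eqnedt": EQNEDT in chain,
        })
    return hits


if __name__ == "__main__":
    evts = load_sample()
    for child in eqnedt_children(evts):
        print(f'[EQNEDT child] pid {child["ProcessId"]}: {child["Image"]}')
    for hit in correlate(evts):
        tag = "linked to Equation Editor" if hit["from_eqnedt"] else "unlinked"
        print(f'[SMTP exfil?] pid {hit["pid"]} -> {hit["dest"]} via {" <- ".join(hit["chain"])} ({tag})')
```

On the constructed data the first check fires once (cmd.exe under EQNEDT32.EXE) and the second fires only for the dropped executable, not for Outlook's legitimate SMTP session or Word's HTTPS connection; the correlation walks the dropped executable back through cmd.exe to the Equation Editor. In a real deployment the first check alone is worth alerting on, since legitimate Equation Editor activity produces no child processes at all.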