Security researchers have uncovered a new malicious attack that combines well-known exploits with the purpose of circumventing security solutions. The campaign is spreading information stealers, pieces of sophisticated spyware. More specifically, attackers are spreading a sophisticated information-stealing Trojan known as Agent Tesla, as well as the Loki information stealer.
Agent Tesla Malicious Campaigns – Update August 2019
According to new data, the Agent Tesla malware is currently employing steganography in its latest malspam campaigns. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. Steganography is an old trick in malware distribution; in practice it means hiding code inside an ordinary-looking image, which in most cases is not inspected for malware.
Technical Details about the Sophisticated Attack, Evading AV Detection
Security researchers at Cisco Talos detected “a highly suspicious document that wasn’t picked up by common antivirus solutions”.
The attackers behind this new form of attack have deployed a well-known exploit chain. However, it has been modified in such a way that it goes undetected by security solutions.
The Agent Tesla Trojan is designed to steal login information from several applications, including Google Chrome, Mozilla Firefox and Microsoft Outlook. The Trojan can also capture screenshots, record webcams, and allow attackers to install additional malware on infected systems, the researchers said.
The Trojan is also capable of performing other malicious activities such as monitoring and collecting keyboard input and the system clipboard, taking screenshots, and exfiltrating the collected sensitive information. However, Agent Tesla is not the only piece of malware distributed in this campaign – Loki, another information stealer, is also dropped on victims’ machines.
Two Microsoft Word Exploits Abused: CVE-2017-0199 and CVE-2017-11882
As for the exploits used by the adversaries, two public exploits for the Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882 are used in the malicious attack scenario.
The CVE-2017-0199 exploit, in particular, was used in attacks in 2017 when threat actors abused Microsoft Office files to deliver several malware strains. The unique thing about those incidents is that they used a new strategy, exploiting a relatively new feature that was integrated into the Microsoft Office suite last year.
CVE-2017-11882 is another well-known Microsoft Office exploit; it was detected in malicious campaigns in September this year that were delivering the CobInt Trojan.
The .DOCX File and the RTF File
The current campaign, discovered and analyzed by Cisco Talos, begins with the download of a malicious Microsoft .DOCX file. That document contains instructions to download a particular RTF file. This is the activity that goes undetected by antivirus products.
According to the researchers:
At the time the file was analyzed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal. Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file.
The Rich Text Format, or RTF for short, is a proprietary document file format with published specification developed by Microsoft Corporation from 1987 until 2008 for cross-platform document interchange with Microsoft products.
RTF files do not support any macro language, but they do support Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects via the ‘\object’ control word. The user can link or embed an object from the same or different format into the RTF document.
In other words, it is possible for users to link or embed objects into the RTF file, and an attacker can add obfuscation on top of that. It should also be noted that anything in the RTF file that the reader doesn’t recognize is usually ignored, which is what makes such obfuscation possible.
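The two properties described above (an embedded object carried in an `\objdata` hex stream, and readers silently ignoring control words they don't recognize) are exactly what a triage script has to cope with. The following is an added example, not code from the article or from Cisco Talos: a minimal Python extractor that pulls `\objdata` streams out of a constructed RTF sample, tolerates interleaved junk control words and whitespace, and checks whether the decoded bytes begin with the OLE compound-file signature. The sample document and the control-word names `\junkword` and `\zz99` are made up for the demonstration.

```python
import re

# Constructed RTF sample (not a real malicious file): an embedded OLE object whose
# \objdata hex stream is broken up by whitespace and by made-up control words
# (\junkword, \zz99) that an RTF reader simply ignores.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\junkword{\*\objdata "
    r"d0cf 11e0\zz99 a1b1" "\n" r"1ae1 0000 0000\junkword 0000 0000}}"
    r"\par Hello}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound-file header
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")  # \word, \word123, optional space

def find_objdata_groups(rtf):
    """Return the text following each \\objdata up to the closing brace of its group."""
    groups = []
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        groups.append(rtf[m.end():i])
    return groups

def decode_objdata(group):
    """Drop control words (as a reader would), keep only hex digits, decode them."""
    cleaned = CONTROL_WORD.sub("", group)
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", cleaned)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]  # a dangling nibble is ignored, as readers do
    return bytes.fromhex(hexdigits)

def scan_rtf(rtf):
    """One finding per \\objdata stream: size, OLE check, and junk-control-word count."""
    findings = []
    for group in find_objdata_groups(rtf):
        blob = decode_objdata(group)
        findings.append({
            "size": len(blob),
            "is_ole": blob.startswith(OLE_MAGIC),
            # control words inside a hex stream serve no purpose but obfuscation
            "control_words_in_stream": len(CONTROL_WORD.findall(group)),
        })
    return findings
```

A non-zero `control_words_in_stream` on a stream that still decodes to a valid OLE header is a cheap, format-aware signal that a byte-pattern scanner looking for the contiguous `d0cf11e0` string would miss.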
The researchers weren’t able to completely understand how the threat actor changed the exploit manually, or if they used a tool to produce the shellcode. “Either way, this shows that the actor or their tools have [the] ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability.”
Security experts are also expecting to see this new technique included in other malicious campaigns delivering other strains of malware.