New Malware Campaign Evades AV Detection, Downloads Spyware


Security researchers have uncovered a new malicious attack that uses well-known exploits modified to circumvent security solutions. The campaign is spreading information stealers, sophisticated pieces of spyware. More specifically, the attackers are distributing a sophisticated information-stealing Trojan known as Agent Tesla, as well as the Loki information stealer.

Agent Tesla Malicious Campaigns – August 2019 Update

According to new data, the Agent Tesla malware is currently employing steganography in its latest malspam campaigns. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. In fact, steganography is an old trick in malware distribution: it means hiding code within an ordinary image, which in most cases is not checked for malware.

Technical Details about the Sophisticated Attack, Evading AV Detection

Security researchers at Cisco Talos detected “a highly suspicious document that wasn’t picked up by common antivirus solutions”.

The attackers behind this new form of attack have deployed a well-known exploit chain. However, it has been modified in such a way that it goes undetected by security solutions.

The Agent Tesla Trojan is designed to steal login information from several pieces of software, such as Google Chrome, Mozilla Firefox and Microsoft Outlook, among others. The Trojan can also capture screenshots, record webcams, and allow attackers to install additional malware on infected systems, the researchers said.

The Trojan is also capable of performing other malicious activities such as monitoring and collecting keyboard input, the system clipboard and screenshots, and exfiltrating the collected sensitive information. However, Agent Tesla is not the only piece of malware distributed in this campaign – Loki, another information stealer, is also dropped on victims’ machines.

Two Microsoft Word Exploits Abused: CVE-2017-0199 and CVE-2017-11882

As for the exploits used by the adversaries, two public exploits for the Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882 are used in the attack scenario.

The CVE-2017-0199 exploit, in particular, was used in attacks in 2017 when threat actors abused Microsoft Office files to deliver several malware strains. The unique thing about those incidents is that they used a new strategy, exploiting a relatively new feature that had been integrated into the Microsoft Office suite the year before.

CVE-2017-11882 is another well-known Microsoft Office exploit, detected in malicious campaigns in September this year that were delivering the CobInt Trojan.

The .DOCX File and the RTF File

The current campaign, discovered and analyzed by Cisco Talos, begins with the download of a malicious Microsoft .DOCX file. The document contains instructions to download a particular RTF file. This is the activity that goes undetected by antivirus products.

According to the researchers:

At the time the file was analyzed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal. Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file.

The Rich Text Format, or RTF for short, is a proprietary document file format with published specification developed by Microsoft Corporation from 1987 until 2008 for cross-platform document interchange with Microsoft products.

RTF files do not support any macro language, but they do support Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects via the ‘\object’ control word. The user can link or embed an object of the same or a different format into the RTF document.

In other words, it is possible for users to link or embed objects into the RTF file, but obfuscation needs to be added to evade detection. It should also be noted that anything the RTF reader doesn’t recognize is usually ignored.
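The two properties described above (OLE objects arrive through the ‘\object’ family of control words, and unrecognized control words or groups are silently ignored by the reader) are what a defensive RTF scanner has to account for. The following added example, which is not code from the original article or from Cisco Talos, tokenises an RTF document the way a reader would, skips unknown control words and groups, and reports whether an embedded object carrying an OLE compound file is present. The sample document is constructed for this example and is not a real malware file.

```python
import re
from typing import Dict, List, Optional

# RTF control words that link or embed an OLE object (from the RTF specification).
OLE_WORDS = {"object", "objemb", "objlink", "objautlink", "objdata", "objclass", "objupdate"}
# Magic bytes of an OLE Compound File, which the OLE1 wrapper inside \objdata carries.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Tokeniser: control word (+ optional numeric parameter and delimiter space),
# control symbol, group brace, or plain text run.
TOKEN = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?|\\(.)|([{}])|([^\\{}]+)")


def scan_rtf(data: str) -> Dict[str, object]:
    """Report OLE-object indicators in an RTF document.

    Unknown control words and groups are skipped, as an RTF reader does, so junk
    inserted to confuse signature-based scanners does not break the parse.
    """
    seen = set()
    hex_chunks: List[str] = []
    depth = 0
    objdata_depth: Optional[int] = None  # group depth at which \objdata was opened
    for m in TOKEN.finditer(data):
        word, _param, _symbol, brace, text = m.groups()
        if brace == "{":
            depth += 1
        elif brace == "}":
            if depth == objdata_depth:
                objdata_depth = None        # leaving the \objdata group
            depth -= 1
        elif word:
            if word in OLE_WORDS:
                seen.add(word)
            if word == "objdata":
                objdata_depth = depth
        elif text and depth == objdata_depth:
            hex_chunks.append(re.sub(r"\s+", "", text))  # hex may be split by whitespace
    blob = "".join(hex_chunks)
    payload = bytes.fromhex(blob) if re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", blob) else b""
    return {"ole_words": sorted(seen), "payload_len": len(payload),
            "cfb_header": CFB_MAGIC in payload}


# Constructed sample (not a real malware file): an embedded object whose \objdata
# hex is broken up by whitespace, an unknown control word and an unknown group.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 0105\nonsense 0000 02 00 00 00{\*\junkgroup zz}"
    r"\another d0cf11e0a1b11ae1 00000000}}}"
)

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

The hex decodes to an OLE1 header followed by the compound-file magic, so the report shows four object-related control words, a 20-byte payload and a CFB header despite the inserted junk; a plain document reports none of these.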

The researchers weren’t able to determine whether the threat actor changed the exploit manually or used a tool to produce the shellcode. “Either way, this shows that the actor or their tools have [the] ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability.”

Security experts are also expecting to see this new technique included in other malicious campaigns delivering other strains of malware.

Milena Dimitrova
