An ancient Microsoft Excel vulnerability is being hijacked to spread malware
Hackers have been observed targeting users running outdated Office programs, aiming to deliver an information-stealing malware called Agent Tesla.
This is what cybersecurity researchers Zscaler ThreatLabs say, who recently developed a phishing campaign in which an Excel document is distributed. If the victim is using an older version of Excel, the document can exploit a memory corruption vulnerability in the Equation Editor, tracked as CVE-2017-11882.
This allows it to execute code with user rights, but without further user interaction or permission.
“Once a user downloads a malicious attachment and opens it and their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and continues to download additional files without any further user interaction required,” says security researcher Kaivalya Khursale.
The infection involves multiple steps, with the first step being an obfuscated Visual Basic script. It downloads a malicious JPG file containing a Base64 encoded DLL file. That file is later injected into the Windows Assembly Registration Tool (RegAsm.exe), which launches the final payload: Agent Tesla.
Advanced keylogger
In his writing, The HackerNews describes Agent Tesla as a “sophisticated keylogger and remote access trojan (RAT)” that can collect sensitive information. After collecting the required information, Agent Tesla can communicate with the remote C2 server and silently extract the data.
“Threat actors are constantly adapting infection methods, making it imperative for organizations to stay abreast of evolving cyber threats to protect their digital landscape,” said Khursale.
Both the infosteal malware and the Excel vulnerability seem to be extremely popular these days. A report from Cofense released in late October states that the most common malware linked to phishing in the third quarter was the Agent Tesla keylogger. Furthermore, the same source claims that the CVE-2017-11882 exploit is the most common way to infect your computer with these forms of malware.