Uses complex obfuscation techniques to avoid detection

Oct 15, 2018 20:06 GMT  ·  By

A new malware campaign discovered by the Cisco Talos Intelligence Group uses RTF documents to exploit the CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability to distribute the Agent Tesla data stealer RAT malware.

To be more precise, the adversaries behind this campaign exploit the flaw to "run arbitrary code in the context of the current user by failing to properly handle objects in memory", as the Common Vulnerabilities and Exposures database entry describes it.

The bad actors exploit Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 using maliciously crafted RTF documents.

RTF is a proprietary Microsoft document format designed to be multi-platform. Although it has no support for macros or scripts, it lets attackers embed Object Linking and Embedding (OLE) objects or, depending on the platform being targeted, Macintosh Edition Manager subscriber objects, which are used to drop the malware payload on the victim's machine.
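As an added illustration (not code from the article or from Cisco Talos), a small Python triage helper that pulls the embedded \objdata destinations out of an RTF file, decodes their hex and checks whether an OLE compound file is wrapped inside. The RTF sample is constructed, and its Equation.3 class name is an assumption about the embedded object type rather than a detail the article gives.

```python
import re
import binascii

# Constructed sample: a minimal RTF with one embedded OLE object. The \objdata
# hex is a simplified OLE1 object header followed by the OLE compound-file
# magic bytes (D0 CF 11 E0 A1 B1 1A E1); the Equation.3 class is an assumption.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300"
    rb"0000000000000000d0cf11e0a1b11ae1000000000000000000000000}}"
    rb"}"
)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# \*\objdata is followed by a run of hex digits (whitespace allowed) up to '}'
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s*([^}\\]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata destination in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def triage(rtf: bytes) -> dict:
    """Summarise embedded-object indicators an analyst would want at a glance."""
    classes = [c.strip().decode("latin-1") for c in OBJCLASS_RE.findall(rtf)]
    blobs = extract_objdata(rtf)
    return {
        "has_object": b"\\object" in rtf,
        "objclass": classes,
        "objdata_count": len(blobs),
        "embeds_ole_compound_file": any(OLE_MAGIC in b for b in blobs),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

Real samples often obfuscate control words and split the hex across oddly formatted lines, as the article notes, so treat this as a first-pass filter rather than a detector.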

This campaign is one of many others using the CVE-2017-11882 exploitation technique to spread a number of different malware samples using the same infrastructure, with Agent Tesla, Loki, and Gamarue being the most notable.

The adversaries controlling the Agent Tesla campaign use a widely known exploit chain, previously seen in the FormBook malware campaign that exploited CVE-2017-0199, but altered in such a way that no antivirus solution can detect it.

The Agent Tesla malware campaign exploits the CVE-2017-11882 vulnerability using a maliciously crafted RTF document with zero detections on VirusTotal

According to Cisco Talos' research team, the Agent Tesla Remote Access Trojan can collect and exfiltrate login information from multiple applications (e.g., Google Chrome, Mozilla Firefox, Microsoft Outlook), as well as record video, capture screenshots, and install other malicious tools sent by the command-and-control (C&C) server.

Other applications Agent Tesla is pre-configured to steal passwords from are Internet Explorer, Yandex, Opera, Thunderbird, IncrediMail, Eudora, Filezilla, WinScp, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS.

The actors behind this malware campaign make use of custom designed exploits and obfuscated payloads wrapped within RTF documents, chosen for their complexity as an additional level of camouflage against anti-malware solutions.

"Either way, this shows that the actor or their tools have the ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability," Cisco Talos concludes in its post. "This is a technique that could very well be used to deploy other malware in a stealthy way in the future."

[Images: Agent Tesla; ThreatGrid process timeline]