Recent cybersecurity threats have revealed that attackers are exploiting an aging vulnerability in Microsoft Office as a tactic within phishing campaigns. This method is being employed to disseminate a malware variant known as Agent Tesla.

The infection vector often involves decoy Excel files, which are typically embedded in messages that resemble invoices. These messages aim to mislead recipients into opening the files. When an unsuspecting user does so, the document triggers exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in the Equation Editor component of Microsoft Office. The flaw enables remote code execution with the privileges of the user who opens the document.

Research from Zscaler ThreatLabz indicates this development builds upon findings from Fortinet FortiGuard Labs, which had reported similar phishing maneuvers leveraging the same security flaw to spread the malware. As security researcher Kaivalya Khursale noted, once a malicious attachment is downloaded and opened, it triggers communication with a harmful server and fetches additional files—bypassing any intermediary user actions.

The initial payload consists of a hidden Visual Basic Script, which subsequently downloads a malicious JPG file that houses a Base64-encoded DLL. This method of employing steganography for evasion has been corroborated by earlier reports from McAfee Labs in September 2023.
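The image-carried DLL described above offers a simple detection opportunity for defenders: a JPG that contains a long Base64 run which decodes to a PE header is not an ordinary picture. The following is an added example (not code from the original article or from the researchers cited) that scans a file for such runs; it assumes the Base64 text is appended after the JPEG end-of-image marker, and both the carrier image and the "DLL" are constructed stand-ins, not samples from the campaign.

```python
import base64
import re
import struct

# Constructed stand-in for the dropped DLL: a DOS header whose e_lfanew points at a
# 'PE\0\0' signature. It is not a real binary; it only has the header layout the
# heuristic looks for.
def build_fake_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 32

# Constructed carrier: JPEG SOI marker, filler, EOI marker, then the appended blob.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
SAMPLE_WITH_PAYLOAD = FAKE_JPEG + base64.b64encode(build_fake_pe())
SAMPLE_CLEAN = FAKE_JPEG + b"short comment, not base64 at all"

# A Base64 run long enough to plausibly hold a PE header (64 chars = 48 decoded bytes).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(data: bytes) -> list:
    """Offsets of Base64 runs in data that decode to something with a PE header.

    Only the first 4 KB of each run is decoded: the header is all the heuristic
    needs, and a multi-megabyte blob should not be decoded in full just to check it.
    """
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)[:4096]
        run = run[: len(run) - len(run) % 4]  # keep the length a multiple of 4
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if looks_like_pe(decoded):
            hits.append(match.start())
    return hits

def payload_after_image_end(data: bytes, offset: int) -> bool:
    """True if the hit sits past the last JPEG EOI marker, i.e. appended after the image."""
    eoi = data.rfind(b"\xff\xd9")
    return eoi != -1 and offset >= eoi + 2
```

Run `find_embedded_pe()` over downloaded images in a mail or proxy sandbox; a hit that also satisfies `payload_after_image_end()` is a strong indicator of this delivery technique and a good candidate for quarantine and further analysis.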

After the concealed DLL is extracted, it is injected into RegAsm.exe, a legitimate Windows assembly registration tool, which then runs the final Agent Tesla payload. This executable has previously been abused in the same way to load other threats, such as the Quasar RAT.

Agent Tesla itself is a sophisticated .NET-based keylogger and remote access trojan that can siphon sensitive information from infected systems, subsequently relaying that data to a remote server.

Khursale emphasizes the necessity for organizations to stay vigilant against evolving cyber threats, highlighting the adaptive nature of threat actors in modifying their exploitation tactics. This situation underscores a broader trend in cybersecurity where older vulnerabilities resurface as targets; recently, a flaw in Oracle WebLogic Server (CVE-2020-14883) was also reported as being exploited by the 8220 Gang to distribute cryptocurrency miners.

Moreover, incidents of DarkGate malware have surged following its promotion as a malware-as-a-service (MaaS) offering earlier this year, positioning it as a notable successor to QakBot after that botnet was dismantled in August 2023. Zscaler's analysis finds the technology sector particularly exposed to DarkGate campaigns, and notes that many domains associated with the malware are relatively new, suggesting that the attackers systematically register and rotate infrastructure.

Additionally, phishing attacks seem to extend to the hospitality sector, targeting businesses with booking-related emails that distribute information-stealer malware such as RedLine and Vidar Stealer, according to reports from Sophos. As highlighted by researchers Andrew Brandt and Sean Gallagher, initial contacts seem innocuous, solely providing textual communication designed to elicit a quick response from the targeted establishment.

Overall, this exposure illustrates the necessity for heightened cybersecurity awareness among businesses, as phishing attacks evolve in sophistication and execution, capitalizing on both human and technical vulnerabilities.

In a related trend, phishing efforts have also targeted social media users, particularly through fraudulent emails that purport to address "Copyright Infringement" complaints on Instagram. These schemes are engineered to acquire users' two-factor authentication backup codes, which lets the attackers defeat the account's second factor. As Trustwave has reported, the data gathered through these tactics can facilitate account takeovers and is often sold on underground markets.