Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware

Malicious attachments that exploit an RCE flaw from 2017 are propagating Agent Tesla via socially engineered emails and an evasive infection method.

Close-up of a human blue eye with a camera lens drawing superimposed around it
Source: Robert Brown via Alamy Stock Photo

Attackers are exploiting a 6-year-old Microsoft Office remote code execution (RCE) flaw to deliver spyware, in an email campaign weaponized by malicious Excel attachments and characterized by sophisticated evasion tactics.

Threat actors dangle lures relating to business activity in spam emails that deliver files that contain CVE-2017-11882, an RCE flaw that dates back to 2014 and can allow for system takeover, Zscaler revealed in a blog post published Dec. 19. The end goal of the attack is to load Agent Tesla, a remote access Trojan (RAT) and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.

CVE-20170-11882 is a memory-corruption flaw found in the Equation Editor of Microsoft Office. An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and even take over the affected system if a user is logged on with administrator rights. Though the vulnerability has long been patched, older versions of Microsoft Office still in use may be vulnerable.

Despite being nearly a decade old, Agent Tesla remains a common weapon used by attackers and includes features such as clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different Web browsers.

The attack vector is unique in that it pairs a longstanding vulnerability with new complexity and evasion tactics that demonstrate adaption in attackers' infection methods, thus "making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Zscaler senior security researcher Kaivalya Khursale noted in the post.

Email-Based Cyberattack: Typical Lures, Novel Tactics

In its initial infection vector, the campaign seems unexceptional, with threat actors using socially engineered emails with business-oriented lures in messages peppered with words such as "orders" and "invoices." The messages add a sense of urgency by requesting an immediate response from recipients.

But once a user takes the bait, the attack method veers into the unconventional, the researchers found. Opening the malicious Excel attachment with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long. This adds "a layer of complexity to the analysis and deobfuscation," Khursale wrote.

This file in turn starts the download of a malicious JPG file, after which the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL.

After the PowerShell loads, there's another novel tactic: It executes the RegAsm.exe file — the primary function of which  is typically associated with registry read-write operations, Khursale noted. However, in the attack context, the file's purpose is to carry out malicious activities under the guise of a genuine operation, he said. From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.

Agent Tesla Malware in Action

Once deployed, the spyware RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors. It also attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.

Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs, Khursale said. The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.

Zscaler included a comprehensive list of indicators of compromise (IoCs) in the blog post — including a list of the Telegram URLs used for exfiltration; malicious URLS; various malicious Excel, VBS, JPG, and DLL files; and malicious executables — to help identify if a system has been compromised. The post also includes an extensive list of browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials to help organizations remain vigilant.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights