Pathogen info decoy for a remote access trojan

Indian rupee INR sign made of golden numbers. 3D rendering

Agent Tesla malware has been deployed under cover of Covid-19-themed phishing campaigns to exploit two high impact vulnerabilities found in Microsoft Office in 2017, security researchers have discovered.

The remote access trojan (RAT) was smuggled inside attachments with double extension executables like ZIP and RAR, according to a blog post published by Quick Heal Security Labs on April 24.

Aniruddha Dolas, a researcher at the Indian cybersecurity firm who authored the post, outlined how three campaign variants deployed payloads to capture keystrokes, take screenshots, and dump browser passwords, then exfiltrated this data to an e-mail server.

Stolen data could include financial credentials, screenshots, and email and social media credentials, said Himanshu Dubey, director of Quick Heal. “This data can later be used for digital crimes, including financial crimes,” he told The Daily Swig.

In the corporate sphere, attackers could abuse stolen information like “trade secrets, customer data, [and] client information […] to extort money […] sell trade secrets to a competitor, or malign their reputation.”

Office exploits

Two of the three variants examined by researchers exploited a stack-based buffer overflow vulnerability present in the Microsoft Equation editor tool in unpatched versions of Microsoft Office 2016 and older (CVE-2017-11882).

Hidden inside attachments titled either ‘COVID 19 NEW ORDER FACE MASKS.doc.rtf’ or “COVID-19 Supplier”, the payload performed code injection in the windows process RegAsm.exe and relayed stolen data back to the command and control server.

The other variant analysed – associated with RTF files called ‘COVID-19 SUSPECTED AFFECTED VESSEL.doc’ or ‘COVID-19 measures for FAIRCHEM STEED, Voyage (219152).doc’ – contained an OLE2Link object that exploited a remote code execution vulnerability, also impacting Microsoft Office 2016 and older (CVE-2017-8570).

The winword.exe process then executed an embedded .sct file containing code that executed PowerShell.exe, which downloaded and executed a payload from a remote server.

Agent Tesla, which was deployed in another recent phishing campaign, first emerged in 2014 and is written in Microsoft’s .Net language.

Would-be cyber-villains can buy a subscription license from the official Agent Tesla website.

In the blog post, Aniruddha Dolas said users should “avoid opening attachments & clicking on web links in unsolicited emails.”

Dubey added that users could further mitigate risks with multi-factor authentication, employee awareness training, and keeping “systems and software updated with latest patches applied.”

RELATED EU calls for ceasefire on cyber-attacks exploiting coronavirus pandemic