A new cyber-attack technique, which includes tampering with a well-known exploit chain to blind antivirus solutions, has been uncovered which is spreading information-stealing malware.
Researchers from Cisco Talos said on earlier this month that the new malware campaign is spreading Agent Tesla, a virulent form of spyware.
The Trojan is able to monitor and collects the victim’s keyboard inputs, system clipboard, take screenshots, and exfiltrate credentials belonging to of a variety of software installed on a victim’s machine. This includes the Google Chrome and Mozilla Firefox browsers, as well as the Microsoft Outlook email client.
Alongside Agent Tesla, the campaign is also spreading Loki, another information and credential stealer.
While spyware and surveillance malware is often spread covertly through phishing attacks, bundled as Potentially Unwanted Programs (PUP) with other software, and downloaded through malicious links, the latest wave of attacks has revealed something unusual.
The threat actors behind the campaign have tampered with a well-known exploit chain and “modified it in such a way so that antivirus solutions don’t detect it,” according to Talos.
The hackers have created an infrastructure leveraging CVE-2017-11882 and CVE-2017-0199 — a remote code execution flaw in Microsoft Office and a memory handling bug which permits arbitrary code execution — to distribute Agent Tesla and Loki.
However, the infrastructure is also being used to distribute other forms of malware including the Gamarue Trojan, which has been connected to botnets in the past.
The attack begins with the download of a malicious Microsoft.DOCX file which contains instructions to download an RTF file from inside the document. It is this tweak in the exploit chain which goes unnoticed by antivirus solutions.
“At the time the file was analysed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal,” the researchers say. “Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file.”
The RTF file format, developed by Microsoft, is intended to act as a cross-platform document interchange.
Some Arc Systems customers are already protected by this new attack. MIMECAST is the perfect solution to protecting you from all sorts of cyber-related attacks.
Mimecast provides critical defence against spam, commodity, as well as complex targeted email-borne attacks. With their comprehensive email security, Mimecast is designed to address the most complex email threats, providing a level of protection allowing you to focus on what is most important – your organisation.
Watch the video below to show how Mimecast are protecting business through their software and if you require further information on how Arc Systems can help, drop us an email at firstname.lastname@example.org.