December 20, 2023 at 11:08AM
Attackers exploit a 6-year-old Microsoft Office flaw, CVE-2017-11882, in an email campaign delivering spyware via malicious Excel attachments. Zscaler revealed that the end goal is to load Agent Tesla, a remote access Trojan, in a unique attack vector that pairs a longstanding vulnerability with new complexity and evasion tactics. Organizations are urged to stay updated on evolving cyber threats.
The report describes a sophisticated cyberattack leveraging a 6-year-old Microsoft Office remote code execution (RCE) flaw, CVE-2017-11882, to deliver spyware. The attackers use email campaigns with malicious Excel attachments to exploit the vulnerability, ultimately deploying Agent Tesla, a remote access Trojan (RAT) and keylogger. The attack includes novel evasion tactics and added complexity, making it crucial for organizations to stay updated on evolving cyber threats.
The email-based cyberattack begins with socially engineered emails containing business-related lures such as “orders” and “invoices,” creating a sense of urgency for recipients. Once the bait is taken, the attack veers into unconventional territory. The malicious Excel attachment initiates communication with a malicious destination, leading to the download of obfuscated VBS and JPG files, followed by the execution of PowerShell and RegAsm.exe to fetch and inject the Agent Tesla payload.
Upon deployment, Agent Tesla steals data from various applications, deploys keyboard and clipboard hooks to monitor keystrokes and copied data, and sends the exfiltrated data to a malicious destination via a Telegram bot. Zscaler has provided a comprehensive list of indicators of compromise (IoCs) to help organizations identify if a system has been compromised.
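The attack chain above (Excel attachment, obfuscated VBS, PowerShell, RegAsm.exe hosting the injected Agent Tesla payload, exfiltration through a Telegram bot) maps onto a small set of parent/child process relationships and one outbound connection that a defender can alert on from endpoint telemetry. The following is an added example, not code from Zscaler or from the original article: a rule set over Sysmon-style process-creation and network events. The rules, the event records and the sample log are constructed for this example; EQNEDT32.EXE is the Equation Editor binary affected by CVE-2017-11882, and api.telegram.org is the Telegram Bot API host. Real command lines and file paths in an incident will differ, so treat the rule set as a starting point rather than a signature.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """A process-creation record (Sysmon Event ID 1 style), constructed for this example."""
    ts: str
    parent: str   # full path of the parent image
    image: str    # full path of the created process
    cmdline: str = ""


@dataclass
class NetEvent:
    """An outbound network-connection record (Sysmon Event ID 3 style)."""
    ts: str
    image: str
    dest_host: str


# (parent image pattern, child image pattern, description). Hypothetical rule set
# mirroring the chain described in the article; patterns are matched on the
# lower-cased file name only, so install paths do not matter.
PROCESS_RULES: List[Tuple[str, str, str]] = [
    ("excel.exe", "eqnedt32.exe", "Office spawned Equation Editor (CVE-2017-11882 exploitation pattern)"),
    ("eqnedt32.exe", "*", "Equation Editor spawned a child process"),
    ("wscript.exe", "powershell.exe", "Script host launched PowerShell (VBS stager pattern)"),
    ("cscript.exe", "powershell.exe", "Script host launched PowerShell (VBS stager pattern)"),
    ("powershell.exe", "regasm.exe", "PowerShell launched RegAsm.exe (injection host for Agent Tesla)"),
]

# (process image pattern, destination host, description)
NETWORK_RULES: List[Tuple[str, str, str]] = [
    ("regasm.exe", "api.telegram.org", "RegAsm.exe contacting Telegram Bot API (Agent Tesla exfiltration pattern)"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _base(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcEvent) -> List[str]:
    """Return the descriptions of every process rule the event matches."""
    parent, child = _base(ev.parent), _base(ev.image)
    hits = [desc for p, c, desc in PROCESS_RULES
            if fnmatch.fnmatchcase(parent, p) and fnmatch.fnmatchcase(child, c)]
    # Script host executing a .vbs file, regardless of who launched it.
    if child in SCRIPT_HOSTS and ".vbs" in ev.cmdline.lower():
        hits.append("Script host executing a .vbs file")
    return hits


def check_network(ev: NetEvent) -> List[str]:
    """Return the descriptions of every network rule the event matches."""
    image = _base(ev.image)
    return [desc for p, host, desc in NETWORK_RULES
            if fnmatch.fnmatchcase(image, p) and ev.dest_host.lower() == host]


def analyze(proc_events: List[ProcEvent], net_events: List[NetEvent]) -> List[Tuple[str, str, str]]:
    """Run all rules and return (timestamp, image name, description) alerts in event order."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in proc_events:
        alerts.extend((ev.ts, _base(ev.image), d) for d in check_process(ev))
    for ev in net_events:
        alerts.extend((ev.ts, _base(ev.image), d) for d in check_network(ev))
    return alerts


# Constructed sample telemetry for one endpoint. Paths and command lines are illustrative.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

SAMPLE_PROCESS_EVENTS = [
    ProcEvent("10:00:01", r"C:\Windows\explorer.exe", OFFICE, "EXCEL.EXE invoice.xlsx"),  # benign on its own
    ProcEvent("10:00:05", OFFICE, EQNEDT, "EQNEDT32.EXE -Embedding"),
    ProcEvent("10:00:06", EQNEDT, CMD, "cmd.exe /c start /min wscript.exe stage.vbs"),
    ProcEvent("10:00:07", CMD, WSCRIPT, r"wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs"),
    ProcEvent("10:00:09", WSCRIPT, PWSH, "powershell.exe -w hidden -enc <placeholder>"),
    ProcEvent("10:00:12", PWSH, REGASM, "RegAsm.exe"),
]
SAMPLE_NETWORK_EVENTS = [
    NetEvent("10:00:20", REGASM, "api.telegram.org"),
    NetEvent("10:00:21", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.telegram.org"),  # browser, not flagged
]

if __name__ == "__main__":
    for ts, image, desc in analyze(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"{ts} {image}: {desc}")
```

The benign first event (Explorer opening Excel) and the browser's own connection to api.telegram.org produce no alert; each of the remaining five process events and the RegAsm.exe connection trips exactly one rule, so the sample run yields six alerts. In practice the individual rules vary in strength: Excel spawning EQNEDT32.EXE and EQNEDT32.EXE spawning anything are high-confidence on their own, while PowerShell launching RegAsm.exe or a script host running a .vbs file are better weighted by correlating them, as here, with the preceding steps on the same host.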
Overall, the report emphasizes the importance of organizations remaining vigilant and updated on evolving cyber threats to safeguard their digital landscape.