December 21, 2023 at 02:45AM
Attackers are utilizing an old Microsoft Office vulnerability in phishing campaigns to distribute Agent Tesla malware. The infection chains leverage decoy Excel documents in invoice-themed messages to trick targets into opening them. Once downloaded, the malware initiates communication with a malicious destination to download additional files. Organizations must stay updated on evolving cyber threats to safeguard their digital landscape.
From the meeting notes, here are the key takeaways:
– Attackers are exploiting an old Microsoft Office vulnerability (CVE-2017-11882) as part of phishing campaigns to distribute a strain of malware called Agent Tesla. This malware is a .NET-based advanced keylogger and remote access trojan (RAT) that can extract sensitive information from compromised hosts.
– The infection method involves decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activating the exploitation of the vulnerability.
– Once the malicious attachment is opened, it initiates communication with a malicious destination and downloads additional files without requiring further user interaction. The attack chain involves obfuscated Visual Basic Script, a malicious JPG file with an embedded Base64-encoded DLL, and injection of the concealed DLL into RegAsm.exe to launch the final payload.
– It is crucial for organizations to stay updated on evolving cyber threats to safeguard their digital landscape, as threat actors constantly adapt infection methods.
– In addition to the Microsoft Office vulnerability, other old security flaws are also being utilized by threat actors, such as a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883) being exploited by the 8220 Gang to deliver cryptocurrency miners.
– DarkGate malware activity has increased after it began to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following its takedown back in August 2023.
– Phishing campaigns have targeted various sectors, including the hospitality sector, with booking-related email messages to distribute information stealer malware, and have also taken the form of bogus Instagram “Copyright Infringement” emails to steal users’ two-factor authentication (2FA) backup codes via fraudulent web pages – a scheme called Insta-Phish-A-Gram.
These insights highlight the evolving tactics of threat actors and the importance for organizations to stay vigilant in the face of phishing attacks and malware exploitation.