New Technique Recycles Exploit Chain to Keep Antivirus Silent

LASER_oneXM
Feb 4, 2016
In a new malware campaign, cybercriminals modified a known exploit chain to push Agent Tesla info stealer without triggering detection from common antivirus products.
Cybercriminals set up an infrastructure to deliver multiple malware families via two public exploits for Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882.

Built to drop a hail of malware

According to analysts from Cisco Talos, the campaign intended to drop at least three payloads: Agent Tesla, Loki, and Gamarue. All of them are capable of stealing information, and of the three, only Loki lacks remote access features.

The attack starts with an email containing a Word document (DOCX) that includes routines for downloading and opening an RTF file, which delivers the final payload. It is this RTF that passes unnoticed.

"Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for 'RTF/Malform-A.Gen,' while Zoner said it was likely flagged for 'RTFBadVersion'," the researchers write in a report today.
 
So Talos researchers only tested static signatures, and after that they came to the conclusion that this technique kept antivirus silent, is that right?

I am not trying to defend antivirus vendors, but I don't like fearmongering like this. I know that this technique is somewhat nasty, but the "conclusion" is misleading.

How about behavior blockers? Did the payload actually execute on machines protected by "old" gen antivirus solutions? And if so, was it caught by advanced modules?

Anyway, Microsoft really needs to build versions of Office and Windows 10 without all that vulnerability stuff that home users don't use or need.
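As an added example (not code from the Talos report or from this thread), here is a small Python triage script for the delivery pattern the quoted excerpt describes: a DOCX whose package relationships point at an external OLE target, which is the CVE-2017-0199 delivery pattern, and an RTF whose header is not the canonical `{\rtf1` form, the kind of malformation the report says AhnLab-V3 and Zoner flagged. The sample DOCX and RTF bytes are constructed inside the script, and the URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def docx_external_ole_targets(docx_bytes: bytes) -> list:
    # A DOCX that fetches a second-stage document through an OLE link carries a
    # relationship of type oleObject with TargetMode="External" in a .rels part.
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                    hits.append(rel.get("Target"))
    return hits


def classify_rtf_header(data: bytes) -> str:
    # Canonical RTF begins with "{\rtf1"; Word's parser is lenient, so files that
    # start with a truncated "{\rt..." still open but are malformed on purpose.
    head = data.lstrip()[:8]
    if not head.startswith(b"{\\rt"):
        return "not-rtf"
    return "ok" if head.startswith(b"{\\rtf1") else "malformed"


def build_sample_docx(target: str) -> bytes:
    # Constructed test fixture: a minimal DOCX whose only relationship is an
    # external OLE link. The target URL is a placeholder, not a real indicator.
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, OLE_REL, target)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/stage2.rtf")
    print("external OLE targets:", docx_external_ole_targets(sample))
    print("rtf header:", classify_rtf_header(b"{\\rt1\\ansi\\deff0 }"))
```

Run over a mail gateway's attachment quarantine, a non-empty list from the first check or a "malformed" verdict from the second is a reason to detonate the file in a sandbox rather than rely on a signature verdict alone.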