New Technique Recycles Exploit Chain to Keep Antivirus Silent

LASER_oneXM

In a new malware campaign, cybercriminals modified a known exploit chain to push Agent Tesla info stealer without triggering detection from common antivirus products.
Cybercriminals set up an infrastructure to deliver multiple malware families via two public exploits for Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882.

Built to drop a hail of malware

According to analysts from Cisco Talos, the campaign intended to drop at least three payloads: Agent Tesla, Loki, and Gamarue. All of them are capable of stealing information, and of the three only Loki lacks remote access features.

The attack starts with an email containing a Word document (DOCX) that includes routines for downloading and opening an RTF file, which delivers the final payload. It is this RTF that passes unnoticed.

"Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for 'RTF/Malform-A.Gen,' while Zoner said it was likely flagged for 'RTFBadVersion'," the researchers write in a report today.
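A static triage check for the RTF stage described in the post above, added here as an example and not code from Cisco Talos or the article. It flags the header malformation the quoted engines labelled "RTFBadVersion" (a `{\rtf` header missing the `1` that every genuine RTF carries), counts the standard control words that introduce embedded OLE objects, and measures the hex blob that follows `\objdata`. The three sample documents are constructed for illustration, and the verdict thresholds are this example's own choices rather than anything stated in the report.

```python
"""Static triage of RTF attachments: header sanity plus embedded-object indicators.

Added example for the thread above; sample documents are constructed, not real
samples from the campaign.
"""
import re
import sys

# A well-formed RTF document starts with "{\rtf1" at offset 0 (RTF 1.x is the only
# version that exists). "{\rtf" with no digit, or "{\rtf2", is the malformation the
# engines called "RTFBadVersion"; the thread shows Word still opens such a file and
# delivers its payload, so the malformation is a detection signal, not a reason to
# assume the file is harmless.
HEADER_RE = re.compile(rb"^\{\\rtf(?P<ver>\d*)")

# Standard RTF control words that introduce embedded or linked OLE objects.
# \objupdate forces Word to refresh the object when the document is opened and is a
# well-known indicator in weaponized RTFs, so it weighs more than the others here.
OBJECT_WORDS = ("object", "objemb", "objautlink", "objupdate", "objdata")

# \objdata is followed by the object's bytes encoded as hex; a large blob is the
# usual carrier of a dropped payload.
HEX_BLOB_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]{20,})")


def rtf_header_version(data: bytes):
    """Digits after '{\\rtf' ('1' for a normal file), '' when the header carries no
    version, or None when the file does not start with '{\\rtf' at all."""
    m = HEADER_RE.match(data)
    return m.group("ver").decode() if m else None


def count_object_words(data: bytes) -> dict:
    """Occurrences of each OLE control word; \\b keeps 'object' from matching 'objectx'."""
    return {w: len(re.findall(rb"\\" + w.encode() + rb"\b", data)) for w in OBJECT_WORDS}


def hex_payload_bytes(data: bytes) -> int:
    """Size in bytes of the largest hex blob following \\objdata (0 if there is none)."""
    sizes = [len(re.sub(rb"\s", b"", blob)) // 2 for blob in HEX_BLOB_RE.findall(data)]
    return max(sizes, default=0)


def triage_rtf(data: bytes) -> dict:
    """Return findings and a verdict: 'suspicious' (bad header or \\objupdate),
    'review' (embedded objects in an otherwise well-formed file) or 'clean'."""
    findings = []
    ver = rtf_header_version(data)
    if ver is None:
        findings.append("file does not start with {\\rtf")
    elif ver != "1":
        findings.append(f"malformed RTF version {ver!r} (expected '1')")
    words = {w: n for w, n in count_object_words(data).items() if n}
    if words:
        findings.append("OLE object control words: " + ", ".join(f"\\{w} x{n}" for w, n in sorted(words.items())))
    blob = hex_payload_bytes(data)
    if blob:
        findings.append(f"\\objdata hex payload of {blob} bytes")
    if ver != "1" or "objupdate" in words:
        verdict = "suspicious"
    elif words:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "header_version": ver, "object_words": words,
            "hex_payload_bytes": blob, "findings": findings}


# Constructed samples: a plain document, a well-formed one with an embedded object,
# and one with the "{\rtf" no-version header plus \objupdate on its object.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}}\\f0\\fs22 Quarterly report attached.\\par}"
EMBEDDED_RTF = b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata 0105000002000000" + b"00" * 16 + b"}}}"
MALFORMED_RTF = (b"{\\rtf\\ansi {\\object\\objemb\\objupdate {\\*\\objdata 0105000002000000 "
                 + b"41" * 32 + b" }}}")

if __name__ == "__main__":
    # Triage a file given on the command line, otherwise the built-in samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage_rtf(fh.read()))
    else:
        for name, doc in (("benign", BENIGN_RTF), ("embedded", EMBEDDED_RTF), ("malformed", MALFORMED_RTF)):
            print(name, triage_rtf(doc))
```

The header test is the cheap, high-value part: a signature engine that normalises the header before scanning never sees the malformation, whereas a byte-exact check at offset 0 does. Embedded objects by themselves are common in legitimate documents, which is why they only produce a "review" verdict unless the header is also wrong or `\objupdate` is present.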
 

ForgottenSeer 69673

I see Edge was not on their list of vulnerable browsers (y)
 

Nightwalker

So Talos researchers only tested static signatures, and after that they came to the conclusion that this technique kept antivirus in silence, is that right?

I am not trying to defend antivirus vendors, but I don't like fearmongering like this. I know that this technique is somewhat nasty, but the "conclusion" is misleading.

How about behavior blockers? Did the payload actually execute on machines protected by "old" gen antivirus solutions? And if so, was it caught by advanced modules?

Anyway, Microsoft really needs to build versions of Office and Windows 10 without all that vulnerability stuff that home users don't use or need.
 
