In a new malware campaign, cybercriminals modified a known exploit chain to push Agent Tesla info stealer without triggering detection from common antivirus products.
Cybercriminals set up infrastructure to deliver multiple malware families via public exploits for two Microsoft Word vulnerabilities, CVE-2017-0199 and CVE-2017-11882.
Built to drop a hail of malware
According to analysts from Cisco Talos, the campaign intended to drop at least three payloads: Agent Tesla, Loki, and Gamarue. All of them are capable of stealing information, and of the three only Loki lacks remote access features.
The attack starts with an email containing a Word document (DOCX) that includes routines for downloading and opening an RTF file, which delivers the final payload. It is this RTF that passes unnoticed.
"Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for 'RTF/Malform-A.Gen,' while Zoner said it was likely flagged for 'RTFBadVersion'," the researchers write in a report today.
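As a defender-side triage illustration added here (it is not code from the Talos report or the article), the Python script below checks for the two traits the text describes: a DOCX whose relationships point at an external target, which is how a document can be made to fetch a second-stage file, and an RTF whose header lacks the standard `{\rtf1` version token, the kind of malformation a "RTFBadVersion" verdict keys on. The sample DOCX and the URL inside it are constructed, and skipping hyperlink-type relationships is an assumption made to avoid flagging ordinary links.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Well-formed RTF starts with "{\rtf1"; exploit RTFs are often malformed here.
RTF_HEADER = re.compile(rb"^\{\\rtf(\d*)")
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def rtf_header_status(data: bytes) -> str:
    """Classify the RTF header as 'ok', 'bad-version' or 'not-rtf'."""
    m = RTF_HEADER.match(data)
    if m is None:
        return "not-rtf"
    return "ok" if m.group(1) == b"1" else "bad-version"

def docx_external_targets(docx_bytes: bytes) -> list:
    """Return (rels file, target) for every non-hyperlink external relationship.
    Ordinary hyperlinks are External too, so they are skipped (assumption); any
    other external target, such as a linked OLE object, is worth a closer look."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter():  # tags carry a namespace prefix, so match by suffix
                if (rel.tag.endswith("Relationship")
                        and rel.get("TargetMode") == "External"
                        and rel.get("Type") != HYPERLINK):
                    found.append((name, rel.get("Target")))
    return found

def build_sample_docx(target: str) -> bytes:
    """Constructed minimal DOCX (not a real sample) with one external OLE link."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" TargetMode="External" Target="{target}" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `docx_external_targets` over mail attachments and `rtf_header_status` over anything they fetch; either hit alone is a reason to detonate the file in a sandbox rather than trust the antivirus verdict.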