New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

By Deeba Ahmed. FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices. This is a post from HackRead.com.


The new Agent Tesla variant exploits the CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware.

Key Findings

  • A new variant of the Agent Tesla malware family is being used in a phishing campaign.

  • The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.

  • The malware is spread through a malicious MS Excel attachment in phishing emails.

  • The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.

  • The malware ensures persistence even when the device is restarted or the malware process is killed.

New Agent Tesla Variant Detected in Malicious Phishing Campaign

FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator by email over the SMTP protocol. The malware mainly infects Windows devices.

For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.

How Do Phishers Trap Users?

This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.

The email contains a malicious MS Excel attachment titled Order 45232429.xls. This document is in OLE format and, instead of using a VBS macro, contains crafted equation data that exploits an old RCE vulnerability tracked as CVE-2017-11882/CVE-2018-0802.

This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through the process hollowing method, in which a hacker replaces the executable file’s code with malicious code.

The shellcode downloads and executes the Agent Tesla file (dasHost.exe) from the link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted device. It is a .NET program protected by IntelliLock and .NET Reactor. Relevant modules are encrypted/encoded in the Resource section to protect its core module from detection and analysis.

It is worth noting that Microsoft released fixes for this vulnerability in November 2017 and January 2018. However, it is still being exploited by threat actors, which indicates that unpatched devices remain in use. According to FortiGuard research, they observe around 1300 vulnerable devices daily and mitigate 3,000 attacks at the IPS level per day.
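The exploit chain described above runs inside EQNEDT32.EXE, so network connections, dropped executables and child processes from that process are the behaviours to alert on. The following is an added detection sketch, not code from FortiGuard or HackRead; the event field names, the drop location and the sample events are assumptions constructed for illustration.

```python
# Added example: flag Equation Editor post-exploitation behaviour in endpoint telemetry.
# Events are constructed, simplified stand-ins for Sysmon records
# (event_id 1 = process create, 3 = network connection, 11 = file create).
import ntpath

EQNEDT = "eqnedt32.exe"
EXECUTABLE_EXT = (".exe", ".dll", ".scr")
EQNEDT_PATH = r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
DROP_PATH = r"C:\Users\alice\AppData\Roaming\dasHost.exe"  # constructed location

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def detect_eqnedt_abuse(events):
    """Return (rule, event) pairs for suspicious Equation Editor activity."""
    hits = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 1 and base(ev.get("parent_image")) == EQNEDT:
            hits.append(("eqnedt_spawned_child", ev))
        elif eid == 3 and base(ev.get("image")) == EQNEDT:
            hits.append(("eqnedt_network_connection", ev))
        elif (eid == 11 and base(ev.get("image")) == EQNEDT
              and ev.get("target_filename", "").lower().endswith(EXECUTABLE_EXT)):
            hits.append(("eqnedt_wrote_executable", ev))
    return hits

SAMPLE_EVENTS = [  # constructed
    # Excel starting normally: not flagged
    {"event_id": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Equation Editor being launched is not suspicious by itself
    {"event_id": 1, "image": EQNEDT_PATH, "parent_image": r"C:\Windows\System32\svchost.exe"},
    # ...but it has no reason to use the network, drop binaries or start programs
    {"event_id": 3, "image": EQNEDT_PATH, "dest_ip": "203.0.113.10", "dest_port": 80},
    {"event_id": 11, "image": EQNEDT_PATH, "target_filename": DROP_PATH},
    {"event_id": 1, "image": DROP_PATH, "parent_image": EQNEDT_PATH},
]

if __name__ == "__main__":
    for rule, ev in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print("ALERT", rule, ev.get("image"))
```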

The phishing email and the ShellCode identified by the researchers (Screenshots: FortiGuard Labs)

Analysis of Agent Tesla Activities

According to FortiGuard Labs’ report, published on 5 Sep 2023, the Agent Tesla variant steals stored credentials from web browsers, email clients, FTP clients, etc. There is a long list of targeted software and email clients available here.

The malware sets a keyboard hook through the API SetWindowsHookEx() to monitor low-level keyboard inputs and calls the callback hook procedure “this.EiqpViCm9()” whenever the victim types something on the device. The malware steals the program title, time, and input contents at regular intervals. A Timer calls a method to check the log.tmp file every 20 seconds and sends the info to the attacker via SMTP. Moreover, the malware uses another Timer with a 20-minute interval to check for device activities and determine when to capture screenshots.

How does Agent Tesla maintain persistence?

Agent Tesla malware ensures persistence even when the device is restarted, or the malware process is killed, using two methods. It either executes a command in the payload module that creates a task in the Task Scheduler system or adds an auto-run item in the system registry. These methods allow the duplicated copy of dasHost.exe to launch automatically when the system restarts.
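Both persistence methods leave telemetry a defender can hunt for: a schtasks.exe /create command line or a value written under a Run key. The following is an added detection sketch, not code from FortiGuard or HackRead; the event field names, task and value names, and the file path are assumptions constructed for illustration, and the masquerade check relies on the genuine Windows dasHost.exe residing in System32.

```python
# Added example: flag the two autostart methods described above in endpoint telemetry.
# Events are constructed, simplified stand-ins for Sysmon records
# (event_id 1 = process create, 13 = registry value set).
import ntpath
import re

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)  # program run by the task

def autostart_target(ev):
    """Return the program an event registers for automatic launch, else None."""
    if ev["event_id"] == 1 and ntpath.basename(ev["image"]).lower() == "schtasks.exe":
        if re.search(r"/create\b", ev["command_line"], re.I):
            m = TR_ARG.search(ev["command_line"])
            return (m.group(1) or m.group(2)) if m else None
    if ev["event_id"] == 13 and RUN_KEY.search(ev["target_object"]):
        return ev["details"].strip('"')
    return None

def detect_persistence(events):
    """Return (target, reasons) for autostart entries that look suspicious."""
    hits = []
    for ev in events:
        target = autostart_target(ev)
        if not target:
            continue
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("user_writable_path")
        # The genuine Windows dasHost.exe lives in System32; a copy elsewhere is masquerading.
        if (ntpath.basename(target).lower() == "dashost.exe"
                and "\\windows\\system32\\" not in target.lower()):
            reasons.append("dashost_outside_system32")
        if reasons:
            hits.append((target, reasons))
    return hits

COPY = r"C:\Users\alice\AppData\Roaming\dasHost.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed; the task and value names are placeholders
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": f'schtasks.exe /create /sc minute /mo 2 /tn "ExampleTask" /tr "{COPY}" /f'},
    {"event_id": 13, "target_object": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "details": COPY},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe"'},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "command_line": "schtasks.exe /query"},
]
```

Legitimate software also installs itself under AppData, so the user-writable-path reason is a triage signal; the name-outside-System32 reason is the stronger of the two.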

Protection against such campaigns

Be suspicious of any email that asks for your personal or financial information: Phishing emails often try to trick you into giving up your passwords, credit card numbers, or other sensitive information. Never click on links or open attachments in emails from senders you don’t know or trust.

Keep your software up to date: Software updates often include security patches that can help protect you from malware. Make sure to install security updates as soon as they are available.

Use a strong antivirus and anti-malware program: Antivirus and anti-malware programs can help detect and remove malware from your computer. Keep your antivirus and anti-malware programs up to date and scan your computer regularly.

Be careful what you click on: Phishing emails often contain links that lead to malicious websites. If you click on a link in an email, make sure to check the URL carefully before visiting the website.

Use a spam filter: A spam filter can help reduce the number of phishing emails that you receive.

Educate yourself about phishing: The more you know about phishing, the better you will be able to spot it. Read up on phishing scams and how to protect yourself.
