Security researchers report that criminal groups continue to exploit a long-patched Microsoft Office vulnerability, tracked as CVE-2017-11882, to distribute the Agent Tesla information-stealing malware. Although Microsoft fixed the flaw in November 2017, it remains an effective entry point on systems that never received the update, and the attack still starts with a carefully crafted phishing email.
Infectious Documents in Disguise
The lure is an email attachment with a business-sounding name such as "orders" or "invoices". Behind the label is a weaponized Excel document: once the recipient downloads and opens it, the exploit fires and the document quietly contacts an attacker-controlled server, which hands back additional obfuscated malware files. After the document is opened, no further action by the user is needed.
The vulnerable component is EQNEDT32.EXE, the legacy Equation Editor that Office launches as a separate process to handle embedded equation objects. It copies the font name from an equation record into a fixed-size stack buffer without checking its length, so a malformed object corrupts memory and lets the attacker run arbitrary code inside the Equation Editor process. Microsoft patched the binary in November 2017 and removed the Equation Editor from Office altogether in January 2018, yet installations that are unpatched or out of support keep the exploit viable. Microsoft had already warned about in-the-wild abuse of the flaw:
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Threat Intelligence (@MsftSecIntel) June 7, 2019
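Because Office hands equation objects to EQNEDT32.EXE as a separate process, a successful exploit shows up in endpoint telemetry as the Equation Editor spawning a child process, something it has no legitimate reason to do. The following is an added example, not code from the original article or from any vendor mentioned in it: it parses Sysmon-style Event ID 1 (Process Create) message bodies and flags any process whose parent is EQNEDT32.EXE. The sample events, paths, PIDs and user names are constructed for the example.

```python
import ntpath
from typing import Dict, List

# Constructed sample telemetry in the "Field: value" layout of Sysmon's
# Event ID 1 (Process Create) message body. These are NOT real logs; the
# paths, PIDs and account names are invented for the example.
SAMPLE_EVENTS = r"""
Process Create:
ProcessId: 5120
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Downloads\orders.xlsx"
ParentImage: C:\Windows\explorer.exe
User: CORP\alice

Process Create:
ProcessId: 5188
Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
CommandLine: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
ParentImage: C:\Windows\System32\svchost.exe
User: CORP\alice

Process Create:
ProcessId: 5204
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd /c wscript C:\Users\alice\AppData\Local\Temp\upd.vbs
ParentImage: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
User: CORP\alice

Process Create:
ProcessId: 5230
Image: C:\Windows\System32\notepad.exe
CommandLine: notepad.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\alice
"""

EQUATION_EDITOR = "eqnedt32.exe"


def parse_sysmon_messages(text: str) -> List[Dict[str, str]]:
    """Split a blob of Sysmon message bodies (blank-line separated) into dicts.

    The first line of each body ("Process Create:") carries no value and is
    stored under "EventType"; every other "Field: value" line is kept as-is.
    Only the first colon is used as the separator so Windows paths survive.
    """
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        else:
            current["EventType"] = key
    if current:
        events.append(current)
    return events


def find_equation_editor_children(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every Process Create event whose parent is EQNEDT32.EXE.

    The Equation Editor itself is normally started by the DCOM launcher
    (svchost.exe ... -Embedding); that event is expected and not flagged.
    A child process of EQNEDT32.EXE, on the other hand, is the signature of
    CVE-2017-11882 shellcode handing off to a second stage.
    """
    hits = []
    for ev in events:
        if ev.get("EventType") != "Process Create":
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent == EQUATION_EDITOR:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_equation_editor_children(parse_sysmon_messages(SAMPLE_EVENTS)):
        print(f"ALERT pid={hit['ProcessId']} user={hit['User']} cmd={hit['CommandLine']}")
```

The rule is deliberately unconditional about which child is spawned: the exploit's payload has varied across campaigns (cmd.exe, mshta.exe, PowerShell, a script host), but the parent-child relationship itself is the stable artifact.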
Advanced Evasion and Exfiltration Techniques
In the next stage, the VBS script retrieved from the attacker's server runs heavily obfuscated code designed to frustrate analysis, then downloads a JPG file with a Base64-encoded DLL hidden inside it. A PowerShell script decodes the DLL out of the image and loads it, and that stage finally fetches the Agent Tesla payload. Once running, Agent Tesla logs keystrokes, captures screenshots and harvests stored credentials, giving the operators a persistent view into sensitive corporate data.
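Hiding a Base64-encoded DLL inside an image defeats naive file-type checks, but the encoded payload is still recoverable from the file on disk or from a proxy capture. The following is an added example, not code from the original article or from the campaign's own tooling: it scans a file for long Base64 runs, decodes each candidate at all four alignments, and keeps only those whose decoded bytes carry a valid PE header, reporting whether the PE is a DLL. The "image" it scans is constructed inline from a fake, non-functional PE stub and a decoy text block; no real malware is involved.

```python
import base64
import binascii
import re
import struct
from typing import Dict, Iterator, List

# --- Constructed sample input (NOT a real malware artifact) -----------------
# A minimal fake DLL: a DOS header whose e_lfanew points at a COFF header with
# IMAGE_FILE_DLL (0x2000) set in Characteristics. It cannot be loaded or run.
_COFF_HEADER = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
FAKE_DLL = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew at 0x3C -> 0x80
    + b"\x00" * (0x80 - 0x40)
    + b"PE\x00\x00" + _COFF_HEADER + b"\x00" * 80
)
# A decoy: a long Base64 run that decodes to plain text rather than a PE.
DECOY_B64 = base64.b64encode(b"Comment: harmless EXIF-style text block " * 3)

SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"          # JPEG SOI + APP0 marker
    + b"\x00\x01\x80\xff" * 16                   # filler outside the Base64 alphabet
    + DECOY_B64 + b"\x00\xff"
    + base64.b64encode(FAKE_DLL) + b"\x00\x80"   # the hidden DLL
    + b"\xff\xd9"                                # JPEG EOI
)
CLEAN_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + DECOY_B64 + b"\xff\xd9"

IMAGE_FILE_DLL = 0x2000
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew reaches a PE/COFF header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    return e_lfanew + 24 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dll(blob: bytes) -> bool:
    """Read COFF Characteristics (PE signature + 22) and test IMAGE_FILE_DLL."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def _decode_alignments(chunk: bytes) -> Iterator[bytes]:
    """Yield decodings of a Base64 run at each of the four possible alignments.

    A run found by regex may begin a few characters before the real payload
    (surrounding data can be Base64-alphabet bytes), so each offset is tried.
    """
    for skip in range(4):
        body = chunk[skip:]
        if len(body) % 4:
            body = body.rstrip(b"=")
            body = body[: len(body) - len(body) % 4]
        if len(body) < 64:
            continue
        try:
            yield base64.b64decode(body, validate=True)
        except binascii.Error:
            continue


def carve_base64_pe(data: bytes) -> List[Dict]:
    """Return every Base64-embedded PE image found in data, with offset and DLL flag."""
    hits: List[Dict] = []
    for match in BASE64_RUN.finditer(data):
        for blob in _decode_alignments(match.group(0)):
            if looks_like_pe(blob):
                hits.append({"offset": match.start(), "size": len(blob),
                             "is_dll": is_dll(blob), "data": blob})
                break
    return hits


if __name__ == "__main__":
    for hit in carve_base64_pe(SAMPLE_IMAGE):
        print(f"embedded PE at offset {hit['offset']}: {hit['size']} bytes, dll={hit['is_dll']}")
```

Run against a real capture, the same function writes out whatever it carves for further analysis; the PE header check is what keeps ordinary Base64 content in images (EXIF comments, ICC profiles, XMP metadata) from producing false positives.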
To counter such threats, companies should keep all software current with the latest security patches, confirm that the Equation Editor component is either patched or removed on every Office installation (Microsoft dropped it from Office in January 2018), and train employees to treat unsolicited email attachments with suspicion. Security firms emphasize that malware delivery methods keep evolving, and they stress the importance of staying informed about emerging threats in order to defend digital infrastructure against such intrusions.
Last Updated on November 7, 2024 11:18 pm CET