MS Excel Vulnerability Exploited To Distribute Agent Tesla

Wajahat Raja

January 1, 2024 - TuxCare expert team

Threat actors are exploiting an old MS Excel vulnerability as part of a phishing campaign. The aim of the campaign is to deliver an infostealer malware dubbed Agent Tesla.

As per recent reports, a memory corruption vulnerability is being actively exploited to gain code execution. In this article, we’ll dive into all the details of the attack, helping you safeguard your systems.


MS Excel Vulnerability: Exploitation Details 

Recent reports have brought to light that the infection chains make use of decoy Excel documents. The documents are attached to invoice-themed messages sent to potential targets. Once a potential target opens such a malicious document, CVE-2017-11882 is triggered.

This is a critical vulnerability with a severity score of 7.8. It resides in Microsoft Office’s Equation Editor and can give threat actors remote code execution, running with the privileges of the user who opened the malicious file.

Consequently, if that user has administrative privileges, a successful exploit hands those privileges to the threat actors. Such privileges would allow them to expand their attack surface and maximize damage by installing malicious programs, modifying or stealing data, or creating new accounts.

Details of such reports were brought to light by Zscaler ThreatLabz. Sharing his thoughts on the matter, security researcher Kaivalya Khursale stated that “Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction.”
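Detection logic for the behaviour described above, as an added example (not code from the article or from Zscaler ThreatLabz): it runs over Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records and flags hosts where Equation Editor activity is followed by the script or RegAsm.exe stages covered in the next section. The image names `EQNEDT32.EXE`, `wscript.exe` and `cscript.exe`, the dictionary field names and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed image names: standard Windows/Office binaries (the article names only RegAsm.exe).
EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REGASM = "regasm.exe"
PROCESS_CREATE, NETWORK_CONNECT = 1, 3  # Sysmon event IDs

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def stage_of(event):
    """Map one event to a stage of the chain described in the article, or None."""
    image, parent = _name(event["image"]), _name(event.get("parent", ""))
    if event["id"] == NETWORK_CONNECT and image == EQUATION_EDITOR:
        return "equation_editor_network"
    if event["id"] == PROCESS_CREATE and parent == EQUATION_EDITOR:
        return "equation_editor_child"
    if (event["id"] == PROCESS_CREATE and image in SCRIPT_HOSTS
            and ".vbs" in event.get("cmd", "").lower()):
        return "vbs_execution"
    if event["id"] == NETWORK_CONNECT and image == REGASM:
        return "regasm_network"
    return None

def triage(events):
    """Per host: matched stages in time order; 'chain' = Equation Editor stage, then a later stage."""
    seen = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        stage = stage_of(event)
        if stage:
            seen[event["host"]].append(stage)
    report = {}
    for host, stages in seen.items():
        start = next((i for i, s in enumerate(stages) if s.startswith("equation_editor")), len(stages))
        chain = any(s in ("vbs_execution", "regasm_network") for s in stages[start + 1:])
        report[host] = {"stages": stages, "chain": chain}
    return report

# Constructed events with simplified field names (not real telemetry), deliberately unsorted.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:07", "host": "WS-01", "id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"time": "2024-01-01T09:00:01", "host": "WS-01", "id": 3, "image": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"},
    {"time": "2024-01-01T09:00:03", "host": "WS-01", "id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE", "cmd": r"wscript.exe C:\Users\Public\a.vbs"},
    {"time": "2024-01-01T09:30:00", "host": "WS-02", "id": 1, "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"cscript.exe \\fileserver\scripts\logon.vbs"},
]
```

Calling `triage(SAMPLE_EVENTS)` marks WS-01 as a chain and leaves WS-02, which only ran a logon script, as a single low-confidence stage.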

Microsoft Office Vulnerabilities: The Payload

As soon as the file is opened, exploitation of the vulnerability begins. Once the MS Excel vulnerability is exploited, the file initiates communication with a malicious destination. The aim of this communication is to download a series of files used to deliver the final payload. The first downloaded payload is an obfuscated Visual Basic Script.

The Visual Basic Script is then used to download a JPG file embedded with a Base64-encoded DLL file. The DLL file is then injected into RegAsm.exe.

RegAsm.exe is the .NET Assembly Registration tool. It reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently.
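The JPG stage described above can be checked for in files on disk or in proxy captures. The following Python is an added example, not code from the article or from the researchers it cites: it finds Base64 runs that begin with the encoding of an `MZ` header and decode to a PE image, and reports whether the DLL flag is set. The 200-character minimum run length and the sample bytes are assumptions constructed for the demonstration.

```python
import base64
import re
import struct

# Base64 of "MZ" + any byte always starts "TV" followed by o, p, q or r.
# The 200-character minimum run length is an assumed noise threshold.
B64_MZ_RUN = re.compile(rb"TV[opqr][A-Za-z0-9+/]{197,}={0,2}")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL


def pe_characteristics(blob):
    """Return the COFF Characteristics field if blob is a PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)  # offset of the PE signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(blob) < e_lfanew + 24:
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 22)[0]


def find_embedded_pe(data):
    """List every Base64 run in data that decodes to a PE image."""
    hits = []
    for match in B64_MZ_RUN.finditer(data):
        run = match.group(0)
        if len(run) % 4:  # trailing bytes joined the run: keep whole 4-char groups
            run = run.rstrip(b"=")
            run = run[:len(run) - len(run) % 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        flags = pe_characteristics(decoded)
        if flags is not None:
            hits.append({"offset": match.start(), "size": len(decoded),
                         "is_dll": bool(flags & IMAGE_FILE_DLL)})
    return hits


def constructed_sample():
    """Constructed input: JPEG-shaped bytes followed by a Base64 fake DLL header."""
    pe = bytearray(256)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 22, 0x2002)   # EXECUTABLE_IMAGE | DLL
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return jpeg + base64.b64encode(bytes(pe))
```

A hit in a file served or saved as an image is worth triage on its own, since a legitimate JPG has no reason to carry an encoded executable.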

The Origins Of Agent Tesla

Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT). The information-stealing malware can monitor keystrokes, take screenshots, and steal passwords from different applications. Once the data has been acquired, Agent Tesla sends it to the threat actor using common protocols. 

The malware first appeared in 2014 and was advertised on a Turkish website. Initially, Agent Tesla was positioned as a remote access tool that customers could use to monitor their personal computers. After going through several changes over the years, mainly centered around passing antivirus scans, it is now advertised as able to steal credentials from over 55 applications.

The use of Agent Tesla by threat actors became more common in late 2020 and early 2021 during Covid-19. A trend similar to the malicious activity prevalent now was seen during that time: threat actors had used Office documents with macros and malicious .rtf files to exploit CVE-2017-11882 and download and execute Agent Tesla.

Cybersecurity Best Practices for Excel

Recent news reports have not explicitly mentioned any cybersecurity best practices for Excel that can be used to safeguard against the MS Excel vulnerability exploited for the execution of Agent Tesla.

Sharing his thoughts on the phishing malware, Khursale has stated that “Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape.”

This, alongside the MS Excel vulnerability being used remotely, emphasizes the need for robust security strategies to be developed and implemented by those who use MS Office. In addition, users should also refrain from downloading and accessing files from unknown sources. 

Furthermore, familiarizing themselves with phishing techniques used by threat actors can help ensure protection against cyber attacks on spreadsheets, data security risks, and other online threats. 


Threat actors have recently started to use an MS Excel vulnerability to spread Agent Tesla. The information-stealing malware, once downloaded, can be severely damaging to victims. In addition, threat actors are also adapting infection methods, making it necessary for individual users and organizations to use proactive cybersecurity measures to counter such threats and improve their security posture.

The sources for this piece include articles in The Hacker News and TechRadar.

