Hackers tamper with exploit chain to drop Agent Tesla, circumvent antivirus solutions

A new campaign is spreading information-stealing malware including Agent Tesla and Loki.

Researchers have uncovered a new attack technique that tampers with a well-known exploit chain to blind antivirus solutions and is being used to spread information-stealing malware.

Researchers from Cisco Talos said on Monday that the new malware campaign is spreading Agent Tesla, a virulent form of spyware.

The Trojan is able to monitor and collect the victim's keyboard inputs and system clipboard, take screenshots, and exfiltrate credentials belonging to a variety of software installed on a victim's machine. This includes the Google Chrome and Mozilla Firefox browsers, as well as the Microsoft Outlook email client.

Alongside Agent Tesla, the campaign is also spreading Loki, another information and credential stealer.

While spyware and surveillance malware are often spread covertly through phishing attacks, bundled as Potentially Unwanted Programs (PUP) with other software, and downloaded through malicious links, the latest wave of attacks has revealed something unusual.

The threat actors behind the campaign have tampered with a well-known exploit chain and "modified it in such a way so that antivirus solutions don't detect it," according to Talos.

The hackers have created an infrastructure leveraging CVE-2017-11882 and CVE-2017-0199 -- a remote code execution flaw in Microsoft Office and a memory handling bug which permits arbitrary code execution -- to distribute Agent Tesla and Loki.

However, the infrastructure is also being used to distribute other forms of malware including the Gamarue Trojan, which has been connected to botnets in the past.

The attack begins with the download of a malicious Microsoft .DOCX file which contains instructions to download an RTF file from inside the document. It is this tweak in the exploit chain which goes unnoticed by antivirus solutions.

"At the time the file was analyzed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal," the researchers say. "Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file."
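A defender can triage the DOCX stage described above by listing what the package asks Word to fetch from outside itself. The following is an added example, not code from Talos or from the original article; it assumes the remote reference is stored as an OOXML relationship marked `TargetMode="External"` (the article does not say where the instruction lives), and the sample package and its `example.invalid` URLs are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# External hyperlinks are ordinary; any other externally fetched part deserves review.
BENIGN_TYPES = {OFFICE_REL + "hyperlink"}


def external_relationships(docx_bytes):
    """Return (part, short type, target) for each external, non-hyperlink relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (styles, fonts, ...) are expected
                rel_type = rel.get("Type", "")
                if rel_type in BENIGN_TYPES:
                    continue
                short_type = rel_type.rsplit("/", 1)[-1]
                findings.append((name, short_type, rel.get("Target", "")))
    return findings


def build_sample():
    """Constructed sample: a ZIP holding only a relationships part, not a working document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%shyperlink" '
        'Target="https://example.invalid/page" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%soleObject" '
        'Target="http://example.invalid/placeholder.rtf" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%sstyles" Target="styles.xml"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL, OFFICE_REL, OFFICE_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in external_relationships(build_sample()):
        print("%s: external %s -> %s" % (part, rel_type, target))
```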

The RTF file format, developed by Microsoft, is intended to act as a cross-platform document interchange.

The simplest versions of files in this format contain only text and control word strings, and while they do not natively support macros, they do support Microsoft Object Linking and Embedding (OLE) objects and Mac Edition Manager subscriber objects.

This permits users to link or embed objects into the RTF as part of the cross-platform support element of the file format -- but in order to do so, heavy levels of obfuscation are added. In addition, anything that the RTF file does not recognize is generally ignored.

It is these features which are being abused by the attackers in question.

The crafted RTF is used to hide and deploy CVE-2017-11882, disguised as a font indicator within the document. The file is force-opened and so the exploit can immediately trigger without the need for user interaction.

Once triggered, vulnerable machines may be compromised for the purposes of information theft and surveillance.

"It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode," Talos says. "Either way, this shows that the actor or their tools have [the] ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability."

"This is a technique that could very well be used to deploy other malware in a stealthy way in the future," the researchers added.
