Hackers employ a new technique to hide behind anti-virus programs and spread Agent Tesla info stealer

• The newer version of Agent Tesla info stealer could allow the attacker to execute remote code on the victim's computer.
  
• The new exploit chain could download other information stealer malware such as Loki and Gamarue.

A new malware campaign uses a modified exploit chain to exploit vulnerabilities in Microsoft Office, in order to download the info stealer malware named Agent Tesla. The exploit chain could also download other information stealers such as Loki and Gamarue, and could remain hidden from common antivirus solutions.

The two publicly exploited Microsoft vulnerabilities include CVE-2017-0199 and CVE-2017-11882. These vulnerabilities could allow remote code execution in a compromised system which in turn downloads an RTF document from within the malicious DOCX file.

Security researchers namely Edmund Brumaghin, Holger Unterbrinkfrom, and Emmanuel Tacheau from Cisco Talos, discover the new exploit chain used in various malware campaigns.

"Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for 'RTF/Malform-A.Gen,' while Zoner said it was likely flagged for 'RTFBadVersion'," researchers said in a blog post.

New changes made to the exploit chain

The new modifications made to the malware exploit chain allowed the documents containing the malicious attachments to sneak undetected behind common antivirus solutions. This stealthy feature completely relies on the capabilities of the RTF file format, which supports embedding objects via OLE (Object Linking and Embedding) and also uses a large number of control words to define the content it holds within.

The attacker adds the malicious code to the RTF’s file structure allowing the document to remain undetected. Further analysis revealed that the attacker changed the OLE object header’s value to make sure of the stealth mode.

After the header addition, the hacker also added data about what looked like a font tag, which is actually the exploit for the CVE-2017-11882 memory corruption vulnerability in Microsoft Office.

Moreover, all changes made to the malware are at a lower level, pretending to be the older version, and it uses an exploit code that has been seen in other campaigns.

Agent Tesla info stealer

Hackers mainly use Agent Tesla information stealer malware in the campaign. The malware could steal login information from the applications such as Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS.

This malware not only steals user credentials but can also be used to capture screenshots, record webcam broadcasts, and allow the attacker to install additional malware on the infected system.

While Agent Tesla can be used to execute remote codes, Loki is strictly an info-stealer malware. Gamarue has a history of providing botnet herders with new bots. It can quickly spread to vulnerable systems giving the operator access to them. It can also be used by hackers to steal sensitive information.