In a recent development, FortiGuard Labs has uncovered a phishing campaign that unleashed a new variant of the notorious Agent Tesla malware. Agent Tesla, a well-known Remote Access Trojan (RAT) and data stealer, has been used extensively in the realm of Malware-as-a-Service (MaaS).
In an in-depth analysis of this campaign, Zhang traced its origins from a seemingly harmless phishing email to the nefarious actions of Agent Tesla on the victim’s machine. The attack begins with a phishing email masquerading as a Purchase Order notification, enticing the recipient to confirm an order from an industrial equipment supplier. The email comes with an attached Excel document.
What makes this campaign particularly alarming is its exploitation of CVE-2017-11882/CVE-2018-0802, a Microsoft Office Memory Corruption vulnerability, within the attached Excel document. Despite fixes being released by Microsoft back in 2017 and 2018, threat actors continue to leverage this vulnerability to compromise unpatched devices.
Upon opening the malicious Excel document, code hidden within the crafted equation data is executed silently to exploit the vulnerability. This triggers memory corruption and facilitates arbitrary code execution. That code is then used to download additional malicious files and further compromise the system.
Two fileless execution modules were discovered within the downloaded material: one serving as the payload module of Agent Tesla and the other acting as a loader module. Both are disguised within the .NET resources section of the downloaded file, and they are responsible for keeping the Agent Tesla malware persistent even after system reboots or process termination.
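The attack chain above hinges on an Office application handing the crafted equation data to the Equation Editor component (EQNEDT32.EXE, the binary affected by CVE-2017-11882 and CVE-2018-0802), which then launches a child process it would never need in normal use. That parent/child relationship is what a detection rule can key on. The following script is an added example written for this page, not code from FortiGuard Labs or from the report it summarizes; it assumes process-creation telemetry in a Sysmon Event ID 1 style, and the field names and all sample events are constructed.

```python
"""Flag suspicious Equation Editor (EQNEDT32.EXE) activity in process-creation
telemetry such as Sysmon Event ID 1 records exported as dicts.

Two patterns are checked:
  * an Office application launching EQNEDT32.EXE  -> medium (legitimate for
    documents that really contain Equation 3.0 objects, but rare in practice)
  * EQNEDT32.EXE launching any child process     -> high (the editor has no
    reason to spawn anything; this is the hallmark of the exploit firing)
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Equation Editor 3.0 binary targeted by CVE-2017-11882 / CVE-2018-0802.
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample events (not real telemetry); the field names are an
# assumption about how the exporter labels Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 4100,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": '"EXCEL.EXE" "C:\\Users\\user\\Downloads\\PO-0001.xlsx"'},
    {"pid": 4188,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": '"EQNEDT32.EXE" -Embedding'},
    {"pid": 4204,
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo constructed-sample"},
    {"pid": 4300,  # benign: Excel using the print spooler helper
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for one process-creation event, or None."""
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    if parent == EQUATION_EDITOR:
        # Equation Editor never legitimately launches other programs.
        return ("high", f"EQNEDT32.EXE spawned {child}")
    if parent in OFFICE_APPS and child == EQUATION_EDITOR:
        # Possible with genuine equation objects, so flag at medium severity.
        return ("medium", f"{parent} launched Equation Editor")
    return None


def scan(events):
    """Run classify() over a list of events; return (pid, severity, reason) tuples."""
    findings = []
    for event in events:
        result = classify(event)
        if result is not None:
            findings.append((event["pid"], *result))
    return findings


if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] pid={pid}: {reason}")
```

On a host where the Office security updates for these CVEs are installed the EQNEDT32.EXE binary is typically absent, so any hit on the first pattern is itself worth a look; the second pattern is high confidence on its own, and pairing it with the parent event (Excel opening an attachment from a mail or downloads folder) reconstructs the chain described above.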
Agent Tesla’s module performs a variety of malicious activities, including the theft of sensitive information. It targets saved credentials from a wide range of software, records keylogging information, and captures screenshots of the victim’s device. The stolen data is then exfiltrated via the SMTP protocol.
The exploitation of an aging security vulnerability in this phishing campaign serves as a stark reminder of the importance of keeping software and systems up to date. As always, vigilance and robust cybersecurity measures remain essential to combat such threats effectively.