A malware campaign uses RTF documents to exploit a Microsoft Office memory corruption hole to distribute the Agent Tesla data stealer RAT.
Attackers are leveraging the hole to “run arbitrary code in the context of the current user by failing to properly handle objects in memory,” said researchers at Cisco Talos Intelligence Group.
The hole affects Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.
RTF is a Microsoft proprietary document format designed to be multi-platform. While it has no support for macros or scripts, it allows attackers to use Object Linking and Embedding (OLE) objects or Macintosh Edition Manager subscriber objects to drop the malware payload on the victim’s machine.
This campaign is just one of several that use the CVE-2017-11882 exploitation technique to spread different malware samples from the same infrastructure, with Agent Tesla, Loki, and Gamarue being the most notable.
Attackers behind the Agent Tesla campaign use an exploit chain previously seen in the FormBook malware campaign, which exploited the CVE-2017-0199 vulnerability, but altered in such a way that no antivirus solution can detect it.
The Agent Tesla malware campaign exploits the CVE-2017-11882 vulnerability using a maliciously crafted RTF document with zero detections on VirusTotal.
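As an added, defender-side illustration of the OLE embedding the article describes (example code, not Talos’ or the campaign’s own), the scanner below lists the OLE object classes embedded in an RTF file and flags the Equation Editor ProgID (Equation.3) that CVE-2017-11882 exploits rely on, a structural check that does not depend on an antivirus signature. The sample RTF and its `\objdata` blob are constructed placeholders, not a real payload.

```python
import re
import sys

# RTF control words that carry an embedded OLE object (RTF has no macros,
# so OLE objects are the main way a document can drop a payload).
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]*)")

# ProgIDs that rarely belong in ordinary business documents:
# Equation.3 is the Equation Editor object abused by CVE-2017-11882,
# Package is the OLE Packager used to embed arbitrary files.
SUSPICIOUS_CLASSES = {"Equation.3", "Package"}


def scan_rtf(data: bytes) -> dict:
    """Summarise embedded OLE objects in an RTF document and flag risky ones."""
    # Word accepts truncated headers such as "{\rt", so only check that prefix.
    header_ok = data.lstrip().startswith(b"{\\rt")
    classes = [m.group(1).decode("ascii", "replace") for m in OBJCLASS_RE.finditer(data)]
    # Decoded size in bytes of each \objdata hex blob.
    sizes = [len(re.sub(rb"\s+", b"", m.group(1))) // 2 for m in OBJDATA_RE.finditer(data)]
    flagged = sorted(c for c in classes if c in SUSPICIOUS_CLASSES)
    return {
        "rtf_header": header_ok,
        "object_count": len(OBJECT_RE.findall(data)),
        "classes": classes,
        "objdata_sizes": sizes,
        "flagged_classes": flagged,
        # Object data with no declared class is also worth a look.
        "suspicious": bool(flagged) or (bool(sizes) and not classes),
    }


# Constructed sample: one embedded Equation.3 object whose objdata is just an
# OLE1 header (version, format id, class-name length, "Equation.3\0").
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Invoice attached.\\par"
    b"{\\object\\objemb\\objw100\\objh100{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)
# Constructed benign document with no objects at all.
BENIGN_RTF = b"{\\rtf1\\ansi Hello\\par}"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_RTF
    print(scan_rtf(blob))
```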
Agent Tesla Remote Access Trojan can collect and exfiltrate login information from multiple applications, as well as record video, capture screenshots, and install other malicious tools sent by the command-and-control (C&C) server, Talos researchers said in a post.