Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Malicious RTF Documents Deliver Information Stealers

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to the unsuspecting victims, Cisco Talos security researchers warn.

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to the unsuspecting victims, Cisco Talos security researchers warn.

As part of the attacks, the adversaries use a well-known exploit chain for malware delivery, but have modified it so it would not trigger anti-virus detection. The final payload in this campaign was the Agent Tesla Trojan, along with other malware families, including the Loki information stealer.

The malicious documents used in this operation abuse the CVE-2017-11882 vulnerability that Microsoft patched a year ago to deliver the Agent Tesla and Loki stealers. The same infrastructure, the security researchers discovered, is also being used for the distribution of other malware families, such as Gamarue.

The RTF file delivering Agent Tesla had almost no detections on the multi-engine antivirus scanning website VirusTotal at the time of analysis, Cisco reveals.

The infection chain abuses the vulnerable Equation Editor component of Office to download a file and create the scvhost.exe process, which in turn creates another instance of itself. Next, typical command and control (C&C) traffic is observed.

Although macro language is not supported in RTF files, Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects are. Thus, attackers can embed objects into the RTF to leverage the Equation Editor via OLE functions, and can also apply a high level of obfuscation to the document itself to avoid detection.

“We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload,” Cisco explains.

The Agent Tesla Trojan was designed not only with information stealing capabilities, but also with the ability to download additional malware onto the compromised machines. The threat is being sold by a company offering grayware products, which claims that the program was designed for password recovery and child monitoring.

Advertisement. Scroll to continue reading.

However, the malware can steal passwords from more than 25 common applications and also includes a series of rootkit functions, such as keylogging, clipboard stealing, screenshot capturing, and webcam access.

For password theft, the malware targets applications such as Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS, among others.

The malware also includes support for SMTP, FTP and HTTP exfiltration, yet it is only using the HTTP POST method. Data is sent encrypted to the C&C.

“The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode,” Cisco concludes.

Related: New Agent Tesla Spyware Variant Discovered

Related: Malicious RTF Persistently Asks Users to Enable Macros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.