Malicious RTF Documents Deliver Information Stealers

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to unsuspecting victims, Cisco Talos security researchers warn.

As part of the attacks, the adversaries use a well-known exploit chain for malware delivery, but have modified it so that it does not trigger anti-virus detection. The final payload in this campaign was the Agent Tesla Trojan, alongside other malware families, including the Loki information stealer.

The malicious documents used in this operation abuse the CVE-2017-11882 vulnerability that Microsoft patched a year ago to deliver the Agent Tesla and Loki stealers. The same infrastructure, the security researchers discovered, is also being used for the distribution of other malware families, such as Gamarue.

The RTF file delivering Agent Tesla had almost no detections on the multi-engine antivirus scanning website VirusTotal at the time of analysis, Cisco reveals.

The infection chain abuses the vulnerable Equation Editor component of Office to download a file and create the scvhost.exe process, which in turn creates another instance of itself. Next, typical command and control (C&C) traffic is observed.
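The process chain described above (Equation Editor spawning a dropped binary, which then respawns itself) is something a defender can look for in endpoint telemetry. The following is an added example, not code from Cisco Talos or the original article: it runs three simple rules over constructed process-creation events. The rules assume the dropped executable's name resembles the legitimate svchost.exe (scvhost.exe is not a Windows binary) and that the Equation Editor binary is EQNEDT32.EXE; the paths and PIDs are invented for the sample.

```python
# Constructed process-creation events (not from the article), shaped like the
# chain it describes: EQNEDT32 -> scvhost.exe -> second scvhost.exe instance.
EVENTS = [
    {"pid": 200, "ppid": 1,   "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Roaming\scvhost.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Roaming\scvhost.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
]

SYSTEM32 = "\\windows\\system32\\"

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_lookalike(name: str, legit: str) -> bool:
    """True if name equals legit except for one transposed adjacent pair,
    e.g. scvhost.exe vs svchost.exe."""
    if name == legit or len(name) != len(legit):
        return False
    diff = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and name[diff[0]] == legit[diff[1]]
            and name[diff[1]] == legit[diff[0]])

def detect(events: list[dict]) -> dict[int, list[str]]:
    """Map each pid to the list of rule names it triggered."""
    by_pid = {e["pid"]: e for e in events}
    alerts: dict[int, list[str]] = {}
    for e in events:
        name = basename(e["image"])
        in_system32 = SYSTEM32 in e["image"].lower()
        parent = by_pid.get(e["ppid"])
        hits = []
        # R1: anything spawned by Equation Editor is abnormal
        if parent and basename(parent["image"]) == "eqnedt32.exe":
            hits.append("equation_editor_child")
        # R2: svchost-lookalike name, or real name outside System32
        if is_lookalike(name, "svchost.exe") or (name == "svchost.exe" and not in_system32):
            hits.append("svchost_masquerade")
        # R3: a non-system binary re-launching itself (second scvhost instance)
        if parent and parent["image"].lower() == e["image"].lower() and not in_system32:
            hits.append("self_respawn")
        if hits:
            alerts[e["pid"]] = hits
    return alerts
```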

Although macro language is not supported in RTF files, Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects are. Thus, attackers can embed objects into the RTF to leverage the Equation Editor via OLE functions, and can also apply a high level of obfuscation to the document itself to avoid detection.
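Because RTF carries no macros, the embedded OLE object is the thing to inspect. The following is an added example, not code from the article or from Cisco Talos: it pulls every \objdata hex stream out of an RTF, tolerates the whitespace and stray control words that obfuscated documents sprinkle through the hex, and reports whether the decoded object is an OLE compound file tied to the Equation Editor. The RTF fragment is constructed for the example; the OLE signature bytes and the Equation.3 class name are standard.

```python
import re

# Constructed RTF fragment (not from the article): one embedded object whose
# \objdata hex decodes to an OLE compound-file header followed by the string
# "Equation.3". Whitespace and a stray \bin0 inside the hex mimic obfuscation.
SAMPLE_RTF = (
    r"{\rtf1{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata d0cf11e0 a1b1\bin0 1ae1 " + "00" * 8
    + " 4571756174696f6e2e33 }}}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file signature
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")
CONTROL_WORD = re.compile(r"\\[a-z]+-?\d*")

def extract_objdata(rtf: str) -> list[bytes]:
    """Decode every \\objdata stream, skipping whitespace and control words."""
    blobs = []
    for m in re.finditer(r"\\objdata\b(.*?)}", rtf, re.S):
        body = CONTROL_WORD.sub(" ", m.group(1))
        blobs.append(bytes.fromhex("".join(HEX_PAIR.findall(body))))
    return blobs

def triage_rtf(rtf: str) -> dict:
    """Summarise the object-related indicators in an RTF document."""
    f = {
        "objects": len(re.findall(r"\\object\b", rtf)),
        "objupdate": "\\objupdate" in rtf,       # object refreshed on open
        "ole_streams": 0,
        "equation_editor": bool(re.search(r"\\objclass\s+Equation", rtf)),
    }
    for blob in extract_objdata(rtf):
        if blob.startswith(OLE_MAGIC):
            f["ole_streams"] += 1
        if b"Equation" in blob:
            f["equation_editor"] = True
    return f

def is_suspicious(rtf: str) -> bool:
    f = triage_rtf(rtf)
    return f["ole_streams"] > 0 and f["equation_editor"]
```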

“We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload,” Cisco explains.

The Agent Tesla Trojan was designed not only with information stealing capabilities, but also with the ability to download additional malware onto the compromised machines. The threat is being sold by a company offering grayware products, which claims that the program was designed for password recovery and child monitoring.

However, the malware can steal passwords from more than 25 common applications and also includes a series of rootkit functions, such as keylogging, clipboard stealing, screenshot capturing, and webcam access.

For password theft, the malware targets applications such as Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS, among others.

The malware also includes support for SMTP, FTP and HTTP exfiltration, but the analyzed sample uses only the HTTP POST method. Data is sent to the C&C in encrypted form.

“The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode,” Cisco concludes.

Related: New Agent Tesla Spyware Variant Discovered

Related: Malicious RTF Persistently Asks Users to Enable Macros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
