Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?



Malicious RTF Documents Deliver Information Stealers

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to the unsuspecting victims, Cisco Talos security researchers warn.

A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans to the unsuspecting victims, Cisco Talos security researchers warn.

As part of the attacks, the adversaries use a well-known exploit chain for malware delivery, but have modified it so it would not trigger anti-virus detection. The final payload in this campaign was the Agent Tesla Trojan, along with other malware families, including the Loki information stealer.

The malicious documents used in this operation abuse the CVE-2017-11882 vulnerability that Microsoft patched a year ago to deliver the Agent Tesla and Loki stealers. The same infrastructure, the security researchers discovered, is also being used for the distribution of other malware families, such as Gamarue.

The RTF file delivering Agent Tesla had almost no detections on the multi-engine antivirus scanning website VirusTotal at the time of analysis, Cisco reveals.

The infection chain abuses the vulnerable Equation Editor component of Office to download a file and create the scvhost.exe process, which in turn creates another instance of itself. Next, typical command and control (C&C) traffic is observed.

Although macro language is not supported in RTF files, Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects are. Thus, attackers can embed objects into the RTF to leverage the Equation Editor via OLE functions, and can also apply a high level of obfuscation to the document itself to avoid detection.

“We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload,” Cisco explains.

The Agent Tesla Trojan was designed not only with information stealing capabilities, but also with the ability to download additional malware onto the compromised machines. The threat is being sold by a company offering grayware products, which claims that the program was designed for password recovery and child monitoring.

Advertisement. Scroll to continue reading.

However, the malware can steal passwords from more than 25 common applications and also includes a series of rootkit functions, such as keylogging, clipboard stealing, screenshot capturing, and webcam access.

For password theft, the malware targets applications such as Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS, among others.

The malware also includes support for SMTP, FTP and HTTP exfiltration, yet it is only using the HTTP POST method. Data is sent encrypted to the C&C.

“The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode,” Cisco concludes.

Related: New Agent Tesla Spyware Variant Discovered

Related: Malicious RTF Persistently Asks Users to Enable Macros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights