Zscalerのブログ
Zscalerの最新ブログ情報を受信
購読するThreat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
Introduction
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises due to a weakness in how the software manages system memory for objects.
In this blog, we examine the tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. We shed light on the methods used for data theft and evasion strategies like obfuscation and anti-debugging techniques.
Key Takeaways
- Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882.
- Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts.
- Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation.
Microsoft Excel Infection Sequence
Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.
Figure 1: Spam email example
Figure 2: Spam email example
To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.
Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.
Figure 3: Malicious communication and additional file download
Figure 4 shows the actual obfuscated VBS file.
Figure 4: Obfuscated VBS file
The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below.
Figure 5: Malicious JPG file (steganography image)
The JPG file contains a Base64-encoded DLL, as shown in Figure 6.
Figure 6: Base64-encoded DLL inside an image
Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command.
Figure 7: Malicious command that loads and runs the DLL file
After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation.
Figure 8: Process tree and thread injection in RegAsm.exe
From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below.
Figure 9: Thread injected into RegAsm.exe
Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors.
Figure 10: Browser data theft
In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.
Figure 11: Agent Tesla steals data from Outlook
As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Figure 12: Keyboard and clipboard hooks
In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs.
Figure 13: Window hooking
From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.
Figure 14: Exfiltrate to Telegram
Conclusion
Our blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies, like obfuscation and anti-debugging techniques. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.
Zscaler Coverage
- Win32.Backdoor.Agenttesla.LZ
- XLS.Exploit.CVE-2017-11882
- DOC.Exploit.CVE-2017-11882
Indicators of Compromise (IOCs)
Telegram URLs used for exfiltration
- api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
- api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
- api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument
Malicious URLs
- 79.110.48[.]52/nicko.vbs
- 79.110.48[.]52/nix.txt
- 193.42.33.51/knog.txt
Malicious Excel files
- 201CD0A2FC6A87D25D6AED1E975FAE71 (CVE-2017-11882)
- 38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882)
- C1521547DEA051BD7A007516511FB2CA (CVE-2017-11882)
- dddabc8019a7184055301927239a9438 (CVE-2017-11882)
Malicious VBS files
- F302ADDF3B4068888788D8EDCE8F52A0
- 1402E4408F123DA1E9BC3BDE078764FC
- A1C2B285A7FF9DD99C70E4D750EFEA51
Malicious JPG files
- 8496654930be3db6cea0ba62ffe5add9
- d6f8c9a88cbdd876695f4bef56972f2e
- 8d17b59e8bb573b12a9d0e42746f8aef
Malicious DLL files
- 8955B482E59894864BACE732302A9927
- F5F51251DC672E1934746E0057011B1A
- 5630282A95AFD2A5CEEECC5ACF7FF053
Malicious executables
- 547b88c4aa225377d7d65e912d81fe28
- 87aa9fc1bf49d48234160a15515a8145
- 0ada110f82ce64fcfab0eb0e5d8d948e
- 32e9af7d07a5edcc9bf9b5c8121acc55
- b551da554933c2c064f96aaa6aa9ff55
- 7ea06a0e6c1e5707a23364ae6984b4f3
- f3f27883dc91a7c85a03342bf6fed475
- 7c9ad2b73748f8c745d5d49b9b4876c5
- a8c8010963f35fc3253d6409c169a9f2
- d6a1feb6cfa307c5031ea2dd2118d786
- 069bb6a37f9312ba4fea6c70b7134d39
- 6bdb7a11d0eaa407e7a7f34d794fb567
- f11d72bc4192b2ed698cc2b0200773bf
- a55302ad4bf2f050513528a2ca64ff01
- 01b02fc9db22a60e8df6530a2e36a73b
- 43ec3cc0836bd759260e8cf120b79a7b
- 5477e3714c953df2bb3addf3bebbda9a
- be1858db74162408c29c8b8484b3cf88
- 38bb6b06907c6e3445aa23c8d229e542
- 05bc545b9b0de1ccb4254b59961ea07b
- 25a697d0e6c5fa06eea8ba0d3ae539da
- 8a081a4f6c497c60c6e72dfabfe30326
- ad0f5f4994a2998f0e1ed3323884837c
- 092ff92d9bfa9cac81a8b892d495f42e
- 09f197fc8d69ec14875723f1e6e623bf
- 0eba69a4ad399db14a2743b4d68f13e8
- 19eab6a97cea19473bda3010066c5990
- cb2b5646d68279aea516703df3c4c1e9
- 3247ad04996dd2966800153e7ea14571
- 92d1ece422670dbf9a3e1aef45612b5c
- f25da7cd5fb33e7a0967dbcdf008bd9a
- a7f2d131a2f3f61978ec17395f7b34b1
- 39088a9e4ad3e7a8ba4686641569dbcd
- 210e9a89b723b3246a7d590c9a428c83
- efc3a41ecae822eba861cb88c179c80e
- c01e90db99bcc939f829a181aef2c348
- b18ba839dfd653b07b984330dd85b57a
- a8e8d4667f96ea847d18eb7830fb1dc6
- c38b8d525f48cbdf92381274059d8f0b
- 6e0dafacdeee6f2d9463d0052db5cce8
- b6f892c73fa0f491072592d7baf0c916
- bf9d9c9a95fdb861c583dc9b66bcf5ab
- 0043f65755a700b94a57118a672df82c
- adbf1e2f49d842aac524d7ac351ca5b4
- d55bdb3593664d806794d00025390081
- 935e75cbd0f207bfeb6d3b5d90e35685
- db4bfb57c7acd8d568a06a9c3739e146
- 08e1955de35005b335be2e100d2d4a3c
- e57882623add29cbfa8c93d011b52c44
- e6c4636c331af09568a68dcf3614cfa4
- be71e90f09a38adfe22d34e3dd044fad
- e9d4e5b8b80dcb4fcf5af8413066434e
- 413af1ff38e6a4e205c6f487d042b457
- f1a1542bbccea9a4e6746040d85eae1b
- 05d60c7be299fc0220ffcaf3b1482652
- 5373b6dce20bbb0218034aa9bf0c20df
- 1e22cd428f5baf23877a8189469ed92a
- b76d8d59b53f58dd876951044e6d88b9
- a29585da474f79a723894c1a56f65b85
- 2639c8b09f744e95ba612c89ef26e02c
- bba5761789159b5a1a23566506358c15
- 3d8414800762efb9276a999fc477211b
- f0af137175487b4d1249921ce506efe9
- 2123f750f5b854b439349576118d9b9d
- 7b6ec969d4110722b427de45ca1c0d42
- 6dfc461ecf4f2fe4c5f44cdeb6792226
- 0708c52198a49bc7ab16bce19472598a
- 00b28f548f14de4f53abd6651bf78b98
- ea1472bad426efded678a15c9a14bf34
- dadb38b97d45d7438fbd43911a71d844
- d7ebf4ab7bb0ab685e3902349d637e9b
- aff1e141f15d808d5d4f549ea99c1e4d
- bbc7c66b301d3087cfdaa89528832895
- e6926fc50f40c5c5feb676b0adcb7655
- 3c3580dfbc1f06636fe5696879cbdd85
- b7dba4e30a73f58740d316c46645b759
- 7b1bc15873c39866b429d44da8640285
Agent Tesla pilfers data from the following browsers:
- Edge Chromium
- Postbox
- Iridium Browser
- Elements Browser
- Citrio, CentBrowser
- Epic Privacy
- SeaMonkey
- Vivaldi
- Yandex Browser
- Amigo
- 7Star
- Kometa
- IceCat
- Cool Novo
- Flock
- Coowon
- 360 Browser
- Brave
- WaterFox
- Chromium
- Liebao Browser
- CyberFox
- PaleMoon
- Thunderbird
- QIP Surf
- Sleipnir 6
- Sputnik
- IceDragon
- Coccoc
- K-Meleon
- Comodo Dragon
- Chedot
- Opera Browser
- BlackHawk
- Firefox
- Torch Browser
- Uran
- Orbitum
Agent Tesla tries to steal credentials from the following mail and FTP clients:
- Paltalk
- WinSCP
- Safari for Windows
- FTP Navigator
- Discord
- Falkon Browser
- Mailbird
- QQ Browser
- ClawsMail
- Pidgin
- Eudora
- FTPGetter
- Becky!
- eM Client
- IncrediMail
- JDownloader 2.0
- Psi/Psi+
- FoxMail
- FtpCommander
- Flock Browser
- FileZilla
- Outlook
- WS_FTP
- OpenVPN
- Private Internet Access
- IE/Edge
- SmartFTP
- DynDns
- Opera Mail
- Trillian
- CoreFTP
- MysqlWorkbench
- PocoMail
- Flash
- FXP
- UC Browser
- NordVPN
- Internet Downloader Manager
- Windows Mail App