Information-Stealing Malware Campaign Evades Anti-Virus Detection

Researchers at Cisco Talos recently uncovered a new campaign that leverages a known vulnerability in Microsoft Office, CVE-2017-11882, to deliver information-stealing trojans including Agent Tesla, Loki, and Gamarue. Agent Tesla has the ability to steal login credentials, capture screenshots, record webcam footage, and install additional malware onto infected machines. This campaign distributes emails with an attached Microsoft Word docx file that, when opened, downloads and opens a Rich Text Format (RTF) document containing malicious code. As RTF parsers typically ignore unrecognized code, threat actors are easily able to obfuscate the content of RTF files to mask malicious code. According to Cisco Talos, at the time of analysis, only two out of 58 anti-virus programs marked the file as suspicious. Microsoft issued a patch for CVE-2017-11882 in November 2017. The NJCCIC recommends users and administrators review the Cisco Talos post, use the indicators of compromise (IOCs) provided to help defend against this threat, and ensure all Microsoft Office products are up-to-date with the latest patches.
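The obfuscation point above (RTF parsers skip control words they do not recognize) can be checked from the defender's side. The following is an added Python example, not code from the Talos post or the NJCCIC advisory: both RTF strings are constructed, the payload bytes are an arbitrary stand-in, and the junk control words are invented. It normalizes `\objdata` groups the way a tolerant parser would, so the same embedded bytes come out of the clean and the obfuscated file, and it flags control words found inside an object body as a detection signal.

```python
import re

# Constructed samples (illustrative only, not from the Talos report). Both carry
# the same hex payload inside \objdata; the second interleaves junk control words,
# whitespace and a line break that a tolerant RTF parser silently skips.
CLEAN_RTF = r"{\rtf1{\object\objemb{\*\objdata deadbeef00010203}}}"
OBFUSCATED_RTF = (
    "{\\rtf1{\\object\\objemb{\\*\\objdata dead\\bogus1 be\n"
    "ef\\notreal 00\\xx-7 0102\\zzz 03}}}"
)

CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d*[ ]?")  # \word, optional numeric arg, one optional space
CONTROL_SYMBOL = re.compile(r"\\[^A-Za-z]")         # e.g. \* or \'
NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def objdata_groups(rtf: str) -> list[str]:
    """Return the body text of every \\objdata group, using brace depth to find its end."""
    groups = []
    for m in re.finditer(r"\\objdata", rtf):
        depth, start = 1, m.end()
        for i in range(start, len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    groups.append(rtf[start:i])
                    break
    return groups


def junk_control_words(group: str) -> list[str]:
    """Control words inside an \\objdata body. The body is specified as hex data,
    so any control word in it is unusual and worth flagging (heuristic, not proof)."""
    return [w.strip() for w in CONTROL_WORD.findall(group)]


def normalize_objdata(group: str) -> bytes:
    """Mimic a tolerant parser: drop control words and symbols, keep hex digits, decode."""
    text = CONTROL_SYMBOL.sub("", CONTROL_WORD.sub("", group))
    hexdigits = NON_HEX.sub("", text)
    return bytes.fromhex(hexdigits[: len(hexdigits) // 2 * 2])


def extract_objdata(rtf: str) -> list[bytes]:
    """Embedded object bytes for each \\objdata group, as the parser would see them."""
    return [normalize_objdata(g) for g in objdata_groups(rtf)]
```

Running both samples through `extract_objdata` yields identical bytes, which is why byte-pattern scanning of the raw file misses the obfuscated variant while a normalize-then-scan approach does not.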