An ancient Microsoft Excel vulnerability is being hijacked to spread malware

News
By Sead Fadilpašić
published

A six-year-old flaw is gaining traction among hackers

Petya nagscreen
(Image credit: Wikipedia)

Hackers have been observed targeting users running outdated Office programs, with the goal of delivering an infostealing malware called Agent Tesla.

This is according to cybersecurity researchers Zscaler ThreatLabs, who recently detailed a phishing campaign that distributes an Excel document. If the victim is using an older version of Excel, the document can abuse a memory corruption vulnerability in the Equation Editor, tracked as CVE-2017-11882. 

That allows it to execute code with user privileges but without further user interaction or consent. 

"Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," said security researcher Kaivalya Khursale.

The infection is a multi-step process, with the first step being an obfuscated Visual Basic Script. It downloads a malicious JPG file carrying a Base64-encoded DLL file. That file is later injected into the Windows Assembly Registration Tool (RegAsm.exe), which launches the final payload - Agent Tesla.

Advanced keylogger

In its writeup, TheHackerNews describes Agent Tesla as an "advanced keylogger and remote access trojan (RAT)" capable of harvesting sensitive information. After gathering the required intel, Agent Tesla can communicate with its remote C2 server and extract the data quietly. 

"Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Khursale said.

Both the infostealing malware and the Excel vulnerability seem to be extremely popular these days. A report from Cofense, released in late October, states that the most prevalent malware associated with phishing in Q3 was the Agent Tesla keylogger. Furthermore, the same source claims the most common delivery method to infect your computer with these forms of malware is the CVE-2017-11882 exploit.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.