First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises due to a weakness in how the software manages system memory for objects.

In this blog, we examine the tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. We shed light on the methods used for data theft and evasion strategies like obfuscation and anti-debugging techniques.

Key Takeaways

Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882.
Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts.
Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation.

Microsoft Excel Infection Sequence

Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.

Figure 1: Spam email example

_{Figure 1: Spam email example}

Figure 2: Spam email example

_{Figure 2: Spam email example}

To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.

Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.

Figure 3: Malicious communication and additional file download

Figure 4 shows the actual obfuscated VBS file.

Figure 4: Obfuscated VBS file

The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below.

Figure 5: Malicious JPG file (steganography image)

The JPG file contains a Base64-encoded DLL, as shown in Figure 6.

Figure 6: Base64-encoded DLL inside an image

Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command.

Figure 7: Malicious command that loads and runs the DLL file

After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation.

Figure 8: Process tree and thread injection in RegAsm.exe

From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below.

Figure 9: Thread injected into RegAsm.exe

Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors.

Figure 10: Browser data theft

In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.

Figure 11: Agent Tesla steals data from Outlook

As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.

Figure 12: Keyboard and clipboard hooks

In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs.

Figure 13: Window hooking

From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.

Figure 14: Exfiltrate to Telegram

Conclusion

Our blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies, like obfuscation and anti-debugging techniques. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape.

In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.

Zscaler Coverage

Win32.Backdoor.Agenttesla.LZ
XLS.Exploit.CVE-2017-11882
DOC.Exploit.CVE-2017-11882

Indicators of Compromise (IOCs)

Telegram URLs used for exfiltration

api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument

Malicious URLs