Agent Tesla & Equation Editor Vulnerabilities
Category: Malware Campaign | Industry: Global | Source: Fortinet
A new phishing campaign distributing the information-stealing malware Agent Tesla has been spotted exploiting the Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802. In a report shared by Fortinet researcher Xiaopeng Zhang, the observed phishing email is disguised as a purchase order from an industrial supply company and carries a weaponized Excel file. When the Excel file is opened, shellcode is discreetly executed by abusing the Equation Editor vulnerabilities. The shellcode then downloads malware onto the victim's workstation, saving a .NET executable to the "%TEMP%" folder.
When unpacked, the executable extracts the Agent Tesla payload and a payload module. The malware establishes persistence with a scheduled task or an AutoRun registry key so that it survives reboots, and then performs process hollowing. Once this preliminary activity is complete, Agent Tesla's core module captures user data, including stored credentials, keylogging data, and screenshots. The collected data can be exfiltrated via HTTP POST or over SMTP within an email.
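As an added example (not code from Fortinet's report), the following Python triage walks constructed endpoint events and flags the stages of the chain described above: a child process spawned by the Equation Editor binary (assumed here to be EQNEDT32.EXE), an executable dropped into %TEMP%, and persistence via a Run key or a scheduled task pointing into %TEMP%. The event field names and file paths are constructed assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample events modelled on process, file and registry telemetry.
# Field names ("type", "parent", "image", "target", "key", "value") are assumptions.
EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files (x86)\Microsoft Office\EQUATION\EQNEDT32.EXE",  # assumed binary name
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file",
     "image": r"C:\Program Files (x86)\Microsoft Office\EQUATION\EQNEDT32.EXE",
     "target": r"C:\Users\user\AppData\Local\Temp\order.exe"},          # constructed drop path
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\user\AppData\Local\Temp\order.exe"},
    {"type": "process",                                                 # benign noise
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process",                                                 # scheduled-task persistence
     "parent": r"C:\Users\user\AppData\Local\Temp\order.exe",
     "image": r"C:\Windows\System32\schtasks.exe"},
]

# An .exe sitting directly in the user's %TEMP% folder.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# Any value under a CurrentVersion\Run (AutoRun) key.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule_name, evidence) tuples for events matching the chain."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "process" and basename(e["parent"]) == "eqnedt32.exe":
            # Equation Editor should not spawn children; a child means exploitation.
            findings.append(("eqnedt32_child", e["image"]))
        elif t == "file" and basename(e["image"]) == "eqnedt32.exe" and TEMP_EXE_RE.search(e["target"]):
            findings.append(("temp_exe_drop", e["target"]))
        elif t == "registry" and RUN_KEY_RE.search(e["key"]) and TEMP_EXE_RE.search(e["value"]):
            findings.append(("run_key_to_temp", e["value"]))
        elif t == "process" and basename(e["image"]) == "schtasks.exe" and TEMP_EXE_RE.search(e["parent"]):
            findings.append(("schtasks_from_temp", e["parent"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule:20s} {evidence}")
```

Each rule alone produces noise in real environments; the value comes from seeing several of them on one host within a short window.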