New Technique Recycles Exploit Chain to Keep Antivirus Silent

In a new malware campaign, cybercriminals modified a known exploit chain to push Agent Tesla info stealer without triggering detection from common antivirus products.

Cybercriminals set up an infrastructure to deliver multiple malware families via two public exploits for Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882.

Built to drop a hail of malware

According to analysts from Cisco Talos, the campaign intended to drop at least three payloads: Agent Tesla, Loki, and Gamarue. All of them are capable of stealing information, and of the three only Loki lacks remote access features.

The attack starts with an email containing a Word document (DOCX) that includes routines for downloading and opening an RTF file, which delivers the final payload. It is this RTF that passes unnoticed.

“Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for ‘RTF/Malform-A.Gen,’ while Zoner said it was likely flagged for ‘RTFBadVersion’,” the researchers write in a report today.

Changes for antivirus evasion

The researchers say that the modifications made to the exploit chain allowed the documents containing the routines for downloading the malware to slip past regular antivirus solutions undetected.

The stealth of the payload-dropping routine relies on the particularities of the RTF file format, which supports embedding objects via OLE (Object Linking and Embedding) and uses a large number of control words to define the content it holds.

Add to this the fact that common RTF parsers typically ignore control words and data they do not recognize, and the result is the perfect combination for hiding the exploit code. Under this scenario, users do not have to change settings for Microsoft Word or click on anything to trigger the exploit.

RTF with control word for OLE objects

Obfuscation inside the RTF file’s structure is not the only thing that helped the document go undetected. Deeper analysis revealed that the attacker changed the OLE Object header’s values.

Following the header, they added data about what looked like a font tag, but it turned out to be the exploit for the CVE-2017-11882 memory corruption vulnerability in Microsoft Office.

Modified header info
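The two properties the article leans on, that RTF carries OLE objects as hex text under `\objdata` and that parsers tolerate malformed or unknown content, are also what a defender can check for. The script below is an added example, not Talos's tooling or anything from the campaign: it tokenises RTF control words, confirms the document starts with `{\rtf1` (the "RTFBadVersion" style check mentioned above), and validates the OLE1 ObjectHeader at the front of every `\objdata` blob against the field layout in Microsoft's MS-OLEDS specification (OLEVersion, FormatID, length-prefixed ClassName, TopicName, ItemName, then NativeDataSize and data for embedded objects). The sample documents and the object blobs inside them are constructed here for the demonstration, and the specific header values flagged are the spec's expectations, not the values Talos observed.

```python
import re
import struct

# Added triage example: checks an RTF document's version header and the OLE1
# ObjectHeader of each \objdata blob. Field layout is taken from MS-OLEDS
# (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, data).
CONTROL_WORD = re.compile(r"\\([a-zA-Z]+)(-?\d+)?")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]*$")
OLE1_VERSION = 0x00000501            # value MS-OLEDS requires in OLEVersion
FORMAT_LINKED, FORMAT_EMBEDDED = 1, 2


def build_objdata_hex(ole_version, format_id, class_name, native):
    """Serialise a constructed OLE1 ObjectHeader plus native data as RTF hex text."""
    blob = struct.pack("<II", ole_version, format_id)
    blob += struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    blob += struct.pack("<II", 0, 0)                  # empty TopicName / ItemName
    blob += struct.pack("<I", len(native)) + native   # NativeDataSize + NativeData
    return blob.hex()


def _read_lpstr(blob, off):
    """Read a LengthPrefixedAnsiString; return (bytes without NUL, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if n == 0:
        return b"", off
    if off + n > len(blob):
        raise ValueError("string runs past end of data")
    return blob[off:off + n].rstrip(b"\x00"), off + n


def parse_ole1_header(blob):
    """Return the header fields as a dict; raise ValueError if the header is malformed."""
    if len(blob) < 8:
        raise ValueError("blob shorter than OLEVersion+FormatID")
    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = _read_lpstr(blob, 8)
    _, off = _read_lpstr(blob, off)                   # TopicName (not needed here)
    _, off = _read_lpstr(blob, off)                   # ItemName (not needed here)
    return {"version": version, "format_id": fmt, "class_name": class_name}


def extract_objdata_blobs(doc):
    """Return the text following each \\objdata up to the closing '}' of its group."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", doc):
        end = doc.find("}", m.end())
        raw = doc[m.end():len(doc) if end == -1 else end]
        blobs.append("".join(raw.split()))            # RTF allows whitespace in hex runs
    return blobs


def triage_rtf(doc):
    """Return a list of human-readable findings for one RTF document given as str."""
    findings = []
    first = CONTROL_WORD.search(doc)
    if (not doc.lstrip().startswith("{\\rtf") or first is None
            or first.group(1) != "rtf" or first.group(2) != "1"):
        findings.append("header: document does not begin with {\\rtf1 (bad RTF version)")
    words = [w for w, _ in CONTROL_WORD.findall(doc)]
    if any(w in ("object", "objdata", "objemb") for w in words):
        findings.append("object: document embeds OLE object(s)")
    for i, hexdata in enumerate(extract_objdata_blobs(doc)):
        tag = f"objdata[{i}]"
        if not HEX_ONLY.match(hexdata) or len(hexdata) % 2:
            findings.append(f"{tag}: payload is not a clean hex run")
            clean = re.sub(r"[^0-9a-fA-F]", "", hexdata)
            hexdata = clean[: len(clean) // 2 * 2]
        try:
            hdr = parse_ole1_header(bytes.fromhex(hexdata))
        except ValueError as e:
            findings.append(f"{tag}: malformed OLE1 header ({e})")
            continue
        if hdr["version"] != OLE1_VERSION:
            findings.append(f"{tag}: unexpected OLEVersion 0x{hdr['version']:08x}")
        if hdr["format_id"] not in (FORMAT_LINKED, FORMAT_EMBEDDED):
            findings.append(f"{tag}: unexpected FormatID {hdr['format_id']}")
        name = hdr["class_name"]
        if not name or not all(32 <= b < 127 for b in name):
            findings.append(f"{tag}: class name is empty or non-printable")
        else:
            findings.append(f"{tag}: class name {name.decode('ascii')!r}")
    return findings


# Constructed sample documents (not from the campaign): a plain RTF, one with a
# spec-conformant embedded object, and one with a bad version and tampered header.
BENIGN_RTF = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0\fs24 Hello, world.\par}"
_GOOD_OBJ = build_objdata_hex(OLE1_VERSION, FORMAT_EMBEDDED, b"Package", b"\x00" * 16)
_BAD_OBJ = build_objdata_hex(0x00000000, 7, b"\x01\x02", b"\x00" * 16)
CLEAN_EMBED_RTF = "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + _GOOD_OBJ + "}}\\par}"
TAMPERED_RTF = "{\\rtf2\\ansi{\\object\\objemb{\\*\\objdata " + _BAD_OBJ + "}}\\par}"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("clean-embed", CLEAN_EMBED_RTF),
                       ("tampered", TAMPERED_RTF)):
        print(label, triage_rtf(doc) or ["no findings"])
```

The point of validating the header rather than pattern-matching on known exploit bytes is exactly the one the article makes: the exploit code was not new, only the surrounding structure was, so a check that asks "does this object header say what the specification says it must" keeps working when the bytes around it are rearranged. On real documents the `\objdata` extraction above is deliberately simple (it stops at the first `}` and does not handle `\bin` runs), so treat it as a starting point for a parser, not a finished one.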

The researchers say that the technique is dangerous regardless of whether the modifications were done manually or with a tool. The changes are made at a lower level and make everything look different, yet the document uses exploit code that has been seen in other campaigns.

Malware capabilities

Talos labels Agent Tesla as a “sophisticated information-stealing trojan,” marketed as a legal keylogging utility. The researchers, however, question the tool’s legitimate features, saying it has password stealing functions for 25 common applications like popular web browsers, email and FTP clients.

Loki malware falls strictly into the info-stealing category, looking to grab passwords. It is regularly advertised as such and its description adds that it can target cryptocurrency wallets, too.

As for the Gamarue family of threats, it has a track record in providing botnet herders with new bots. It is a worm, so it spreads quickly to vulnerable systems, giving its operator access to them. Although it is not its specialty, Gamarue can be used to steal sensitive information.