New Campaign Delivers Multiple Malware Families

October 18, 2018

Researchers have discovered a new malware campaign that delivers multiple malware families via two exploits. The two exploits, CVE-2017-0199 and CVE-2017-11882, are public exploits for Microsoft Word. The campaign delivers at least three payloads: Agent Tesla, Gamarue, and Loki. All three can steal information; Loki is the only one that lacks remote access.

The attack begins with a malicious email containing a Word document that includes routines for downloading and opening an RTF file. The RTF file delivers the final payload and passes antivirus software unnoticed because of modifications made to the exploit chain. Researchers claim, “The stealth of the payload-dropping drill relies on the particularities of the RTF file format, which supports embedding objects via OLE (Object Linking and Embedding) and uses a large number of control words to define the content it holds.” Common RTF parsers usually ignore what they don’t know, which makes it easier to hide the exploit code. Users do not have to change any Word settings or click on anything for the exploit to launch.

The attacker also changed the OLE object header values to help avoid detection. Following the header, they added data that looked like a font tag, but it turned out to be the exploit for the CVE-2017-11882 memory corruption vulnerability in Microsoft Office. The changes were low-level and made everything look different, but the technique is still dangerous.
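For defenders, the practical consequence of the RTF behaviour described above is that embedded object data has to be normalised before its OLE header is inspected. The following is an added example, not code from the researchers or the campaign: a simplified normaliser that drops whitespace, unknown control words and non-nested ignorable groups from `\objdata`, then reports header fields that differ from what a conventional producer writes. The usual `OLEVersion` value, the `\madeup` control word, the class name and the sample documents are assumptions constructed for illustration.

```python
import re
import struct

# Assumption: 0x00000501 is the OLEVersion conventional producers write.
# Readers ignore the field, so an altered value changes only the signature.
USUAL_OLE_VERSION = 0x00000501
KNOWN_FORMAT_IDS = {1, 2}  # linked, embedded

def objdata_bytes(rtf):
    """Decode each \\objdata group after removing RTF noise from the hex."""
    out = []
    for m in re.finditer(r"\\objdata", rtf):
        depth, i = 0, m.end()
        while i < len(rtf) and depth >= 0:  # walk to the group's closing brace
            depth += {"{": 1, "}": -1}.get(rtf[i], 0)
            i += 1
        body = rtf[m.end():i - 1 if depth < 0 else i]
        body = re.sub(r"\{\\\*[^{}]*\}", "", body)      # ignorable destinations
        body = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", body)  # interleaved control words
        digits = re.sub(r"[^0-9a-fA-F]", "", body)      # whitespace, braces
        out.append(bytes.fromhex(digits[:len(digits) // 2 * 2]))
    return out

def audit(rtf):
    """Return (object index, finding) pairs for OLE headers that look altered."""
    findings = []
    for n, data in enumerate(objdata_bytes(rtf)):
        if len(data) < 12:
            findings.append((n, "objdata too short for an OLE header"))
            continue
        version, format_id, name_len = struct.unpack_from("<III", data)
        if version != USUAL_OLE_VERSION:
            findings.append((n, f"unusual OLEVersion 0x{version:08x}"))
        if format_id not in KNOWN_FORMAT_IDS:
            findings.append((n, f"unexpected FormatID {format_id}"))
        if 12 + name_len > len(data):
            findings.append((n, "ClassName length runs past the data"))
    return findings

def make_sample(version, noisy):
    """Constructed input (hypothetical class name), not campaign data."""
    name = b"Sample.1\x00"
    hexed = (struct.pack("<III", version, 2, len(name)) + name).hex()
    if noisy:  # split the hex with a line break and an unknown control word
        hexed = hexed[:3] + "\r\n" + hexed[3:9] + "\\madeup " + hexed[9:]
    return "{\\rtf1{\\object\\objemb{\\*\\objdata " + hexed + "}}}"

if __name__ == "__main__":
    print(audit(make_sample(0x00000501, noisy=False)))
    print(audit(make_sample(0x0A0B0C0D, noisy=True)))
```

A signature that matches the raw hex of the usual header bytes misses the second sample twice over: the hex is split by noise, and the version field no longer holds the expected value.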