Microsoft Office is the recent target of Agent Tesla, which uses a modified exploit chain to deploy the malware. CVE-2017-0199 and CVE-2017-11882 were the two publicly exploited vulnerabilities. Downloads are turned into RTF documents through the malicious DOCXfile. “Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for ‘RTF/Malform-A.Gen,’ while Zoner said it was likely flagged for ‘RTFBadVersion’,” researchers said in a blog post. Recent changes made to the malware allowed for the malicious extension to pass antivirus scans. This is all thanks to the RTF file format, which gives the ability to embed objects with the OLE (Object Linking and Embedding) process, using control words to define its content. Information is stolen from Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock, and DynDNS. Agent Tesla has multiple capabilities such as capturing screenshots, recording webcam broadcasts, and allowing the attacker to add malware on the system that’s already infected.
