Agent Tesla is an extremely popular spyware Trojan written for the .NET framework that has been observed since 2014, with many iterations since then. It is used to steal sensitive information from a victim's device such as user credentials, keystrokes, clipboard data, credentials from browsers, and other information. This information can then be traded or used for business intelligence or ransom.

Agent Tesla is most commonly delivered via phishing campaigns and is sold and distributed across a number of hacking forums and platforms for anyone to purchase and use. This spyware is easy to get and easy to customize, which makes it very popular.

Malicious attachments in phishing emails are the most common deployment method for Agent Tesla. It has been observed dropping from weaponized documents that download the malware. In our sample, the phishing email contained a highly obfuscated Rich Text Format (RTF) file exploiting CVE-2017-11882 to deliver the spyware. This 20-year-old vulnerability is in Microsoft Equation Editor, an old Microsoft Office component that contains a stack buffer overflow enabling remote code execution on a vulnerable system. Even though Microsoft patched this vulnerability in 2017, that did not stop it from remaining highly popular even 20 years later.

To evade security solutions, attackers leverage Microsoft Object Linking and Embedding (OLE) as well as many control words in the RTF body: parsers ignore anything they don't recognize, so security tools don't block the document as malicious. From the screenshot below, we can see that the attackers leverage the "\objupdate" control word trick. This forces the embedded object inside the RTF file to update before it is displayed. In other words, unlike the usual behaviour, the user doesn't have to click on the object before it is loaded. By forcing the update, the exploit starts immediately with no user interaction or knowledge. When a victim opens the file, it sends an HTTP request to download the Agent Tesla executable payload and executes it.

Technical analysis

Agent Tesla, which is .NET compiled malware, goes through multiple layers of unpacking to deploy its final payload, starting from the downloaded executable and passing through two stages of DLLs.
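As an added defender-side example (not from the article), the following Python triage function flags the RTF delivery pattern described above: an embedded OLE object carrying the \objupdate control word and referencing Equation Editor. The RTF input is constructed and benign; the only assumption beyond the article is that Equation Editor objects are identified by the ProgID "Equation.3".

```python
import re
from collections import Counter

# Constructed, benign RTF fragment (not a real sample). It mirrors the structure the
# article describes: an embedded OLE object whose \objupdate control word forces it to
# load before display. The object data is only "Equation.3" in hex plus a zero byte.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    rb"{\*\zzfiller1 ignored by readers}{\*\qqfiller2 also ignored}"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 4571756174696f6e2e33 00}}"
    rb"\par Hello}"
)

CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")  # \word or \wordN
IGNORABLE = re.compile(rb"\{\\\*\\([A-Za-z]+)")       # {\*\dest ...} groups readers may skip
OBJCLASS = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(data: bytes) -> bytes:
    """Concatenate and hex-decode every \\objdata payload in the document."""
    chunks = []
    for hexblob in OBJDATA.findall(data):
        chunks.append(bytes.fromhex(re.sub(rb"\s+", b"", hexblob).decode("ascii")))
    return b"".join(chunks)


def triage_rtf(data: bytes) -> dict:
    """Static triage of an RTF file for the OLE-object delivery pattern in the article."""
    words = Counter(m.group(1).lower() for m in CONTROL_WORD.finditer(data))
    classes = [c.strip().decode("ascii", "replace") for c in OBJCLASS.findall(data)]
    payload = decode_objdata(data)
    has_object = words[b"object"] > 0
    auto_update = words[b"objupdate"] > 0
    # Equation Editor registers the ProgID "Equation.3" (assumption stated in the lead-in);
    # seeing it in \objclass or in the decoded object stream means the document targets it.
    equation = any(c.lower().startswith("equation") for c in classes) or b"Equation" in payload
    findings = [msg for flag, msg in (
        (has_object, "embedded OLE object"),
        (auto_update, "\\objupdate forces the object to load before display"),
        (equation, "Equation Editor object (CVE-2017-11882 exposure)"),
    ) if flag]
    return {
        "ignorable_destinations": len(IGNORABLE.findall(data)),
        "object_classes": classes,
        "objdata_bytes": len(payload),
        "findings": findings,
        # An auto-loading OLE object aimed at Equation Editor is the combination to block.
        "block": has_object and auto_update and equation,
    }
```

The count of `{\*\...}` ignorable destinations is reported only as a signal: legitimate documents contain a few, while heavily padded samples carry many that readers silently skip.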