Key points
- Campaign begins with spam emails using themes like “orders” and “invoices” to deliver Excel attachments that exploit CVE-2017-11882.
- The initial exploit triggers a multi-stage chain: a downloaded obfuscated VBS file, a steganographic JPG with a Base64 DLL, and a PowerShell loader.
- The VBS uses extreme obfuscation (very long variable names) to complicate analysis and orchestrates retrieval and execution of the embedded DLL.
- PowerShell extracts the Base64 payload delimited by <> and <>, decodes the DLL and loads its procedures in memory.
- The DLL executes RegAsm.exe and injects a thread into that process to fetch and execute the Agent Tesla payload, hiding its activity under a legitimate binary.
- Agent Tesla deploys keyboard and clipboard hooks, window hooking, and browser/mail/FTP credential harvesting across numerous applications and browsers.
- Exfiltration of stolen data is performed via Telegram bot API endpoints controlled by the threat actors.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – used to deliver malicious Excel attachments that lure users with invoice/order themes (‘Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882.’)
- [T1203] Exploitation for Client Execution – attackers exploit CVE-2017-11882 in the Equation Editor to achieve remote code execution (‘The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office.’)
- [T1059.001] PowerShell – PowerShell is executed by the VBS to fetch, extract, decode and load the Base64-encoded DLL from the image (‘the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL.’)
- [T1027] Obfuscated Files or Information – heavy obfuscation is used to hinder analysis, e.g., extremely long variable names in VBS (‘The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation.’)
- [T1055] Process Injection – the DLL injects a thread into RegAsm.exe to execute Agent Tesla under a legitimate process (‘the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.’)
- [T1056] Input Capture – Agent Tesla deploys keyboard and clipboard hooks to capture keystrokes and copied data (‘Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.’)
- [T1041 / T1071.001] Exfiltration over C2 / Application Layer Protocol – stolen data is sent to Telegram bot API endpoints controlled by the threat actors (‘the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor.’)
Indicators of Compromise
- [Telegram API endpoints] Exfiltration endpoints used by attackers – api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs, api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
- [Malicious URLs / IPs] Hosts serving VBS/JPG/DLL artifacts – 79.110.48[.]52/nicko.vbs, 193.42.33.51/knog.txt
- [Malicious Excel file hashes] Exploit-laden documents – 201CD0A2FC6A87D25D6AED1E975FAE71, 38f6b4d5804de785b925eb46ddd86d6f (and other exploit-file hashes)
- [Malicious VBS hashes] Obfuscated VBS dropper samples – F302ADDF3B4068888788D8EDCE8F52A0, 1402E4408F123DA1E9BC3BDE078764FC
- [Malicious JPG hashes] Steganographic images containing Base64 DLLs – 8496654930be3db6cea0ba62ffe5add9, d6f8c9a88cbdd876695f4bef56972f2e
- [Malicious DLL/executable hashes] Loader and payload binaries – 8955B482E59894864BACE732302A9927, F5F51251DC672E1934746E0057011B1A (and many additional DLL/executable hashes)
Threat actors exploit CVE-2017-11882 by sending malicious Excel attachments (labeled with business themes to increase click-through). When opened on vulnerable Office versions, the exploit triggers network retrieval of a heavily obfuscated VBS dropper which then downloads a steganographic JPG containing a Base64-encoded DLL.
The VBS launches PowerShell to extract the Base64 blob delimited by <> and <>, decode it into a DLL, and load its functions in memory. That DLL then runs RegAsm.exe and injects a thread into the RegAsm process to fetch and execute the Agent Tesla payload, using thread/process injection to hide execution under a legitimate binary.
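The extraction step described above (a Base64-encoded DLL carried inside an image and decoded by PowerShell) is also the point where a defender can triage a suspicious image. The script below is an added example written for this page, not code from the report or from the malware; it carves the blob between two delimiter strings, Base64-decodes it and checks for an MZ header. The delimiter strings were not preserved in this summary, so the START_MARK and END_MARK values are placeholders to be replaced with the real ones. It goes a little beyond the specific case: when no markers are found it falls back to scanning for any Base64 run that decodes to a PE image, since every Base64 encoding of bytes beginning with "MZ" starts with "TVo", "TVp", "TVq" or "TVr". The sample "image" is constructed inline.

```python
import base64
import re

# Placeholder markers (assumption): the report says the Base64 DLL sits between two
# delimiter strings, but the delimiters themselves are not reproduced in this summary.
START_MARK = b"<<START>>"
END_MARK = b"<<END>>"

# Base64 of any byte sequence that begins with "MZ" starts with TVo, TVp, TVq or TVr.
PE_B64_RUN = re.compile(rb"TV[opqr][A-Za-z0-9+/]{40,}={0,2}")


def carve_between_markers(data, start=START_MARK, end=END_MARK):
    """Return the bytes between the first start marker and the next end marker, or None."""
    i = data.find(start)
    if i < 0:
        return None
    j = data.find(end, i + len(start))
    if j < 0:
        return None
    return data[i + len(start):j]


def decode_pe(blob):
    """Base64-decode a blob (ignoring line breaks) and return it only if it carries an MZ header."""
    cleaned = re.sub(rb"\s+", b"", blob)
    # Strict decoding rejects stray characters that a genuine Base64 payload would not contain.
    try:
        decoded = base64.b64decode(cleaned, validate=True)
    except ValueError:
        return None
    return decoded if decoded[:2] == b"MZ" else None


def find_embedded_pe(data):
    """Triage an image: try the known markers first, then fall back to scanning for Base64 PE runs."""
    blob = carve_between_markers(data)
    if blob is not None:
        pe = decode_pe(blob)
        if pe is not None:
            return {"method": "markers", "size": len(pe), "offset": data.find(START_MARK)}
    for m in PE_B64_RUN.finditer(data):
        pe = decode_pe(m.group(0))
        if pe is not None:
            return {"method": "scan", "size": len(pe), "offset": m.start()}
    return None


def build_sample(with_markers=True):
    """Constructed sample (not a real artifact): JPEG-like header, a fake PE image in Base64, JPEG trailer.

    Returns (image_bytes, fake_pe_bytes) so callers can compare the carved result with the original.
    """
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 200   # 268 bytes
    body = base64.b64encode(fake_pe)
    if with_markers:
        # Wrap the Base64 into 76-column lines the way a text dump might, to exercise whitespace stripping.
        wrapped = b"\r\n".join(body[i:i + 76] for i in range(0, len(body), 76))
        image = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + START_MARK + wrapped + END_MARK + b"\xff\xd9"
    else:
        # No markers at all: only the fallback scan can find the payload.
        image = b"\xff\xd8\xff" + body + b"\xff\xd9"
    return image, fake_pe


if __name__ == "__main__":
    for flag in (True, False):
        img, _ = build_sample(flag)
        print(find_embedded_pe(img))
```

The returned offset and size are what you would record in a triage note; the decoded bytes themselves should be written to a quarantined location and hashed rather than executed or loaded.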
Agent Tesla, once running, installs keyboard and clipboard hooks and uses window hooking to capture keystrokes and copied data, harvests stored credentials from numerous browsers and mail/FTP clients, and exfiltrates the collected data to attacker-controlled Telegram bot API endpoints. The chain uses obfuscation, long variable names, and steganography to evade detection and complicate analysis.
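Because the exfiltration channel is the Telegram Bot API, the URL shape https://api.telegram.org/bot<id>:<token>/<method> is a stable thing to hunt for in proxy or DNS logs. The following detection is an added example written for this page, not tooling from the report; it assumes a constructed space-separated proxy-log format (timestamp, client IP, HTTP method, URL, user agent), treats sendDocument (the method seen in the IoCs) and the other real Bot API upload methods sendMessage and sendPhoto as high severity, redacts the bot token before it is written to an alert, and counts uploads per client. The log lines and bot tokens are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")

# Methods that push data out of the network; sendDocument is the one the report observed.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log (not from the report): "<ts> <client_ip> <http_method> <url> <user_agent>"
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.5.21 GET https://www.example.com/index.html Mozilla/5.0
2024-01-10T09:12:44Z 10.0.5.21 POST https://api.telegram.org/bot1234567890:AAEXAMPLEPLACEHOLDERTOKEN_0000000000/sendDocument Mozilla/4.0
2024-01-10T09:13:02Z 10.0.5.37 GET https://api.telegram.org/bot9876543210:AAANOTHERPLACEHOLDERTOKEN-0000000000/getMe curl/8.0
2024-01-10T09:13:10Z 10.0.5.21 POST https://api.telegram.org/bot1234567890:AAEXAMPLEPLACEHOLDERTOKEN_0000000000/sendDocument Mozilla/4.0
malformed line
"""


def parse_line(line):
    """Split one constructed log line into fields; return None for lines that do not fit the format."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        return None
    ts, client, http_method, url = parts[:4]
    ua = parts[4] if len(parts) == 5 else ""
    return {"ts": ts, "client": client, "http_method": http_method, "url": url, "ua": ua}


def match_telegram_bot(url):
    """Return bot_id/token/method if the URL is a Telegram Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    return m.groupdict() if m else None


def redact(token):
    """Keep only a short prefix so analysts can correlate alerts without copying the full secret around."""
    return token[:4] + "*" * (len(token) - 4)


def detect(log_text):
    """Return (hits, uploads_per_client) for every Telegram Bot API request in the log."""
    hits = []
    uploads_per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bot = match_telegram_bot(rec["url"])
        if bot is None:
            continue
        is_upload = bot["method"] in UPLOAD_METHODS
        if is_upload:
            uploads_per_client[rec["client"]] += 1
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "ua": rec["ua"],
            "bot_id": bot["bot_id"],
            "token": redact(bot["token"]),
            "api_method": bot["method"],
            "severity": "high" if is_upload else "info",
        })
    return hits, dict(uploads_per_client)


if __name__ == "__main__":
    found, counts = detect(SAMPLE_LOG)
    for h in found:
        print(h)
    print(counts)
```

The per-client upload count is the useful pivot: a single workstation repeatedly calling sendDocument from a non-browser user agent is a strong signal, and the bot_id (without the token) is enough to correlate across hosts and with the IoCs above.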