One of the main goals of antivirus software is to prevent spyware infections, which attackers use to breach the confidentiality of the data on your computer. But for spyware to work, it must evade detection by that antivirus software. Security researchers have discovered a new attack campaign that does precisely that by exploiting two known Microsoft Office vulnerabilities to deploy malware variants known as Agent Tesla, Loki, and Gamarue on its targets.
Agent Tesla
Seen in the campaign reported on October 15, Agent Tesla steals credentials from the most popular web browsers, such as Google Chrome and Mozilla Firefox, and performs form-grabbing attacks against web services like Instagram, Twitter, Gmail, and Facebook. It also acts as a keylogger, reads the user’s clipboard, and can record screenshots and video. Despite these capabilities, Agent Tesla’s developers insist their software isn’t malware. Their website says, “Agent Tesla is a software for monitoring your personal computer. It is not a malware. Please, don’t use it on computers without permission. Any use of the words ‘Slave,’ ‘Infect,’ ‘Bot,’ ‘Spread’ or ‘Hack’ will instantly cancel all your support, and if we have your username, you will be banned.”
While this warning may sound sincere, the truth is it could easily be applied to all sorts of super-dangerous tools, including nuclear bombs. For example, “A nuclear bomb is a tool for leveling landscapes. It is not a weapon of mass destruction. Please, don’t use it on countries without consent to destroy them.” Hmmmm…don’t hate the player, hate the game? It’s pretty common for spyware developers to insist their software isn’t malware, but the fact remains—it’s often used for mischief and the digital world would be a lot better without it.
Loki
Loki spyware has been seen for sale on the dark web and is described by researchers like this:
“Loki-Bot is a password stealer malware, which was recently seen in the wild. Loki has the ability to steal many different types of credentials. In addition, to see the whole picture, Loki also implements a keylogger component that enhances its abilities to steal passwords. For the last two years, hackers have been selling the malware including the C&C (command and control) for a low price of around $70, which is considered cheap.”
Gamarue
According to Microsoft, “This Gamarue malware family can give a malicious hacker control of your PC. The malware can also steal your sensitive information and change your PC security settings. We’ve seen them installed by exploit kits and other malware. They can also be attached to spam emails.” So this new attack technique, which exploits known Microsoft Office vulnerabilities, can wreak havoc on your privacy regardless of which of these malware families the exploit ultimately deploys.
How This Malware Actually Works
This new attack evades antivirus detection by hiding its payload behind a chain of legitimate-looking processes. Specifically, Winword.exe (Microsoft Word) opens the document; a svchost.exe process then launches EQNEDT32.exe (the Microsoft Equation Editor, an OLE server that Windows starts through the DCOM service host rather than as a direct child of Word); and EQNEDT32.exe in turn executes a malicious process named “scvhost.exe.” Svchost.exe is a normal part of how Windows operates: open Task Manager at any time and you will see several copies running, because it is simply the “service host” that loads Windows services. The attack’s process is called “scvhost.exe” instead. It’s not the same filename: the v and the c have been swapped, so a quick glance at the process list misses it. Pretty stealthy, eh? The giveaway for defenders is not the name but the parent: the Equation Editor has no legitimate reason to spawn any child process, and the real svchost.exe lives in %SystemRoot%\System32.
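The process chain above is what a behavioral rule can key on. The following is an added example, not code from the original article or from any of the malware families it describes: a small Python detector run over constructed process-creation records (modelled on the fields Sysmon Event ID 1 exposes; the paths, PIDs and the sample events are invented for illustration). It flags any child process of EQNEDT32.EXE, any well-known Windows binary name running from the wrong directory, and any name one edit or one transposition away from a protected name such as svchost.exe, and it can walk the parent chain back so an analyst sees the lineage at a glance.

```python
"""Detect the Equation Editor -> lookalike-svchost process chain in process telemetry."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (a subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample telemetry modelled on the chain described in the article.
# These are NOT real logs; paths, PIDs and user name are assumptions for the demo.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4000, 3200, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\explorer.exe", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(812, 600, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(4104, 812, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\svchost.exe", '"EQNEDT32.EXE" -Embedding'),
    ProcEvent(4120, 4104, r"C:\Users\victim\AppData\Roaming\scvhost.exe",
              r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "scvhost.exe"),
    ProcEvent(4130, 600, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),  # benign
]

# Processes that have no legitimate reason to create child processes.
NO_CHILD_PROCESSES = {"eqnedt32.exe"}

# Well-known Windows binaries and the only directory they should run from.
PROTECTED_NAMES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions.
    scvhost.exe vs svchost.exe is 1 (a single transposition)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_event(ev: ProcEvent) -> List[str]:
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    name = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    directory = ntpath.dirname(ev.image).lower()

    if parent in NO_CHILD_PROCESSES:
        findings.append(f"{parent} spawned {name}: Equation Editor should never "
                        f"create child processes (CVE-2017-11882 pattern)")

    for legit, expected_dir in PROTECTED_NAMES.items():
        if name == legit and directory != expected_dir:
            findings.append(f"{name} running from {directory!r} instead of {expected_dir!r}")
        elif name != legit and osa_distance(name, legit) == 1:
            findings.append(f"lookalike name {name!r} mimics {legit!r}")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> findings for every event that triggered at least one rule."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk the parent chain from pid up to the oldest ancestor present in the log,
    returning image basenames root-first (e.g. svchost.exe, EQNEDT32.EXE, scvhost.exe)."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(f"PID {pid}: " + " -> ".join(lineage(SAMPLE_EVENTS, pid)))
        for f in findings:
            print("   ", f)
```

Note that the benign svchost.exe instances (PIDs 812 and 4130) produce no findings: the path check only fires for a protected name outside System32, and the lookalike check deliberately excludes exact matches.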
The particular vulnerabilities exploited by this new method are recorded as CVE-2017-0199 and CVE-2017-11882. CVE-2017-0199 was disclosed and patched in April 2017; it abuses an OLE link object inside a document to fetch and execute a remote payload without any macros. Microsoft describes it this way, “A remote code execution vulnerability exists in the way Microsoft Office and WordPad parse specially-crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of this vulnerability requires a user to open or preview a specially-crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, a cyber criminal could then exploit the vulnerability by sending a specially-designed file to the user and convincing the user to open the file.”
CVE-2017-11882 was disclosed and patched in November 2017. It is a stack buffer overflow in the Equation Editor (EQNEDT32.EXE), a component compiled in 2000 and never rebuilt, which is why it lacked the modern exploit mitigations that the rest of Office has. Microsoft says:
“A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Microsoft goes on to say, “Exploitation of the vulnerability requires that a user open a specially-crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
The new attack campaign reported on October 15 isn’t the first time attackers have exploited the CVE-2017-0199 and CVE-2017-11882 Microsoft Office vulnerabilities to deploy malware. FormBook spyware has exploited the exact same vulnerabilities since at least May 2018. According to experts, “The author put a lot of effort in the infection vector using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office document) and used two public Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in order to drop the final payload on the targeted system. The final payload was downloaded during the campaign from a small Japanese file-sharing platform (hosted in the Netherlands). The platform owner has since deleted the malicious payload binaries from their system.”
What’s Next?
Microsoft has had patches available for both CVE-2017-0199 and CVE-2017-11882 since 2017, and in January 2018 it went further and removed the vulnerable Equation Editor component from Office altogether. Antivirus software also needs to detect malware by its behavior, not just by file signatures: a process chain in which the Equation Editor spawns a new executable is exactly the kind of anomaly a behavioral rule can catch, whatever the payload’s hash. But the more important point is that Microsoft patched these vulnerabilities long before this campaign was discovered in the wild.
So the question is, why aren’t people and organizations installing all of Microsoft’s released security patches for Office and Windows? Doesn’t everyone know keeping your software updated can prevent these attacks?