New Campaign Uses RTF Files to Drop Agent Tesla Trojan and Other Malware

A new attack campaign is using rich text format (RTF) files to distribute the Agent Tesla Trojan, along with other malware.

According to researchers at Cisco Talos, the campaign begins with a heavily obfuscated RTF file that at the time of analysis evaded detection by 56 antivirus programs. The file uses Microsoft Equation Editor to exploit CVE-2017-11882, a Microsoft Office memory corruption vulnerability that allows attackers to run arbitrary code. This stage in the attack chain employs a script to download the final payload.

In some cases, the payload takes the form of Loki malware. Other variants of the campaign deliver ‘xyz.123,’ which is actually a remote access Trojan (RAT) called Agent Tesla. This threat is capable of stealing passwords from 25 common applications, including Chrome, Firefox and Internet Explorer, and behaving like a rootkit by keylogging and stealing content from the clipboard.

A Familiar Infection Vector

This isn’t the first time an attack campaign has exploited CVE-2017-11882 to deliver malware. In the beginning of 2018, Cisco Talos observed an attack operation leveraging malicious PDF and Microsoft Word documents to exploit this same vulnerability, along with CVE-2017-0199, a Microsoft Office vulnerability that enables bad actors to execute arbitrary code using a crafted document. Successful exploitation dropped Formbook, a malware-as-a-service information stealer that can record keystrokes, steal passwords and take screenshots.

How to Defend Against RTF-Based Malware Campaigns

Security professionals can help protect their organizations against RTF-based malware campaigns by analyzing potentially malicious documents. Tools such as VBA Editor and oledump.py, for example, can help security teams extract macros from Office documents. Security professionals should also consider adopting a patch management strategy that helps track and remediate known vulnerabilities across all endpoints.

Sources: Cisco Talos, Cisco Talos(1)

Contributor'photo

David Bisson

Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley...