Agent Tesla exploits MS Excel flaw in ongoing phishing attacks

SISA Weekly Threat Watch, 01 January, 2024

This week’s cybersecurity landscape witnessed a diverse array of threats and malware, highlighting emerging trends and sophisticated attack methods. Notable instances include phishing campaigns deploying unusual programming to deliver backdoors, rogue WordPress plugins targeting e-commerce sites for credit card theft, cybercriminals exploiting Microsoft Office vulnerabilities, the resurgence of a notorious banking malware, and a critical RCE flaw discovered in a widely used ERP system. These threats emphasize the need for comprehensive cybersecurity strategies and proactive measures to mitigate risks and fortify defenses against evolving cyber threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Decoy Microsoft Word documents used to deliver Nim-Based malware

A recent phishing campaign employs Microsoft Word attachments as decoys to deliver a Nim-programmed backdoor, posing a challenge due to the uncommon use of this language, hindering the investigation efforts of security researchers. Security analysts revealed this trend’s emergence, citing instances like NimzaLoader, Nimbda, and Dark Power ransomware, showcasing attackers’ shift to Nim. Their detailed analysis highlighted a phishing chain triggering Nim malware through macros in Word documents masquerading as Nepali government communications.

The fraudulent invoices, seemingly from ‘,’ prompt recipients to dispute charges by calling a provided number within 24 hours. Victims who make the call connect with cybercriminals posing as customer support, leading to the installation of BazarLoader malware onto their systems. To counter such threats, it is recommended to invest in AI-driven email security solutions and integrate behavioral AI for anomaly detection for better threat identification and response.

2. Hackers exploiting MS Excel vulnerability to spread Agent Tesla malware

Malicious actors are exploiting the CVE-2017-11882 vulnerability in Microsoft Office through phishing attacks, using fake Excel invoices to distribute the Agent Tesla malware. These deceptive emails trick users into opening Excel files, enabling the vulnerability in Office’s Equation Editor, potentially leading to unauthorized code execution. The attack employs an obfuscated Visual Basic Script in Excel, triggering the download of a hidden DLL file within a JPG image, subsequently injected into RegAsm.exe to execute the final payload—Agent Tesla, an advanced keylogger and RAT.

Concurrently, threat actors target old security flaws like Oracle’s CVE-2020-14883 and promote DarkGate malware. Additional phishing tactics extend to Instagram, where deceptive emails lure users to fraudulent web pages, aiming to obtain two-factor authentication backup codes, bypass account protections, and compromise accounts. Security researchers emphasize the evolving nature of these threats, urging organizations to take proactive measures such as regular patching, robust phishing awareness training, advanced threat protection, and multi-factor authentication 

3. Carbanak banking malware resurfaces as ransomware attacks surge 

Carbanak, a notorious banking malware, has recently updated its tactics, incorporating diverse attack methods and targets. Associated with ransomware gangs like FIN7, Carbanak has expanded its strategy by using compromised websites to host disguised malicious installer files resembling legitimate business-related software HubSpot, Veeam, and Xero.

This evolution aims to deceive users into initiating the deployment of Carbanak. To defend against such threats, organizations are advised to implement robust cybersecurity measures, including regular offline backups, comprehensive employee training on cybersecurity practices, timely system updates, network segmentation, and reliable endpoint protection with real-time scanning. 

4. Rogue WordPress plugin puts e-commerce sites at risk of credit card theft

Threat hunters have discovered a rogue WordPress plugin involved in a Magecart campaign, specifically targeting e-commerce websites by injecting malicious JavaScript to skim credit card information. These malicious plugins infiltrate WordPress sites through compromised admin accounts or plugin vulnerabilities, replicating themselves to evade detection. Deceptive tactics, like falsely claiming association with ‘WordPress Cache Addons’ in comments, create an illusion of legitimacy.

To avoid easy removal, the malware employs tactics like unregistering callback functions and creating hidden admin accounts. Its primary aim is to inject credit card-stealing malware into checkout pages and send data to an actor-controlled domain. Another Magecart campaign overlays a fake “Complete Order” button to trigger skimmer code insertion using the WebSocket protocol. To prevent such attacks, it is recommended to perform file integrity checks, update WordPress plugins, and themes, and regularly audit them to prevent such malicious injections.

5. CVE-2023-49070: Critical pre-auth RCE vulnerability in Apache OFBiz 

A critical security flaw, CVE-2023-49070, has been discovered in Apache OFBiz, an open-source enterprise resource planning (ERP) system widely used by large-scale businesses. This flaw poses a significant risk of Remote Code Execution (RCE) as it permits unauthenticated attackers to inject malicious code into vulnerable applications. Exploiting this vulnerability could grant adversaries full control over the server, empowering them to compromise sensitive data, disrupt operations, or potentially launch additional attacks.

Exploiting this flaw does not require prior authentication and originates from a deprecated and unmaintained XML-RPC component within Apache OFBiz. A Proof of Concept (PoC) exploit code for this security flaw has been publicly released. To mitigate this risk, immediate application of security patches is advised. Furthermore, organizations should implement stringent security measures, including input validation and output encoding, to prevent code injection attacks and bolster overall cybersecurity resilience.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider