
Rewterz Threat Alert – Phishing Campaign Delivering Agent Tesla Malware

Severity

Medium

Analysis Summary

Amid the COVID-19 pandemic, several threat actors have used the virus and the resulting pandemic as a lure to gain access to victims' computers. Agent Tesla, an information-stealing malware, has been used extensively in these campaigns.

A victim receives a phishing email with an attachment named "COVID 19 NEW ORDER FACE MASKS.doc.rtf". Despite the .doc in its name, the attachment is an RTF file that exploits CVE-2017-11882, a stack-based buffer overflow in the Microsoft Equation Editor tool.

Successful exploitation lets the attacker run arbitrary code, which is then used to deliver the Agent Tesla payload. The dropped payload injects code into the legitimate Windows process RegAsm.exe; the injected code in RegAsm.exe performs all information-stealing activity and sends the collected data to the CnC server.
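As an added illustration (not code from the advisory), the following attachment-triage routine flags the three traits of the lure described above: a double document extension such as .doc.rtf, RTF content behind a non-RTF extension, and an embedded Equation Editor OLE object of the kind CVE-2017-11882 exploits abuse. The file name and the RTF stub are constructed samples; obfuscated real-world RTF exploits would need a full RTF parser rather than a plain pattern match.

```python
import re

# Constructed sample: a minimal RTF stub that embeds an Equation Editor object,
# named like the lure in this advisory. It is not an exploit document.
SAMPLE_NAME = "COVID 19 NEW ORDER FACE MASKS.doc.rtf"
SAMPLE_DATA = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
               b"{\\*\\objdata 0102000002000000}}}")

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}
RTF_MAGIC = b"{\\rtf"
# Plain-text marker of an Equation Editor OLE class; obfuscated samples
# hide this and require real RTF parsing.
EQUATION_OBJCLASS = re.compile(rb"objclass\s*equation", re.I)


def file_extensions(name):
    """Return up to the last two extensions of a file name, e.g. ['.doc', '.rtf']."""
    parts = name.lower().rsplit(".", 2)
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(name, data):
    """Return a list of findings for an email attachment given its name and raw bytes."""
    findings = []
    exts = file_extensions(name)
    # Double extension where both parts look like document types (.doc.rtf)
    if len(exts) == 2 and all(e in DOC_EXTS for e in exts):
        findings.append("double extension %s" % "".join(exts))
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    # Content is RTF but the visible extension claims another format (.doc)
    if is_rtf and exts and exts[-1] != ".rtf":
        findings.append("RTF content with non-RTF extension %s" % exts[-1])
    # RTF that embeds an Equation Editor object: the CVE-2017-11882 vector
    if is_rtf and EQUATION_OBJCLASS.search(data):
        findings.append("embedded Equation Editor OLE object (CVE-2017-11882 vector)")
    return findings


if __name__ == "__main__":
    for finding in triage_attachment(SAMPLE_NAME, SAMPLE_DATA):
        print("ALERT:", finding)
```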

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

Email Subject

  • COVID 19 NEW ORDER FACE MASKS[.]doc[.]rtf
  • COVID-19 SUSPECTED AFFECTED VESSEL[.]doc

IP

  • 5[.]189[.]132[.]254
  • 107[.]189[.]7[.]179

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails from unknown senders.
  • Never click links or open attachments sent by unknown senders.