Exploiting Legacy Vulnerabilities and JavaScript Malware Targeting Financial Institutions Complex Tactics



In a concerning trend, threat actors are exploiting the Microsoft Office vulnerability CVE-2017-11882 to propagate phishing campaigns that deliver the Agent Tesla malware.

Zscaler ThreatLabz has published insights into these malicious activities, detailing the adversaries’ intricate infection chains and tactics.

Decoy Documents Concealing Danger

The attack vectors involve the distribution of decoy Excel documents, cleverly camouflaged within invoice-themed emails. 

These seemingly innocuous attachments aim to deceive recipients into triggering the exploitation of CVE-2017-11882, a memory corruption vulnerability in Office’s Equation Editor that carries a CVSS score of 7.8.

Seamless Code Execution

Malicious communication begins as soon as the unsuspecting user opens the infected Excel file. If the installed version of Microsoft Excel is vulnerable, the malware proceeds to download additional files without any further user interaction.

This marks a disturbing evolution in attack methodologies as the exploitation of legacy vulnerabilities persists.

Agent Tesla: A Stealthy Threat

Agent Tesla, the final payload, is a .NET-based advanced keylogger and remote access trojan (RAT).

This sophisticated malware is adept at harvesting sensitive information from compromised hosts and establishing communication with a remote server to extract the pilfered data. 

The Windows Assembly Registration Tool, RegAsm.exe, has a history of exploitation, having been leveraged to deploy the notorious Quasar RAT.
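As an added illustration, not part of the original article or of Zscaler’s research, the following Python sketch flags the infection chain described above in constructed process-telemetry records: the Equation Editor binary (EQNEDT32.EXE, the component affected by CVE-2017-11882) spawning a child process or making a network connection, and RegAsm.exe started without an assembly to register. The event format, the sample values and the heuristics are assumptions, not taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str           # full path of the process image
    parent_pid: int = 0  # only meaningful for "process" events
    cmdline: str = ""    # only meaningful for "process" events
    dest: str = ""       # remote host, only for "network" events


EQN_EDITOR = "eqnedt32.exe"  # Equation Editor binary affected by CVE-2017-11882
REGASM = "regasm.exe"        # Windows Assembly Registration Tool


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples in event order."""
    procs = {e.pid: e for e in events if e.kind == "process"}

    def under_equation_editor(pid):
        # Walk the parent chain; the Equation Editor has no business spawning children.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if basename(procs[pid].image) == EQN_EDITOR:
                return True
            pid = procs[pid].parent_pid
        return False

    alerts = []
    for e in events:
        img = basename(e.image)
        if e.kind == "process" and under_equation_editor(e.parent_pid):
            alerts.append(("child_of_equation_editor", e.pid, img))
        if e.kind == "network" and img == EQN_EDITOR:
            alerts.append(("equation_editor_network", e.pid, e.dest))
        # Legitimate RegAsm use names an assembly; a bare RegAsm.exe is a common injection host.
        if e.kind == "process" and img == REGASM and ".dll" not in e.cmdline.lower():
            alerts.append(("regasm_without_assembly", e.pid, e.cmdline))
    return alerts


# Constructed sample telemetry (not real logs); 198.51.100.7 is a documentation-range address.
EQN_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
REGASM_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    Event("process", 1000, r"C:\Program Files\Microsoft Office\EXCEL.EXE", 500, "EXCEL.EXE invoice.xls"),
    Event("process", 2000, EQN_PATH, 800, "EQNEDT32.EXE -Embedding"),  # launched via DCOM, not Excel
    Event("network", 2000, EQN_PATH, dest="198.51.100.7"),
    Event("process", 3000, REGASM_PATH, 2000, "RegAsm.exe"),
    Event("process", 4000, REGASM_PATH, 900, r"RegAsm.exe C:\build\MyComLib.dll /codebase"),  # benign
]


def run_sample():
    return detect(SAMPLE_EVENTS)
```

The Equation Editor is started through COM, so its parent is normally svchost.exe rather than Excel; the rules therefore key on what EQNEDT32.EXE does next, not on who launched it.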

JavaScript Malware Targets Global Financial Institutions

A recently identified strain of JavaScript malware is being used in a sophisticated assault on over 40 financial institutions worldwide, marking a significant cybersecurity concern.

The campaign, employing JavaScript web injections, has reportedly infiltrated at least 50,000 user sessions across North America, South America, Europe, and Japan.

Discovery and Intentions

IBM Security Trusteer sounded the alarm on this campaign in March 2023. Security researchers emphasized that the web injection module’s primary goal is to compromise popular banking applications. 

Once the malware infiltrates a system, it intercepts users’ credentials with the apparent aim of monetizing sensitive banking information.

Dynamic Attack Chains and Delivery Mechanisms

The attack chains exhibit a calculated approach, utilizing scripts loaded from a threat actor-controlled server, specifically identified as “jscdnpack[.]com.” 

The malware strategically targets a typical page structure shared by several banks. The means of delivery to targets remain speculative, potentially involving phishing emails or malvertising.

Dissuading Victims and Seizing Control

Upon receiving instructions from the server, the malware takes subversive actions. 

It erases traces of injections, introduces fraudulent user interface elements to accept OTPs, and strategically displays an error message proclaiming online banking services’ unavailability for 12 hours. 

This tactical move aims to dissuade victims from logging in, allowing threat actors to seize control of accounts and execute unauthorized actions.

Sophisticated Tactics You Must Be Aware Of

Security researcher Kaivalya Khursale brings to light the dynamic nature of threat actors, emphasizing the constant adaptation of infection methods.

Organizations are urged to remain vigilant of evolving cyber threats to fortify against such sophisticated incursions.

IBM Security Trusteer also cites the malware’s advanced capabilities in executing man-in-the-browser attacks, including its dynamic communication, its web injection methods, and its adaptability to server instructions.

Author: Marrium Akhtar

Date: December 22, 2023


Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
