Spyware Pushers Modify Equation Editor Exploit to Bypass AV Detection

In a case that shows you can teach an old exploit new tricks, a group of attackers who push information-stealing malware modified a well-known exploit in a way that it bypasses detection by most antivirus programs.

The incident was reported by researchers from Cisco Systems’ Talos group, who noted that the attack exploits a old vulnerability in Microsoft Office called CVE-2017-11882 and is used to install information-stealing trojans such as Agent Tesla and Loki.

The CVE-2017-11882 flaw allows for remote code execution and is located in a Microsoft Office component called the Equation Editor, which is used to display scientific equations inside documents. The vulnerability can be exploited through specifically crafted documents in RTF format.

The flaw received a lot of attention in November last year because Microsoft patched it by modifying the Equation Editor binary directly instead of fixing it in the source code. This prompted speculation that Microsoft no longer had access to the source code of the old component and the company eventually removed it from Office in January after another serious vulnerability was discovered in it.

The CVE-2017-11882 vulnerability should be well-known to antivirus companies by now, especially since it has been used by multiple hacker groups. This means detection signatures for it probably exist in most security  products.

However, when the Talos researchers scanned the new malicious document they found on VirusTotal, only two out of 58 antivirus products flagged it as suspicious, and that happened because of wrong formatting in the file rather than clear malicious content.

It turns out the attackers found a way to obfuscate the exploit so the malicious code becomes invisible to the RTF parsers used by most antivirus engines.

“The big disadvantages of the RTF standard are that it comes with so many control words and common RTF parsers are supposed to ignore anything they don’t know,” the Talos researchers said in a blog post. “Therefore, adversaries have plenty of options to obfuscate the content of the RTF files.”

It’s worth pointing out though that the VirusTotal multi-engine scanner only relies on the signature-based detection of antivirus programs and doesn’t use their more advanced layers, such as behavioral detection. These additional features might catch the exploit in a real-world deployment at a later stage—for example, when it spawns suspicious processes or attempts to download the malicious payload from an URL.

One of the observed payloads in the attack analyzed by Talos was a Trojan program called Agent Tesla that can steal passwords from 25 applications including browsers, email agents and FTP clients. The Trojan also can take screenshots, log keystrokes and install additional malware.

“It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode,” the researchers said. “Either way, this shows that the actor or their tools have ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability. This is a technique that could very well be used to deploy other malware in a stealthy way in the future.”

Researchers Find 2018 U.S. Voter Records for Sale Online

U.S. voter registration databases containing the personal information of an estimated 35 million people from 19 states is being sold online on a cybercrime forum.

The listing was spotted by researchers from security firms Anomali and Intel 471 and reportedly contain full names, addresses, phone numbers and voting data. The price ranges between $150 and $12,500 depending on state and size of database.

Voter information is considered public records in some states and is made available for legitimate uses. In fact, the underground seller claims they receive weekly updates of voter registration data from contacts within the state governments, suggesting the databases were not obtained through hacking.

“To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history,” the Anomali researchers said in a blog post. “With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft.”

Featured eBook
Automating Open Source Security: A SANS Product Review of WhiteSource

Automating Open Source Security: A SANS Product Review of WhiteSource

Many sources indicate that 60–80 percent of code in applications today is based on open source components. This open source code often includes vulnerabilities that, if not managed properly, can expose organizations to potential breaches. This paper takes a close look at how WhiteSource can automate the process of open source component vulnerability detection, remediation, ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 294 posts and counting.See all posts by lucian-constantin