Researchers recently discovered a set of Trojan malware programs that can steal data from their victims' systems without being detected by antivirus software.
The significance of this finding is that the hackers behind the campaign managed to modify a known exploit in order to deliver the Trojan.
The malware is called "Agent Tesla", and it is built to steal data, including passwords, from victims' systems without being noticed by their antivirus program.
Cisco Talos Reports the Malware Campaign
The research team at Cisco Talos was the first to warn the public at large about this malware campaign.
According to Cisco Talos' written report, at least three different payloads are used by the hackers behind the campaign: Agent Tesla, Loki and Gamarue.
Describing how the attack is mounted, the researchers revealed that the malicious payload is hidden in a normal-looking Microsoft Word document (with a .docx suffix) that arrives as an email attachment.
In that sense, this is a type of phishing attack. An RTF file inside that attachment carries the Trojans.
The researchers found that practically every known antivirus product failed to detect Agent Tesla. Only two antivirus programs (out of the 58 they tried) flagged it at all, and even those did not categorize it as malware: their verdicts were "RTF/Malform-A.Gen" and "RTFBadVersion", which describe a malformed RTF file rather than the Trojan it carries.
How the Exploit Chain Got Modified
The hackers used object linking and embedding (OLE) to escape detection by antivirus software.
The vulnerability CVE-2017-11882 in Microsoft Word, which leads to memory corruption, is the vehicle used to carry the payloads, and the stealth comes from careful crafting of the contents within the payload so that they are obfuscated from scanners.
One more known vulnerability, CVE-2017-0199, was found to be used as well. The cleverness lies in the fact that the victim does not even have to click anything for the payload to be delivered.
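As an added defender-side illustration (not part of the Talos report or of this article), the following Python triage script flags the three indicators the section above describes in a suspicious attachment: an RTF header with the version digit dropped, of the kind the "RTFBadVersion" verdict refers to; an embedded OLE object marked to refresh on open, the no-click behaviour associated with CVE-2017-0199; and an Equation Editor object, the Office component that CVE-2017-11882 affects. The sample input is constructed; the exact byte patterns this campaign used are not on the page, so the checks are generic heuristics.

```python
import io
import re
import zipfile

# Heuristic indicators for the two Office flaws the Talos report names. These are generic
# checks (assumption), not the campaign's exact byte patterns, which the article does not give.
STRICT_HEADER = re.compile(rb"^\s*\{\\rtf1\b", re.IGNORECASE)  # what a well-formed RTF starts with
LOOSE_HEADER = re.compile(rb"^\s*\{\\rt", re.IGNORECASE)       # truncated prefix Word is known to accept
OBJCLASS = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)", re.IGNORECASE)

def scan_rtf(data: bytes) -> list:
    """Return human-readable findings for one RTF byte string (empty list = nothing suspicious)."""
    findings = []
    low = data.lower()
    if LOOSE_HEADER.search(data) and not STRICT_HEADER.search(data):
        findings.append("malformed RTF header: Word still opens it, strict AV parsers may bail (cf. RTFBadVersion)")
    if b"\\objupdate" in low:
        findings.append("\\objupdate: embedded object refreshes on open, no click needed (CVE-2017-0199 pattern)")
    for cls in OBJCLASS.findall(data):
        if b"equation" in cls.lower():
            findings.append("OLE object class %s: Equation Editor, target of CVE-2017-11882" % cls.decode())
    if b"\\objdata" in low and not findings:
        findings.append("embedded OLE object present: extract and inspect its data stream")
    return findings

def scan_attachment(blob: bytes) -> dict:
    """Scan a raw RTF, or a .docx container (a zip) whose parts may carry RTF/OLE content."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return {"<raw>": scan_rtf(blob)}
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            part = z.read(name)
            if LOOSE_HEADER.search(part):
                results[name] = scan_rtf(part)
    return results

# Constructed sample, not the campaign's file: version digit dropped from the header, an
# auto-updating Equation Editor object, and placeholder object data.
SAMPLE_RTF = (b"{\\rtf\\ansi{\\object\\objautlink\\objupdate\\objclass Equation.3"
              b"{\\*\\objdata 00000000}}}")

def build_docx_like(parts: dict) -> bytes:
    """Pack parts into a zip laid out like a .docx (constructed test container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    docx = build_docx_like({"word/document.xml": b"<w:document/>",
                            "word/embeddings/oleObject1.bin": SAMPLE_RTF})
    for part, hits in scan_attachment(docx).items():
        print(part, *hits, sep="\n  ")
```

Run against the sample, all three findings are reported for the embedded part; a clean `{\rtf1` document with no objects reports nothing.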
All Three Can Steal Data
In their detailed research report on this exploit, the Cisco Talos team also described the characteristics of each malware program.
In their assessment, Agent Tesla is a Trojan whose job is to steal information, and it does so in a sophisticated manner; stealing passwords for its operators is something it does quite deftly.
Loki is another Trojan, and it too performs the password-stealing role dutifully. The malware is advertised by its sellers as having this capability, and it is believed to be able to raid cryptocurrency wallets as well.
The last one, Gamarue, acts more like a worm. It can spread rapidly within targeted systems, after which its remote controllers take over and inflict whatever damage they like.
This malware can be deployed to steal data too, though that may not be its primary purpose.
Hackers Proving a Point
In the criminal world, those perpetrating crimes have typically been a couple of steps ahead of law enforcement agencies.
The ability of investigating agencies to first detect a crime, then establish the modus operandi and finally catch the culprits has not been consistent.
Getting the courts to punish those arrested and tried poses an additional challenge. In the virtual world, the hackers are the criminals.
They steal information and use it to siphon away funds, or they hold their victims to ransom with ransomware, demanding money to release precious data.
There are two sets of people involved in trying to keep up with the methods used by the hackers. One is the cybersecurity expert community that has to keep reinventing itself to develop products that can prevent the hacking attempts. The other is the cybercrime-busting law enforcement agencies.
The battle for supremacy between the cybercriminals and the ones ranged against them is still on.