Introduction
Agent Tesla, first observed in 2014, is a .NET-based keylogger and information stealer with features such as clipboard logging, keystroke capture, screen capture, and extraction of stored credentials from web browsers, mail clients, and FTP clients. Zscaler ThreatLabz recently observed a campaign in which threat actors distribute Excel add-in (XLAM) attachments that exploit CVE-2017-11882 to deliver Agent Tesla to users running unpatched versions of Microsoft Office. CVE-2017-11882 is a remote code execution vulnerability in the legacy Equation Editor component of Microsoft Office (EQNEDT32.EXE): a stack-based buffer overflow in the handling of embedded equation objects lets a crafted document run attacker-controlled code as soon as it is opened, with no macros involved. Microsoft patched the flaw in November 2017 and removed the Equation Editor component entirely in January 2018, so the campaign only succeeds against installations that have missed those updates.

In this blog, we examine the tactics the threat actors use to deploy Agent Tesla via CVE-2017-11882, the methods used for data theft, and the evasion strategies in the chain, such as obfuscation and anti-debugging techniques.
Key Takeaways

- Threat actors use lures such as "orders" and "invoices" in spam emails to encourage users to open malicious attachments that exploit CVE-2017-11882.
- The infection chain includes a heavily obfuscated VBS stage, which complicates analysis and deobfuscation.
- The Agent Tesla payload is injected into RegAsm.exe, a legitimate signed Microsoft .NET Framework tool, so the malicious activity runs under the guise of a genuine process.
Microsoft Excel Infection Sequence

Threat actors begin the infection sequence by distributing spam emails with malicious Excel attachments (examples in Figure 1 and Figure 2 below), hoping that recipients running vulnerable versions of Microsoft Office open the emails and the attachments.

Figure 1: Spam email example

Figure 2: Spam email example

To make these spam emails seem legitimate, threat actors use words like "invoices" and "order" in the subject and body. This lends the fraudulent emails authenticity and encourages users to open the attachments.
Once a user opens a malicious attachment in a vulnerable version of Excel, the embedded Equation Editor object triggers CVE-2017-11882 and the exploit contacts an attacker-controlled server and downloads the next stage without any further user interaction. Figure 3 shows that the first file downloaded is a heavily obfuscated VBS file.

Figure 3: Malicious communication and additional file download

Figure 4 shows the obfuscated VBS file.

Figure 4: Obfuscated VBS file
The VBS file uses variable names roughly 100 characters long, which adds noise to analysis and deobfuscation. It then downloads a malicious JPG file, as shown in Figure 5.

Figure 5: Malicious JPG file (steganography image)

The JPG file contains a Base64-encoded DLL, as shown in Figure 6.

Figure 6: Base64-encoded DLL inside an image

Embedding a Base64-encoded DLL inside an image is intended to evade antivirus scanning, since the carrier looks like a picture rather than an executable. Once the JPG is downloaded, the VBS file launches PowerShell, which reads the image, extracts the text between the <<BASE64_START>> and <<BASE64_END>> marker tags, Base64-decodes it into the DLL, loads the decoded DLL, and invokes its malicious routines. The marker tags let the script locate the payload precisely regardless of the surrounding image bytes. Figure 7 illustrates the command.

Figure 7: Malicious command that loads and runs the DLL file
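The marker-delimited extraction described above is easy to reproduce for triage. The following Python script is an added example written for this page, not the threat actor's PowerShell or any Zscaler tooling: it scans a carrier file for the <<BASE64_START>> and <<BASE64_END>> tags named in the analysis, Base64-decodes whatever sits between them (tolerating line-wrapped Base64), checks whether the result carries a DOS/PE header, and reports hashes for IOC matching. The JPEG-like carrier and the stub PE it embeds are constructed inline for the demonstration; the real sample is not reproduced.

```python
"""Extract Base64 payloads delimited by <<BASE64_START>>/<<BASE64_END>> from a carrier file.
Added example for triage of image-carried payloads; not code from the campaign."""
from __future__ import annotations

import base64
import binascii
import hashlib
import re

START_TAG = b"<<BASE64_START>>"
END_TAG = b"<<BASE64_END>>"

# Non-greedy match between the two marker tags; DOTALL because the encoded
# blob may span lines if the attacker wrapped it.
TAG_RE = re.compile(re.escape(START_TAG) + b"(.*?)" + re.escape(END_TAG), re.DOTALL)


def extract_tagged_payloads(data: bytes) -> list[bytes]:
    """Return every decoded blob found between the marker tags, in file order.

    Whitespace inside the Base64 region is stripped before decoding, and a
    region that is not valid Base64 is skipped instead of aborting the scan.
    """
    payloads = []
    for match in TAG_RE.finditer(data):
        encoded = re.sub(rb"\s+", b"", match.group(1))
        try:
            payloads.append(base64.b64decode(encoded, validate=True))
        except binascii.Error:
            continue
    return payloads


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob starts with the DOS 'MZ' header and has a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_carrier(data: bytes) -> list[dict]:
    """Summarise each embedded payload: size, PE check and hashes for IOC lookup."""
    report = []
    for blob in extract_tagged_payloads(data):
        report.append({
            "size": len(blob),
            "is_pe": looks_like_pe(blob),
            "md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return report


def build_sample_carrier() -> bytes:
    """Constructed test input (NOT the real campaign sample): a JPEG-looking
    prefix, then a stub PE image wrapped in the marker tags, then a JPEG EOI."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3A)       # DOS header up to e_lfanew
    fake_pe += (0x40).to_bytes(4, "little")         # e_lfanew -> PE header at 0x40
    fake_pe += b"PE\0\0" + b"\0" * 20               # PE signature + dummy COFF header
    encoded = base64.b64encode(bytes(fake_pe))
    # Wrap at 76 columns to exercise the whitespace handling in the extractor.
    wrapped = b"\r\n".join(encoded[i:i + 76] for i in range(0, len(encoded), 76))
    return (b"\xff\xd8\xff\xe0" + b"\x00" * 64      # JPEG SOI + APP0 marker, padding
            + START_TAG + wrapped + END_TAG + b"\xff\xd9")


if __name__ == "__main__":
    for entry in triage_carrier(build_sample_carrier()):
        print(entry)
```

Run it against a suspect image with `triage_carrier(open(path, "rb").read())`; a hit whose `is_pe` is true is the dropped DLL, and its MD5 can be compared with the DLL hashes in the IOC section.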
PowerShell then launches RegAsm.exe, as shown in Figure 8. RegAsm.exe is the .NET Framework Assembly Registration tool, a signed Microsoft binary whose legitimate job is to register assemblies for COM interop by writing the corresponding registry entries; in this chain it is started only to serve as a trusted-looking host process for the malicious code.

Figure 8: Process tree and thread injection in RegAsm.exe

From here, the DLL fetches the Agent Tesla payload and injects it into the RegAsm.exe process by creating a thread in it (Figure 9), so the stealer runs under the name of a legitimate Microsoft executable.

Figure 9: Thread injected into RegAsm.exe
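The chain described above (Equation Editor, then the VBS stage, then PowerShell, then RegAsm.exe with an injected thread) has a distinctive process lineage. The following Python detection is an added example rather than any vendor rule: it runs four checks over Sysmon-style process-creation events, flagging any child of EQNEDT32.EXE (Equation Editor has no legitimate reason to spawn processes), a script host spawning a shell, RegAsm.exe started by a shell or script host, and RegAsm.exe launched without the assembly path that its legitimate usage (RegAsm.exe <assembly> [/codebase] [/tlb]) requires. The events are constructed for the demonstration and the field names are assumptions modelled on Sysmon Event ID 1, not a real capture.

```python
"""Flag the process lineage of the CVE-2017-11882 -> VBS -> PowerShell -> RegAsm.exe
chain on Sysmon-style process-creation events. Added example; not a vendor rule."""
from __future__ import annotations

import ntpath
import shlex

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed events (assumed field names modelled on Sysmon Event ID 1; not a real capture).
# Equation Editor is started out-of-process as a COM server, so its parent is
# the DcomLaunch svchost rather than EXCEL.EXE; the rules below do not rely on
# seeing EXCEL.EXE as the parent.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\a\Downloads\invoice.xlam"'},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k DcomLaunch"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": '"EQNEDT32.EXE" -Embedding'},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\a\AppData\Local\Temp\nicko.vbs"},
    {"pid": 303, "ppid": 302, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c ..."},   # payload omitted (placeholder)
    {"pid": 304, "ppid": 303, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign control: a developer registering an interop assembly with an explicit path.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmd": r'RegAsm.exe "C:\build\MyInterop.dll" /codebase'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower()


def regasm_has_assembly_arg(cmd: str) -> bool:
    """Legitimate usage is 'RegAsm.exe <assembly> [options]'. An invocation with
    no positional argument has nothing to register and is typical of RegAsm
    being used purely as a hollow host for injected code."""
    try:
        args = shlex.split(cmd, posix=False)   # keep Windows quoting/backslashes intact
    except ValueError:
        args = cmd.split()
    return any(not a.startswith("/") for a in args[1:])


def detect_chain(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname == "eqnedt32.exe":
            hits.append(("equation_editor_child_process", e["pid"]))
        if pname in SCRIPT_HOSTS and child in SHELLS:
            hits.append(("script_host_spawned_shell", e["pid"]))
        if child == "regasm.exe" and not regasm_has_assembly_arg(e["cmd"]):
            hits.append(("regasm_without_assembly", e["pid"]))
        if child == "regasm.exe" and pname in SHELLS | SCRIPT_HOSTS:
            hits.append(("regasm_spawned_by_shell", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The Equation Editor rule is the high-confidence one: on a patched Office installation EQNEDT32.EXE is absent, and on an unpatched one it never spawns children. The RegAsm rules need the benign-control case in mind, since build pipelines do run RegAsm with a real assembly path; the argument check keeps those out of the alert queue.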
Figure 10 shows Agent Tesla attempting to steal saved credentials from various browsers for transmission to an attacker-controlled destination.

Figure 10: Browser data theft

In addition to browser data, Agent Tesla targets credentials stored by mail clients and FTP applications, as shown in Figure 11.

Figure 11: Agent Tesla steals data from Outlook

As shown in Figure 12, Agent Tesla installs keyboard and clipboard hooks to record all keystrokes and capture data the user copies.

Figure 12: Keyboard and clipboard hooks

In Figure 13, Agent Tesla uses window hooking (typically implemented with SetWindowsHookEx), a technique for monitoring window messages, mouse events, and keystrokes: the hook procedure receives each event before the target window does, so the malware sees user input before the application acts on it.

Figure 13: Window hooking

Finally, the malware exfiltrates the collected data to a Telegram bot controlled by the threat actor through the Telegram Bot API, as shown in Figure 14.

Figure 14: Exfiltration to Telegram
Conclusion

This blog provided an overview of the tactics threat actors use when exploiting CVE-2017-11882 to deliver Agent Tesla, from the credential and keystroke theft to the evasion strategies in the chain: obfuscation, hiding the payload inside an image, execution inside a signed Microsoft binary, and anti-debugging techniques. The campaign also shows that a six-year-old, long-patched Office vulnerability remains profitable for attackers, so keeping Office installations current (and confirming that the Equation Editor component has actually been removed) is the most direct mitigation. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving threats.

In addition to staying on top of these threats, the Zscaler ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.
Zscaler Coverage

- Win32.Backdoor.Agenttesla.LZ
- XLS.Exploit.CVE-2017-11882
- DOC.Exploit.CVE-2017-11882
Indicators of Compromise (IOCs)

Telegram Bot API URLs used for exfiltration

- api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
- api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
- api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument
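Exfiltration over the Telegram Bot API, as described in the analysis above, is visible in egress logs because every call goes to api.telegram.org and carries the bot ID and token in the URL path. The following Python scanner is an added example, not Zscaler's detection logic: it parses Bot API URLs, pulls out the numeric bot ID and the method (sendDocument indicates a file upload), and matches the bot ID against the three IDs in the IOC list above. The proxy log lines are constructed for the demonstration (the field layout is an assumption); one of them reuses a bot URL from the IOC list.

```python
"""Spot Telegram Bot API traffic in proxy logs and match bot IDs against the
campaign IOCs. Added example; not vendor detection logic."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Bot API URLs have the shape https://api.telegram.org/bot<bot_id>:<token>/<method>
BOT_API_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)(?:/(?P<method>[A-Za-z]+))?"
)

# Bot IDs taken from the defanged IOC list on this page.
CAMPAIGN_BOT_IDS = {"6362373796", "6475150763", "6663697988"}

# Methods that carry a file body; sendDocument is the one used in this campaign.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def refang(ioc: str) -> str:
    """Turn the defanged form used in IOC lists back into a parseable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_bot_api_url(url: str) -> dict | None:
    """Return bot_id, token suffix and method for a Telegram Bot API URL, else None.
    Only the last four token characters are kept so alerts do not echo a usable secret."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    return {
        "bot_id": m["bot_id"],
        "token_suffix": m["token"][-4:],
        "method": m["method"] or "",
    }


# Constructed proxy log lines (assumed layout: epoch client_ip verb url); not a real capture.
SAMPLE_LOG = """\
1700000000.101 10.0.0.15 GET https://www.example.com/index.html
1700000000.222 10.0.0.15 POST https://api.telegram.org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
1700000000.333 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAAAexampleTOKEN/sendMessage
1700000000.444 10.0.0.15 GET https://api.telegram.org/file/bot/fake
"""


def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one finding per Bot API request, enriched with client, upload flag
    and whether the bot ID is one of the campaign IOCs."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _verb, url = fields[:4]
        info = parse_bot_api_url(url)
        if info is None:
            continue
        info.update({
            "client": client,
            "uploads_file": info["method"] in UPLOAD_METHODS,
            "known_campaign_bot": info["bot_id"] in CAMPAIGN_BOT_IDS,
        })
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f)
```

Any Bot API call from an endpoint that has no business talking to Telegram is worth a look, whether or not the bot ID is on the list; the bot ID is the stable part to pivot on, since attackers rotate tokens but the numeric ID identifies the bot account.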
Malicious URLs

- 79.110.48[.]52/nicko.vbs
- 79.110.48[.]52/nix.txt
- 193.42.33[.]51/knog.txt
Malicious Excel files (MD5)

- 201cd0a2fc6a87d25d6aed1e975fae71 (CVE-2017-11882)
- 38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882)
- c1521547dea051bd7a007516511fb2ca (CVE-2017-11882)
- dddabc8019a7184055301927239a9438 (CVE-2017-11882)
Malicious VBS files (MD5)

- f302addf3b4068888788d8edce8f52a0
- 1402e4408f123da1e9bc3bde078764fc
- a1c2b285a7ff9dd99c70e4d750efea51
Malicious JPG files (MD5)

- 8496654930be3db6cea0ba62ffe5add9
- d6f8c9a88cbdd876695f4bef56972f2e
- 8d17b59e8bb573b12a9d0e42746f8aef
Malicious DLL files (MD5)

- 8955b482e59894864bace732302a9927
- f5f51251dc672e1934746e0057011b1a
- 5630282a95afd2a5ceeecc5acf7ff053
Malicious executables (MD5)

- 547b88c4aa225377d7d65e912d81fe28
- 87aa9fc1bf49d48234160a15515a8145
- 0ada110f82ce64fcfab0eb0e5d8d948e
- 32e9af7d07a5edcc9bf9b5c8121acc55
- b551da554933c2c064f96aaa6aa9ff55
- 7ea06a0e6c1e5707a23364ae6984b4f3
- f3f27883dc91a7c85a03342bf6fed475
- 7c9ad2b73748f8c745d5d49b9b4876c5
- a8c8010963f35fc3253d6409c169a9f2
- d6a1feb6cfa307c5031ea2dd2118d786
- 069bb6a37f9312ba4fea6c70b7134d39
- 6bdb7a11d0eaa407e7a7f34d794fb567
- f11d72bc4192b2ed698cc2b0200773bf
- a55302ad4bf2f050513528a2ca64ff01
- 01b02fc9db22a60e8df6530a2e36a73b
- 43ec3cc0836bd759260e8cf120b79a7b
- 5477e3714c953df2bb3addf3bebbda9a
- be1858db74162408c29c8b8484b3cf88
- 38bb6b06907c6e3445aa23c8d229e542
- 05bc545b9b0de1ccb4254b59961ea07b
- 25a697d0e6c5fa06eea8ba0d3ae539da
- 8a081a4f6c497c60c6e72dfabfe30326
- ad0f5f4994a2998f0e1ed3323884837c
- 092ff92d9bfa9cac81a8b892d495f42e
- 09f197fc8d69ec14875723f1e6e623bf
- 0eba69a4ad399db14a2743b4d68f13e8
- 19eab6a97cea19473bda3010066c5990
- cb2b5646d68279aea516703df3c4c1e9
- 3247ad04996dd2966800153e7ea14571
- 92d1ece422670dbf9a3e1aef45612b5c
- f25da7cd5fb33e7a0967dbcdf008bd9a
- a7f2d131a2f3f61978ec17395f7b34b1
- 39088a9e4ad3e7a8ba4686641569dbcd
- 210e9a89b723b3246a7d590c9a428c83
- efc3a41ecae822eba861cb88c179c80e
- c01e90db99bcc939f829a181aef2c348
- b18ba839dfd653b07b984330dd85b57a
- a8e8d4667f96ea847d18eb7830fb1dc6
- c38b8d525f48cbdf92381274059d8f0b
- 6e0dafacdeee6f2d9463d0052db5cce8
- b6f892c73fa0f491072592d7baf0c916
- bf9d9c9a95fdb861c583dc9b66bcf5ab
- 0043f65755a700b94a57118a672df82c
- adbf1e2f49d842aac524d7ac351ca5b4
- d55bdb3593664d806794d00025390081
- 935e75cbd0f207bfeb6d3b5d90e35685
- db4bfb57c7acd8d568a06a9c3739e146
- 08e1955de35005b335be2e100d2d4a3c
- e57882623add29cbfa8c93d011b52c44
- e6c4636c331af09568a68dcf3614cfa4
- be71e90f09a38adfe22d34e3dd044fad
- e9d4e5b8b80dcb4fcf5af8413066434e
- 413af1ff38e6a4e205c6f487d042b457
- f1a1542bbccea9a4e6746040d85eae1b
- 05d60c7be299fc0220ffcaf3b1482652
- 5373b6dce20bbb0218034aa9bf0c20df
- 1e22cd428f5baf23877a8189469ed92a
- b76d8d59b53f58dd876951044e6d88b9
- a29585da474f79a723894c1a56f65b85
- 2639c8b09f744e95ba612c89ef26e02c
- bba5761789159b5a1a23566506358c15
- 3d8414800762efb9276a999fc477211b
- f0af137175487b4d1249921ce506efe9
- 2123f750f5b854b439349576118d9b9d
- 7b6ec969d4110722b427de45ca1c0d42
- 6dfc461ecf4f2fe4c5f44cdeb6792226
- 0708c52198a49bc7ab16bce19472598a
- 00b28f548f14de4f53abd6651bf78b98
- ea1472bad426efded678a15c9a14bf34
- dadb38b97d45d7438fbd43911a71d844
- d7ebf4ab7bb0ab685e3902349d637e9b
- aff1e141f15d808d5d4f549ea99c1e4d
- bbc7c66b301d3087cfdaa89528832895
- e6926fc50f40c5c5feb676b0adcb7655
- 3c3580dfbc1f06636fe5696879cbdd85
- b7dba4e30a73f58740d316c46645b759
- 7b1bc15873c39866b429d44da8640285
Agent Tesla steals saved credentials from the following browsers:

- Edge Chromium
- Postbox
- Iridium Browser
- Elements Browser
- Citrio
- CentBrowser
- Epic Privacy
- SeaMonkey
- Vivaldi
- Yandex Browser
- Amigo
- 7Star
- Kometa
- IceCat
- Cool Novo
- Flock
- Coowon
- 360 Browser
- Brave
- WaterFox
- Chromium
- Liebao Browser
- CyberFox
- PaleMoon
- Thunderbird
- QIP Surf
- Sleipnir 6
- Sputnik
- IceDragon
- Coccoc
- K-Meleon
- Comodo Dragon
- Chedot
- Opera Browser
- BlackHawk
- Firefox
- Torch Browser
- Uran
- Orbitum
Agent Tesla tries to steal credentials from the following mail, FTP, VPN, messaging, and other clients:

- Paltalk
- WinSCP
- Safari for Windows
- FTP Navigator
- Discord
- Falkon Browser
- Mailbird
- QQ Browser
- ClawsMail
- Pidgin
- Eudora
- FTPGetter
- Becky!
- eM Client
- IncrediMail
- JDownloader 2.0
- Psi/Psi+
- FoxMail
- FtpCommander
- Flock Browser
- FileZilla
- Outlook
- WS_FTP
- OpenVPN
- Private Internet Access
- IE/Edge
- SmartFTP
- DynDns
- Opera Mail
- Trillian
- CoreFTP
- MysqlWorkbench
- PocoMail
- Flash FXP
- UC Browser
- NordVPN
- Internet Download Manager
- Windows Mail App