23 October 2018

New RTF-Based Campaign Distributing Agent Tesla and Loki Trojans

Researchers at Cisco Talos have discovered a new RTF-based campaign distributing two sophisticated information-stealing trojans, ‘Agent Tesla’ and ‘Loki’, that has slipped under the radar of common anti-virus solutions.

First Stage of Attack

The campaign starts with a malicious DOCX file that downloads and opens an RTF document. The RTF in turn exploits CVE-2017-11882, a stack buffer overflow in Microsoft Equation Editor that allows arbitrary code execution.

This is not the first campaign to use this 17-year-old vulnerability: we published a blog in January 2018 detailing its exploitation to distribute the Zyklon malware.

When the sample was analysed, only two of the 58 antivirus engines on VirusTotal found anything suspicious, and those two only warned about a malformed RTF file. Cisco’s Threat Grid painted a different picture and identified the file as malware on the strength of its highly suspicious execution chain.

[Figure: Cisco Threat Grid Behavior Indicators (BI) for the sample; image from the Cisco Talos blog]

What is RTF?

RTF (Rich Text Format) is a proprietary document file format developed by Microsoft for cross-platform document interchange. RTF documents support Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects via the ‘\object’ control word, which lets a document link to or embed an object of the same or a different format.

From a security standpoint the biggest weakness of RTF is that it defines a very large number of control words, and RTF readers are required to ignore any control word they do not recognise. Threat actors therefore have plenty of options for obfuscating the content of an RTF file, for instance by sprinkling meaningless control words through the hex-encoded data of an embedded object.

This campaign uses that kind of obfuscation together with a trick that forces the embedded object to update before it is displayed (the RTF ‘\objupdate’ control word does exactly this). In other words, the user does not have to click on the object: the exploit fires as soon as the document is opened.
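As an added example, not code from the Talos write-up or from this post’s author, the following Python scanner shows both mechanics in practice: it tokenises RTF, discards unknown control words as a compliant reader must (so junk words spliced into object data cannot hide the object), and reports each \object group with its \objclass, whether \objupdate is set, and the class name recovered from the OLE 1.0 header inside \objdata. The document it scans is constructed here for illustration, with junk control words and line breaks deliberately spliced into the object data; it is not the campaign sample, and the `suspicious()` heuristic is this example’s own.

```python
"""RTF embedded-object scanner: illustrative example, not Cisco Talos tooling.
Ignores unknown control words as a compliant reader must, so junk spliced into
object data does not hide it. Reports, per \object: the \objclass string, whether
\objupdate is set (refresh before display, so no click needed) and the ClassName
in the OLE 1.0 header carried in \objdata. The sample document is constructed."""
import re
import struct

TOKEN_RE = re.compile(
    r"\\([a-zA-Z]{1,32})(-?\d{1,10})? ?"  # control word, optional parameter, delimiter space
    r"|\\'([0-9a-fA-F]{2})"               # \'hh escaped byte
    r"|\\(.)"                             # control symbol such as \* \{ \}
    r"|([{}])"                            # group open / close
    r"|([^\\{}]+)",                       # plain text (hex digits inside \objdata)
    re.DOTALL,
)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def tokenize(rtf):
    """Yield (kind, value) with kind in {'cw', 'open', 'close', 'text'}; control symbols are skipped."""
    for word, _param, hexbyte, _sym, brace, text in TOKEN_RE.findall(rtf):
        if word:
            yield "cw", word.lower()
        elif hexbyte:
            yield "text", chr(int(hexbyte, 16))
        elif brace:
            yield ("open" if brace == "{" else "close"), None
        elif text:
            yield "text", text


def decode_hex(text):
    """Keep only hex digits; whitespace and line breaks are legal inside \objdata."""
    digits = "".join(HEX_RE.findall(text))
    return bytes.fromhex(digits[:len(digits) - len(digits) % 2])


def ole1_class_name(data):
    """ClassName from an OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4): version, format id,
    then a length-prefixed ANSI string. None if the header is absent or malformed."""
    if len(data) < 12:
        return None
    _version, _format_id, length = struct.unpack_from("<III", data, 0)
    if not 0 < length <= 256 or 12 + length > len(data):
        return None
    return data[12:12 + length].rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(rtf):
    """Return one dict per \object group in the document."""
    objects, depth = [], 0
    current, current_depth = None, None          # object under construction, depth of its group
    pending, data_depth, hex_chunks = None, None, []
    for kind, value in tokenize(rtf):
        if kind == "open":
            depth += 1
        elif kind == "close":
            if data_depth == depth:                   # closes {\*\objdata ...}
                raw = decode_hex("".join(hex_chunks))
                current.update(data_len=len(raw), ole_class=ole1_class_name(raw))
                data_depth = None
            if current_depth == depth:                # closes {\object ...}
                current = current_depth = None
            depth -= 1
        elif kind == "cw":
            if value == "object":
                current = {"objclass": None, "objupdate": False, "ole_class": None, "data_len": 0}
                current_depth = depth
                objects.append(current)
            elif current is None:
                continue                              # unknown/irrelevant control word: ignored
            elif value == "objupdate":
                current["objupdate"] = True
            elif value == "objclass":
                pending = "objclass"                  # next text token is the class string
            elif value == "objdata":
                data_depth, hex_chunks = depth, []
        elif kind == "text":
            if data_depth is not None:
                hex_chunks.append(value)
            elif pending == "objclass" and current is not None:
                current["objclass"], pending = value.strip(), None
    return objects


def suspicious(obj):
    """Heuristic: an Equation Editor object that auto-updates before display feeds
    attacker-controlled data to EQNEDT32.EXE with no user interaction."""
    names = " ".join(n for n in (obj["objclass"], obj["ole_class"]) if n).lower()
    return "equation" in names and obj["objupdate"]


def ole1_blob(class_name, native):
    """Constructed OLE 1.0 embedded-object blob: header, empty topic/item names, native data."""
    name = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<III", 0x00000501, 0x00000002, len(name)) + name
            + struct.pack("<III", 0, 0, len(native)) + native)


def obfuscate(hexstr, every=24):
    """Splice an unknown control word and a line break into the hex every few bytes,
    as malicious RTF generators do; a compliant reader drops the word and keeps the hex."""
    return "\\zxqv \r\n".join(hexstr[i:i + every] for i in range(0, len(hexstr), every))


SAMPLE_NATIVE = b"\x1c\x00\x00\x00" + b"A" * 16     # constructed stand-in for equation data
SAMPLE_RTF = (                                       # constructed document, not the campaign file
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    r"{\object\objemb\objupdate\objw1000\objh500{\*\objclass Equation.3}"
    r"{\*\objdata " + obfuscate(ole1_blob("Equation.3", SAMPLE_NATIVE).hex()) + "}"
    r"}\par Invoice attached.}"
)
```

Running `scan_rtf(SAMPLE_RTF)` yields a single object with `objclass` and `ole_class` both `Equation.3` and `objupdate` set, which `suspicious()` flags; the spliced `\zxqv` words and line breaks have no effect on the recovered bytes, which is the point of the page’s remark about parsers ignoring what they do not know. A scanner that greps the raw file for `objdata` followed by a clean hex run would miss exactly this sample.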

The exploit first launches Microsoft Equation Editor, the component Office uses to embed mathematical equations in documents, and abuses it to run “scvhost.exe”, a file whose name is a deliberate look-alike of the legitimate Windows svchost.exe. This “scvhost.exe” establishes the connection to the threat actor’s Command and Control (C2) server and also contains the shellcode that eventually delivers the final Agent Tesla and Loki payloads onto the infected machine.
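That process chain, Equation Editor spawning a look-alike svchost, is what endpoint telemetry catches even when the document itself slips past antivirus. The Python below is an added example, not Talos tooling and not from the original post: it runs two checks over constructed Sysmon-style process-creation events, one for any child of the Equation Editor executable (EQNEDT32.EXE), one for image names that imitate, or misuse the location of, Windows system binaries. The field names, paths and events are assumptions for illustration. It also encodes a caveat worth knowing before writing the rule: Equation Editor is started through DCOM, so its own parent is normally svchost.exe rather than WINWORD.EXE, and the reliable signal is the editor’s child, not its parent.

```python
"""Process-creation detection for the chain described above (illustrative
example, not Cisco Talos tooling; the events below are constructed).

Two checks over endpoint process-creation telemetry such as Sysmon event ID 1:
  1. Any child process of the Equation Editor, EQNEDT32.EXE. The editor has no
     business spawning processes, so this is a high-confidence signal for
     CVE-2017-11882 exploitation whatever the payload is called.
  2. Image names that imitate a Windows system binary (svchost.exe -> scvhost.exe),
     or that use the real name from outside the Windows system directories.
EQNEDT32.EXE itself is launched via DCOM, so its parent is normally svchost.exe,
not WINWORD.EXE: alert on the editor's child, not on its parent.
"""
import ntpath

PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
EQUATION_EDITOR = "eqnedt32.exe"


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'scvhost' is one edit from 'svchost' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_event(event):
    """Return the reasons this process-creation event is suspicious (empty list if none)."""
    reasons = []
    image, parent = event["Image"], event["ParentImage"]
    name = ntpath.basename(image).lower()
    if ntpath.basename(parent).lower() == EQUATION_EDITOR:
        reasons.append("child of EQNEDT32.EXE")
    if name in PROTECTED_NAMES:
        if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            reasons.append("system binary name outside system directory")
    else:
        for protected in PROTECTED_NAMES:
            if osa_distance(name, protected) <= 1:
                reasons.append("name imitates " + protected)
    return reasons


def analyse(events):
    """Run check_event over a batch; returns (index, reason) pairs for alerting."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]


# Constructed events in the shape of Sysmon event ID 1 fields; not real telemetry.
EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},          # DCOM launch: normal parent
    {"Image": r"C:\Users\bob\AppData\Roaming\scvhost.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, reason in analyse(EVENTS):
        print(f"event {index}: {reason} ({EVENTS[index]['Image']})")
```

Only the Roaming `scvhost.exe` (two reasons: parent is EQNEDT32.EXE and the name is one transposition away from svchost.exe) and the Temp `svchost.exe` are reported; the genuine Equation Editor launch under svchost.exe and the real svchost.exe under services.exe stay quiet.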

Final Payload

Agent Tesla

Agent Tesla is an information stealer/RAT sold by a company that markets grayware products. It contains a number of questionable functions, such as password stealing, screen capturing and the ability to download additional malware, although its sellers claim it is intended for password recovery and child monitoring.

That seems unlikely to be its true use-case when the malware comes with password-stealing routines for more than 25 common applications (a selection is listed below) and other spyware functions such as keylogging, clipboard stealing, screenshots and webcam access.

  • Chrome
  • Firefox
  • Internet Explorer
  • Yandex
  • Opera
  • Outlook
  • Thunderbird
  • IncrediMail
  • Eudora
  • FileZilla
  • WinSCP
  • FTP Navigator
  • Paltalk
  • Internet Download Manager
  • JDownloader
  • Apple keychain
  • SeaMonkey
  • Comodo Dragon
  • Flock
  • DynDNS

Loki (also known as LokiBot)

Loki is also an information-stealing Remote Access Trojan (RAT) that can steal passwords, capture screens, access the webcam, and download additional malware onto the machine.

Our Recommendations

This is a highly effective malware campaign: it evades detection by most antivirus products, and the same technique could very well be used to deploy other malware stealthily in the future.

The use of CVE-2017-11882 in this campaign, nearly a year after Microsoft patched it in November 2017, demonstrates the necessity of patching systems promptly once security updates are released. Where Equation Editor is not needed, removing it closes this attack surface entirely; Microsoft itself removed the component from supported Office versions in January 2018.