Mimecast protects against new cyber attacks

A new cyber attack campaign has been uncovered that tampers with a well-known exploit chain to blind antivirus solutions and is spreading information-stealing malware.

Researchers from Cisco Talos said earlier this month that the new malware campaign is spreading Agent Tesla, a virulent form of spyware.

The Trojan can monitor and collect the victim’s keyboard input and system clipboard, take screenshots, and exfiltrate credentials for a variety of software installed on the victim’s machine. This includes the Google Chrome and Mozilla Firefox browsers and the Microsoft Outlook email client.

Alongside Agent Tesla, the campaign also spreads Loki, another information and credential stealer.

While spyware and surveillance malware are often spread covertly through phishing attacks, bundled as Potentially Unwanted Programs (PUPs) with other software, or downloaded through malicious links, the latest attacks have revealed something unusual.

The threat actors behind the campaign have tampered with a well-known exploit chain and “modified it in such a way so that antivirus solutions don’t detect it,” according to Talos.

The hackers have created an infrastructure leveraging two Microsoft Office vulnerabilities, CVE-2017-11882 (a memory handling bug which permits arbitrary code execution) and CVE-2017-0199 (a remote code execution flaw), to distribute Agent Tesla and Loki.

However, the infrastructure is also being used to distribute other forms of malware, including the Gamarue Trojan, which has been connected to botnets.

The attack begins with the download of a malicious Microsoft Word .DOCX file which contains instructions to fetch an RTF file from inside the document. This tweak to the exploit chain goes unnoticed by antivirus solutions.

“At the time the file was analysed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal,” the researchers say. “Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample only warned about a wrongly formatted RTF file.”

The RTF file format, developed by Microsoft, is intended to act as a cross-platform document interchange format.
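As an added example, not part of the original post or of the Talos research, the check below shows how a defender can triage a .DOCX for the behaviour described above: a Word document that points to a second-stage file outside itself. It assumes the document references the RTF through an external OOXML relationship (the mechanism CVE-2017-0199 lures are known to use); the sample documents and the example.invalid URL are constructed inline and are not real samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_relationships(docx_bytes):
    """Return (part, type, target) for every relationship marked External
    in any .rels part of an OOXML package (a .docx is a zip of XML parts)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def suspicious_targets(docx_bytes):
    """Flag external relationships whose target is a remote URL, a UNC
    path or an RTF file: a normal Word document has no reason to load
    an RTF from the network."""
    hits = []
    for part, rtype, target in external_relationships(docx_bytes):
        t = target.lower()
        if t.startswith(("http://", "https://", "\\\\")) or t.endswith(".rtf"):
            hits.append((part, rtype, target))
    return hits


def build_sample_docx(rels_xml):
    """Constructed minimal .docx (not a real sample) with the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a clean one, and one with a remote RTF object link
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CLEAN_RELS = f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/></Relationships>'
SUSPECT_RELS = f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/><Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/stage2.rtf" TargetMode="External"/></Relationships>'

if __name__ == "__main__":
    for label, rels in (("clean", CLEAN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, suspicious_targets(build_sample_docx(rels)))
```

Run against a real mailbox quarantine this is only a triage signal, not a verdict: the same relationship type is used legitimately for linked OLE objects, so hits should be reviewed rather than auto-blocked.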

Some Arc Systems customers are already protected against this new attack. Mimecast is the perfect solution to protect you from related cyber attacks.

Mimecast provides critical defence against spam, commodity, and complex targeted email-borne attacks. With their comprehensive email security, Mimecast is designed to address the most complex email threats, providing a level of protection allowing you to focus on what is most important – your organisation.

Watch the video below to see how Mimecast is protecting businesses through its software, and if you require further information on how Arc Systems can help, drop us an email at [email protected].
