Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware

Malicious attachments that exploit an RCE flaw from 2017 are propagating Agent Tesla via socially engineered emails and an evasive infection method.

Attackers are exploiting a 6-year-old Microsoft Office remote code execution (RCE) flaw to deliver spyware, in an email campaign weaponized by malicious Excel attachments and characterized by sophisticated evasion tactics.
Threat actors dangle lures relating to business activity in spam emails that deliver files that contain
CVE-2017-11882
, an RCE flaw that dates back to 2014 and can allow for system takeover, Zscaler revealed in a
blog post
published Dec. 19. The end goal of the attack is to load
Agent Tesla
, a remote access Trojan (RAT) and advanced keylogger first discovered in 2014, and exfiltrate credentials and other data from an infected system via a Telegram bot run by the attackers.
CVE-20170-11882 is a memory-corruption flaw found in the Equation Editor of Microsoft Office. An attacker who successfully exploits the flaw can run arbitrary code in the context of the current user and even take over the affected system if a user is logged on with administrator rights. Though the vulnerability has long been patched,
older versions
of
Microsoft Office
still in use may be vulnerable.
Despite being nearly a decade old, Agent Tesla remains
a common weapon
used by attackers and includes features such as clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different Web browsers.
The attack vector is unique in that it pairs a
longstanding vulnerability
with new complexity and evasion tactics that demonstrate adaption in attackers infection methods, thus making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape, Zscaler senior security researcher Kaivalya Khursale noted in the post.
In its initial infection vector, the campaign seems unexceptional, with threat actors using
socially engineered emails
with business-oriented lures in messages peppered with words such as orders and invoices. The messages add a sense of urgency by requesting an immediate response from recipients.
But once a user takes the bait, the attack method veers into the unconventional, the researchers found. Opening the
malicious Excel attachment
with a vulnerable version of the spreadsheet app initiates communication with a malicious destination that pushes additional files, the first of which is a heavily obfuscated VBS file that uses variable names 100 characters long. This adds a layer of complexity to the analysis and deobfuscation, Khursale wrote.
This file in turn starts the download of a malicious JPG file, after which the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL.
After the PowerShell loads, theres another novel tactic: It executes the RegAsm.exe file — the primary function of which is typically associated with registry read-write operations, Khursale noted. However, in the attack context, the files purpose is to carry out malicious activities under the guise of a genuine operation, he said. From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process.
Once deployed, the
spyware
RAT proceeds to steal data from a slew of browsers, mail clients, and FTP applications, sending it to a malicious destination controlled by threat actors. It also attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Specifically, Agent Tesla uses window hooking, a technique used to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actors function intercepts before the action occurs, Khursale said. The malware ultimately sends the exfiltrated data to a Telegram bot controlled by the threat actor.
Zscaler included a comprehensive list of indicators of compromise (IoCs) in the blog post — including a list of the Telegram URLs used for exfiltration; malicious URLS; various malicious Excel, VBS, JPG, and DLL files; and malicious executables — to help identify if a system has been compromised. The post also includes an extensive list of browsers and mail and FTP clients from which Agent Tesla attempts to steal credentials to help organizations remain vigilant.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware