August 12, 2020
Severity
High
Analysis Summary
Researchers have observed a campaign targeting small and medium-sized organizations using COVID-19 themed malicious documents. Each document contains two OLE objects: a VBS script and code that exploits the Equation Editor vulnerability CVE-2017-11882. If exploitation succeeds, two files, an injector DLL and the Agent Tesla payload, are downloaded from a remote URL and installed on the victim system. The Agent Tesla payload is then injected into the legitimate Windows executable RegAsm.exe. Agent Tesla is a well-known keylogger and information stealer. Researchers attribute the campaign to the Gorgon APT group, also known as Subaat.
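As an added example (not part of the advisory), the following script turns the chain described above into host-telemetry checks a defender can run: it matches the advisory's lure-document hashes, flags any process spawned by EQNEDT32.EXE (the CVE-2017-11882 exploitation pattern), and flags outbound connections from RegAsm.exe, which has no legitimate reason to talk to the network. The Sysmon-like JSON-lines format, field names, paths and the sample events are constructed for this example.

```python
import json
import ntpath

# File hashes listed in the advisory's Indicators of Compromise (lure document).
IOC_HASHES = {
    "4FC5BA9426E9191AAB4E694E7E703E13",
    "2022D9CC42ED2838DAA442561107C29297BDDB88B36222345C10B39164E66819",
    "B5EBAF2F5AF220FE1B1DE5433C2E39FF16B0C0B4",
}

# Constructed sample telemetry in a Sysmon-like JSON-lines shape.
# Field names, paths and addresses are assumptions for this example, not real captures.
SAMPLE_LOG = r"""
{"event":"file_create","image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","target":"C:\\Users\\u\\Downloads\\face mask order.doc","hashes":{"MD5":"4FC5BA9426E9191AAB4E694E7E703E13"}}
{"event":"process_create","image":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","parent":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"event":"process_create","image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","parent":"C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe"}
{"event":"network_connect","image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","dest":"203.0.113.10:587"}
{"event":"network_connect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"198.51.100.7:443"}
"""

def _name(path):
    # Compare on the lower-cased file name only, so install paths do not matter.
    return ntpath.basename(path or "").lower()

def check_event(ev):
    """Return the names of the advisory-derived rules this event matches."""
    hits = []
    hashes = {h.upper() for h in ev.get("hashes", {}).values()}
    if hashes & IOC_HASHES:
        hits.append("ioc_hash_match")          # lure document seen on disk
    if ev.get("event") == "process_create" and _name(ev.get("parent")) == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")  # CVE-2017-11882 exploitation pattern
    if ev.get("event") == "network_connect" and _name(ev.get("image")) == "regasm.exe":
        hits.append("regasm_network")          # injected payload beaconing from RegAsm.exe
    return hits

def scan_log(text):
    """Scan JSON-lines telemetry; return [(line_no, rule), ...] in log order."""
    alerts = []
    for n, line in enumerate(filter(None, map(str.strip, text.splitlines())), 1):
        for rule in check_event(json.loads(line)):
            alerts.append((n, rule))
    return alerts

if __name__ == "__main__":
    for n, rule in scan_log(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

On the sample log this reports the lure hash on line 1, the cmd.exe child of EQNEDT32.EXE on line 3 and the RegAsm.exe connection on line 5, while the benign Chrome connection stays silent.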
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
- Filename: face mask order[.]doc
- MD5: 4FC5BA9426E9191AAB4E694E7E703E13
- SHA-256: 2022D9CC42ED2838DAA442561107C29297BDDB88B36222345C10B39164E66819
- SHA-1: B5EBAF2F5AF220FE1B1DE5433C2E39FF16B0C0B4
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about links/attachments sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882