Researchers have observed a campaign targeting small- and medium-sized sectors with COVID-19 themed malicious documents. The documents contain two OLE objects: a VBS script and code that exploits the Equation Editor vulnerability CVE-2017-11882. If exploitation succeeds, two files, an injector DLL and the Agent Tesla payload, are downloaded from a remote URL and installed on the victim system. The Agent Tesla payload is injected into the legitimate Windows executable RegAsm.exe. Agent Tesla is a well-known keylogger and infostealer. Researchers attribute the campaign to the Gorgon APT group, also known as Subaat.
File name: face mask order[.]doc
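As an added defender-side example (not code from the original report), the detection logic below flags the two process-telemetry signals this chain produces: the Equation Editor process spawning a child, and RegAsm.exe being started by a script or Office host without an assembly to register. It assumes EQNEDT32.EXE is the Equation Editor process name and runs over constructed process-creation events.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class ProcEvent:  # one process-creation record (Sysmon Event ID 1 style fields)
    parent_image: str
    image: str
    command_line: str

# Hosts that should never start RegAsm.exe on a workstation (the injection step above).
SUSPICIOUS_REGASM_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe",
                             "excel.exe", "eqnedt32.exe", "powershell.exe"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the detections that fire for one event."""
    hits, parent, image = [], _base(ev.parent_image), _base(ev.image)
    # EQNEDT32.EXE (assumed here to be the Equation Editor host exploited via
    # CVE-2017-11882) never legitimately spawns children; any child is a signal.
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_spawned_child")
    if image == "regasm.exe":
        if parent in SUSPICIOUS_REGASM_PARENTS:
            hits.append("regasm_started_by_script_or_office_host")
        # Legitimate RegAsm use names an assembly to register; a bare launch
        # is what a hollowed host process used for injection looks like.
        if len(ev.command_line.split()) <= 1:
            hits.append("regasm_without_assembly_argument")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """(image, hits) for every event that triggered at least one detection."""
    return [(_base(e.image), h) for e in events if (h := classify(e))]

# Constructed sample telemetry (not real logs) mirroring the described chain.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\Equation"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    ProcEvent(rf"{OFFICE}\WINWORD.EXE", rf"{EQN}\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    ProcEvent(rf"{EQN}\EQNEDT32.EXE", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\stage.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", rf"{NET}\RegAsm.exe", "RegAsm.exe"),
    # Benign developer use: RegAsm started from a console with an assembly path.
    ProcEvent(r"C:\Windows\System32\cmd.exe", rf"{NET}\RegAsm.exe",
              r'RegAsm.exe "C:\dev\MyLib.dll" /codebase'),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the EQNEDT32-spawned script host and the bare RegAsm.exe launch; the Word-to-Equation-Editor step and the developer's RegAsm use stay quiet.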