High
Researchers have observed a campaign targeting small and medium-sized sectors with COVID-19 themed malicious documents. Each document contains two OLE objects: a VBS script and code that exploits the Equation Editor vulnerability, CVE-2017-11882. If exploitation succeeds, two files, an injector DLL and the Agent Tesla payload, are downloaded from a remote URL and installed on the victim system. The Agent Tesla payload is injected into the legitimate Windows executable RegAsm.exe. Agent Tesla is a well-known keylogger and information stealer. Researchers attribute the campaign to the Gorgon APT group, which is also known as Subaat.
Indicators:
File name: face mask order[.]doc
MD5: 4FC5BA9426E9191AAB4E694E7E703E13
SHA-256: 2022D9CC42ED2838DAA442561107C29297BDDB88B36222345C10B39164E66819
SHA-1: B5EBAF2F5AF220FE1B1DE5433C2E39FF16B0C0B4
Reference: CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
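The infection chain above (Equation Editor exploit, payload download, injection into RegAsm.exe) leaves a recognisable process and network pattern. The following added detection example is not part of the bulletin; it runs over constructed Sysmon-style events and assumes that Equation Editor runs as EQNEDT32.EXE and that RegAsm.exe has no legitimate reason to open network connections.

```python
from ntpath import basename  # handles Windows paths on any platform

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"   # the binary affected by CVE-2017-11882
INJECTION_HOST = "regasm.exe"      # legitimate .NET tool the stealer is injected into

# Constructed sample events: (event_id, image, parent_image, detail)
# event_id 1 = process create (detail = command line), 3 = network connect (detail = destination)
SAMPLE_EVENTS = [
    (1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\explorer.exe", '"face mask order.doc"'),
    # Equation Editor is started over DCOM, so its parent is svchost.exe, not WINWORD.EXE;
    # key detections on the Equation Editor image itself rather than on its parent.
    (1, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        r"C:\Windows\System32\svchost.exe", "-Embedding"),
    (3, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "", "203.0.113.10:80"),                      # payload download stage
    (1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", ""),
    (3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "", "198.51.100.5:587"),                     # injected stealer sending data out
    # Benign: a developer registering an assembly from a shell (no alert expected)
    (1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        r"C:\Windows\System32\cmd.exe", "MyLib.dll"),
]


def detect(events):
    """Return one alert string per event that matches the Equation Editor -> RegAsm chain."""
    alerts = []
    for event_id, image, parent, detail in events:
        img, par = basename(image).lower(), basename(parent).lower()
        if event_id == 1 and par == EQUATION_EDITOR:
            alerts.append(f"Equation Editor spawned {img}")            # it should never spawn children
        elif event_id == 3 and img == EQUATION_EDITOR:
            alerts.append(f"Equation Editor connected to {detail}")    # it has no business on the network
        elif event_id == 3 and img == INJECTION_HOST:
            alerts.append(f"RegAsm.exe connected to {detail}")         # registration tool talking out
        elif event_id == 1 and img == INJECTION_HOST and par in OFFICE_APPS:
            alerts.append(f"RegAsm.exe launched by Office app {par}")  # Office should not run RegAsm
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```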