Zscaler reports a campaign exploiting an old Microsoft Office memory corruption vulnerability (CVE-2017-11882, CVSS 7.8) in order to distribute the information stealer Agent Tesla.
The campaign starts with a phishing email carrying a Microsoft Excel attachment themed as an invoice or order notice.
Opening the attachment is the only user interaction needed to trigger the vulnerability. The memory corruption lets the actors download additional artifacts without any further user interaction. These artifacts include:
A malicious image file into which a dynamic link library (DLL) has been embedded using steganography;
A Visual Basic script which, once the image has been downloaded, executes PowerShell to extract the malicious base64-encoded DLL from the image;
The DLL itself, which downloads the Agent Tesla payload and executes it through RegAsm.exe as an evasion mechanism.
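As an added defensive example, not code from Zscaler's report or from the campaign: a small Python scanner that looks for a base64-encoded DLL hidden in an image file the way the chain above describes, by locating long base64 runs and checking whether they decode to a PE image (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature). The sample image and the DLL stand-in are constructed here, and the function names are my own.

```python
# Added detection example (not from the report): flag an image carrying a base64-encoded PE/DLL.
import base64
import binascii
import re
import struct

# A base64 run of 64+ characters; a hidden DLL yields a far longer run.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_pe(data: bytes) -> list:
    """Return (offset, decoded_size) for each base64 run that decodes to a PE image."""
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        # Neighbouring bytes that happen to be base64 characters can shift the
        # alignment, so try all four possible start positions of the run.
        for shift in range(4):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole 4-char quanta only
            try:
                blob = base64.b64decode(chunk, validate=True)
            except binascii.Error:
                continue
            if looks_like_pe(blob):
                hits.append((match.start() + shift, len(blob)))
                break
    return hits

def _fake_pe() -> bytes:
    """Constructed stand-in for a DLL: valid MZ/PE headers, no code at all."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    return bytes(dos) + b"PE\0\0" + bytes(0x30)

# Constructed "image": JPEG-like markers, 256 bytes of filler, then the hidden DLL.
B64_PAYLOAD = base64.b64encode(_fake_pe())
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0JFIF-filler" + bytes(range(256)) + B64_PAYLOAD + b"\xff\xd9"

if __name__ == "__main__":
    for offset, size in find_embedded_pe(SAMPLE_IMAGE):
        print(f"embedded PE at byte {offset}, {size} bytes decoded")
```

Real steganographic embeddings may split or encode the payload differently, so treat a hit as a strong signal and a miss as no verdict.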