Contact Contact Us


This week’s reports on the use of Drupalgeddon 2.0 vulnerabilities to deliver Shellbot malware and the modification of a well-known exploit chain to install Agent Tesla and other information-stealing malware without triggering anti-virus detection have come to our attention. This is because both campaigns once again reflect the allure of known vulnerabilities to threat actors and their creativity to make small changes to an exploit chain to maximise attack surface. The use of known vulnerabilities cost less money and time for threat actors as compared to the use of zero-days, and it is still an attractive tool because many users tend to delay patching known vulnerabilities.

Since mid-August, financially motivated threat actors have been scanning Drupal websites that are vulnerable to Drupalgeddon 2.0 (CVE-2018-7600 and CVE-2018-7602) to install Shellbot malware. They scan for the /user/register and /user/password pages in the installation phase and attempt to brute-force into the websites using the discovered information. Once they succeed, they install Shellbot, which uses an IRC channel as its command and control server and performs various functions such as DDoS attacks and searching for SQL injection vulnerabilities.

Meanwhile, threat actors modified an exploit chain previously used to deliver Formbook malware to now deliver Agent Tesla and other information-stealing malware without triggering anti-virus detection. The latest campaign to distribute Agent Tesla exploits a Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to download and open an RTF file from a malicious Microsoft Office Word document. Since most RTF parsers typically ignore what they do not know, highly obfuscated RTF files are able to hide exploit codes.

We advise our customers to install patches as soon as they are available to avoid falling prey to attacks that exploit known vulnerabilities. Our customers are also recommended to stay abreast of the latest cyber threats and adopt good security practices to protect against potential attacks.

[1] Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers
[2] Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883