This post is authored by Paul Rascagneres with contributions from Alex McDonnell.
Talos has discovered a new spam campaign used to infect targets with the well-known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856); however, the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices such as AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.
Cisco Systems Inc. published this content on 23 March 2017 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 23 March 2017 15:54:14 UTC.
Original document: http://blogs.cisco.com/security/talos/how-malformed-rtf-defeats-security-engines
Public permalink: http://www.publicnow.com/view/DC32D1081049BFAD278DC2157E101E691A66EF94