CVE-2017-0199 xls → hta → vbs → steganography → dbatloader/guiloader → agenttesla

Intel Name: CVE-2017-0199 xls → hta → vbs → steganography → dbatloader/guiloader → agenttesla

Date of Scan: January 10, 2025

Impact: High

Summary:
For years, cybercriminals have been crafting malicious Microsoft Office documents to exploit CVE-2017-0199. While this vulnerability primarily affects outdated, unpatched systems, newly weaponized samples continue to appear almost daily. One particular campaign, active since at least 2023, frequently distributes DBatLoader/GuiLoader. This loader, a .NET DLL, is delivered through steganography: it is embedded as reversed Base64 text within an image. In recent months, DBatLoader/GuiLoader from this campaign has been used to deploy malware such as AgentTesla-style variants, LokiBot, or Remcos RAT.
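As an added illustration (not part of this intel summary or the campaign's own tooling), a defender-side triage check for the delivery technique described above: scan a file for long runs of Base64-alphabet bytes, reverse and decode each run, and flag any that decode to a PE (MZ) file. The image bytes and the placeholder payload are constructed for the demo.

```python
import base64
import re

# Constructed sample, not a real capture: a minimal JPEG-like byte string with a
# reversed-Base64 blob appended, mimicking the delivery described above. The
# embedded "payload" is a placeholder that merely starts with the MZ magic so
# the PE-header check can be exercised; it is not executable and not malware.
FAKE_PAYLOAD = b"MZ" + b"\x90\x00" * 30 + b"PLACEHOLDER-NOT-A-REAL-DLL"
REVERSED_B64 = base64.b64encode(FAKE_PAYLOAD)[::-1]
FAKE_IMAGE = (b"\xff\xd8\xff\xe0JFIF\x00" + b"\x00" * 64
              + REVERSED_B64 + b"\xff\xd9")


def find_reversed_b64_payloads(data: bytes, min_len: int = 64):
    """Locate long runs of Base64-alphabet bytes inside an arbitrary blob,
    reverse each run, decode it, and flag runs that decode to a PE (MZ) file.

    Returns a list of dicts with the offset and length of the run, whether the
    decoded bytes carry an MZ header, and the decoded bytes themselves.
    """
    # Base64 alphabet plus '=' padding; min_len filters out short text such as
    # the "JFIF" marker or EXIF strings that happen to use only these chars.
    pattern = re.compile(rb"[A-Za-z0-9+/=]{%d,}" % min_len)
    hits = []
    for m in pattern.finditer(data):
        run = m.group(0)
        candidate = run[::-1]                      # undo the reversal
        candidate += b"=" * (-len(candidate) % 4)  # repair missing padding
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:                         # binascii.Error subclasses it
            continue
        hits.append({
            "offset": m.start(),
            "length": len(run),
            "is_pe": decoded[:2] == b"MZ",
            "decoded": decoded,
        })
    return hits


def pe_payload_count(data: bytes) -> int:
    """Number of reversed-Base64 runs in data that decode to an MZ-headed file."""
    return sum(1 for h in find_reversed_b64_payloads(data) if h["is_pe"])


if __name__ == "__main__":
    for hit in find_reversed_b64_payloads(FAKE_IMAGE):
        print(f"offset={hit['offset']} len={hit['length']} pe={hit['is_pe']}")
```

Runs that decode cleanly but lack the MZ header are still reported, so an analyst can inspect them for other embedded stages (for example script text) rather than only DLLs.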

More Details