
Phishing Campaign Deploys Agent Tesla Keylogger via Novel Loader Malware

Recently, a new campaign has been discovered that employs a novel loader to deliver a dangerous information stealer and keylogger known as “Agent Tesla.” Trustwave SpiderLabs identified a phishing email containing this attack chain on March 8, 2024. The message pretended to be a bank payment notification, urging the user to open an archive attachment.

The archive, named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz,” concealed a malicious loader that, once activated, deployed Agent Tesla on the compromised host. The loader used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods.

It also exhibited the capability to bypass antivirus defenses and retrieve its payload using specific URLs and user agents, leveraging proxies to further obfuscate traffic. Threat actors frequently employ this tactic to trick unsuspecting victims into triggering the infection sequence.
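The lure's attachment name puts a document type ("_pdf") directly in front of an archive extension (".tar.gz"), which a mail filter can flag. The following is an added example, not code from Trustwave or the original article; the extension lists are assumptions, and the sender, recipient and message body are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example; longest archive extensions come first.
ARCHIVE_EXT = (".tar.gz", ".tgz", ".tar", ".gz", ".zip", ".rar", ".7z", ".iso", ".img")
# Document type named at the end of the stem, e.g. "receipt_pdf" or "invoice.pdf"
DOC_TOKEN = re.compile(r"[ ._-](pdf|docx?|xlsx?|rtf|jpe?g|png)$", re.IGNORECASE)

def disguised_archive(filename):
    """Return the document type an archive name pretends to be, else None."""
    name = filename.strip().lower()
    for ext in ARCHIVE_EXT:
        if name.endswith(ext):
            m = DOC_TOKEN.search(name[: -len(ext)])
            return m.group(1) if m else None
    return None

def scan_message(raw):
    """Parse a raw RFC 5322 message and list (filename, claimed_type) hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename()  # decodes RFC 2231 encoded non-ASCII names
        if fname:
            claimed = disguised_archive(fname)
            if claimed:
                hits.append((fname, claimed))
    return hits

def build_sample(attachment_name):
    """Constructed test message; addresses, body and payload bytes are made up."""
    m = EmailMessage()
    m["From"] = "payments@bank.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Payment notification"
    m.set_content("Please see the attached proof of payment.")
    m.add_attachment(b"\x1f\x8b constructed bytes", maintype="application",
                     subtype="gzip", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    lure = "Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz"  # name from the article
    print(scan_message(build_sample(lure)))
    print(scan_message(build_sample("backup-2024-03.tar.gz")))
```

Legitimate senders do occasionally zip a PDF under a similar name, so a hit is better used as one scoring signal alongside sender reputation than as a hard block.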

The loader used in the attack is written in .NET. Trustwave discovered two distinct variants that each use a different decryption routine to access its configuration and retrieve the XOR-encoded Agent Tesla payload from a remote server. To evade detection, the loader is also designed to bypass the Antimalware Scan Interface (AMSI), which offers security software the ability to scan files, memory, and other data for threats.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content.” The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP through a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach not only avoids raising red flags but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary. It also saves the effort of having to set up dedicated exfiltration channels. “[The loader] employs methods like patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, ensuring stealthy execution, and minimizing traces on disk,” said security researcher Bernard Bautista. “This loader marks a notable evolution in the deployment tactics of Agent Tesla.”

BlueVoyant recently uncovered additional activity conducted by a cybercrime group called TA544, which leverages PDFs disguised as legal invoices to propagate WikiLoader (aka WailingCrab) and establish connections with a command-and-control (C2) server that almost exclusively encompasses hacked sites. It's worth noting that TA544 also weaponized a security bypass flaw tracked as CVE-2023-36025 in November 2023 to distribute Remcos RAT via a different loader family dubbed IDAT Loader, allowing it to seize control of infected systems.

The findings follow a surge in the use of a kit called Tycoon, which has been responsible for a significant increase in attacks. These attacks use advanced techniques that make them difficult to detect, such as social engineering tactics and fake login pages. It is essential to remain vigilant and adopt best practices to protect oneself from such attacks. Some of these include not clicking on suspicious links or downloading attachments from unknown sources, keeping software and operating systems up-to-date, and using strong passwords.

Deitasoft © 2024. All Rights Reserved.