A sophisticated phishing campaign that uses a new type of loader malware to deliver the Agent Tesla keylogger and information stealer has been detected. Trustwave SpiderLabs uncovered the operation, highlighting a phishing email from March 8, 2024, that poses as a bank payment notification to lure victims into opening a malicious attachment.
The attachment, named “[XXXX] – payment proof_pdf.tar.gz”, contains a loader that, once executed, installs Agent Tesla on the victim’s machine. Because the file is both compressed and obfuscated, it slips past anti-spam filtering. The loader employs layered obfuscation and decryption to evade detection, and it sidesteps antivirus products by using specific URLs, user agents, and proxies to mask its activity.
The loader, written in .NET, comes in two variants, each using a different decryption routine to recover its configuration before downloading the XOR-encoded Agent Tesla payload from a remote server. To avoid detection by security software, it also neutralises the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function, so that content staged in memory is never scanned.
The final step loads Agent Tesla directly into memory, from where it harvests credentials and other sensitive data. Exfiltration goes over SMTP using a mailbox belonging to a legitimate security system provider in Turkey, which gives the attackers a layer of anonymity and spares them the need for dedicated exfiltration infrastructure.
This marks a notable advance in how Agent Tesla is deployed, a shift toward stealthier execution that leaves few traces on the infected system.
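Exfiltration through a legitimate third party's mailbox means there is no attacker-owned domain to block, but the traffic shape is still unusual: a user workstation opening SMTP or submission sessions to a mail server that is not the organisation's own relay. The hunt below is an added example for this article, not Trustwave's detection logic; the firewall log lines, the sanctioned relay address and the workstation address range are all constructed.

```python
"""
Hunt firewall flow logs for workstation-originated SMTP/submission sessions
to mail servers other than the organisation's own relays, the traffic shape
of the Agent Tesla exfiltration described above. All data here is constructed.
"""
import ipaddress
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Assumed: the organisation's own mail relays, which workstations may talk to.
SANCTIONED_RELAYS = {"10.0.5.25"}
# Assumed: address range holding user workstations (servers live elsewhere).
WORKSTATION_NET = ipaddress.ip_network("10.0.20.0/22")

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp action=(?P<action>\w+)"
)

# Constructed sample log: one workstation talks to the internal relay (fine),
# then repeatedly to an external host on 587; a server talks on 25; another
# workstation is denied on 465 (still an attempt worth seeing).
SAMPLE_LOG = """\
2024-03-08T09:12:01Z src=10.0.21.14 dst=10.0.5.25 dport=587 proto=tcp action=allow
2024-03-08T09:13:44Z src=10.0.21.14 dst=203.0.113.80 dport=443 proto=tcp action=allow
2024-03-08T09:14:02Z src=10.0.21.14 dst=198.51.100.9 dport=587 proto=tcp action=allow
2024-03-08T09:14:05Z src=10.0.21.14 dst=198.51.100.9 dport=587 proto=tcp action=allow
2024-03-08T09:20:17Z src=10.0.5.40 dst=198.51.100.9 dport=25 proto=tcp action=allow
2024-03-08T09:21:03Z src=10.0.22.7 dst=198.51.100.9 dport=465 proto=tcp action=deny
"""


def smtp_exfil_candidates(log_text):
    """Return {src: {dst: count}} for workstation -> non-sanctioned SMTP sessions.
    Denied attempts are kept on purpose: a blocked session still shows the host tried."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in SMTP_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if src not in WORKSTATION_NET or m["dst"] in SANCTIONED_RELAYS:
            continue
        hits[str(src)][m["dst"]] += 1
    return {s: dict(d) for s, d in hits.items()}


if __name__ == "__main__":
    for src, dsts in smtp_exfil_candidates(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}: {n} SMTP session(s) bypassing the sanctioned relay")
```

The allow-list of sanctioned relays is the detail that keeps this usable: in most environments workstations should only ever submit mail through the corporate relay or the cloud mail service, so anything else on these ports from a user subnet is a short list worth triaging by hand.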
A separate phishing operation has also been attributed to a group tracked as TA544, which uses PDFs disguised as legal invoices to spread WikiLoader and routes its command-and-control traffic through compromised WordPress sites. TA544 has additionally exploited a Windows security flaw (CVE-2023-36025, a SmartScreen security feature bypass) to deliver the Remcos RAT via another loader, giving the attackers full control over compromised systems.
Recent findings also point to a rise in phishing attacks built on the Tycoon kit, which targets Microsoft 365 users with fake login pages. The kit, first seen in August 2023, includes traffic filtering designed to keep security scanners away from its pages, and more than 1,100 domain names have been observed using it since late October 2023. Tycoon’s design shares similarities with the Dadsec OTT phishing kit, suggesting its operators obtained and modified that kit’s source code to extend their own phishing capabilities.