New Malware Loader Delivers Agent Tesla Remote Access Trojan Via Phishing

Agent Tesla Delivered Via PhishingA new malware loader is delivering the Agent Tesla remote access Trojan (RAT), according to researchers at Trustwave SpiderLabs. The malware is distributed by phishing emails with malicious attachments.

“The threat begins with a fake bank payment email designed to deceive recipients,” the researchers write. “Concealed within this email is an attachment named ‘Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz’ masquerading as a legitimate payment receipt from a bank.

"This filename implies a harmless document, but it actually contains a malicious loader disguised within the tar.gz archive. This tactic is commonly employed in phishing attacks to trick recipients into unwittingly activating the malware and initiating nefarious activities.”

If a user falls for the phishing attack, the malware will be downloaded and installed.

“The infection chain begins with a phishing email posing as a bank payment notification in which a disguised loader was attached as an archive file,” the researchers write.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods. The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies for further obfuscate traffic. The payload itself, the Agent Tesla infostealer, is then executed entirely in memory, capturing and exfiltrating data via SMTP using compromised email accounts for discreet communication.”

Using compromised email accounts to exfiltrate the stolen data helps the malware avoid detection.

“Threat actors often hijack compromised email accounts to carry out the exfiltration process,” the researchers explain. “This method has several strategic benefits. First, it exploits the trust people have in regular email communication, making it less likely to raise suspicion. Second, it provides anonymity and makes it harder to trace the attack back to the threat actors. Finally, using existing email systems means they don't have to set up new communication channels, saving time and resources.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Trustwave has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews