New Malware Loader Delivers Agent Tesla Remote Access Trojan Via Phishing

Stu Sjouwerman | Mar 29, 2024

A new malware loader is delivering the Agent Tesla remote access Trojan (RAT), according to researchers at Trustwave SpiderLabs. The loader is distributed by phishing emails carrying a malicious archive attachment.

“The threat begins with a fake bank payment email designed to deceive recipients,” the researchers write. “Concealed within this email is an attachment named ‘Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz’ masquerading as a legitimate payment receipt from a bank.

“This filename implies a harmless document, but it actually contains a malicious loader disguised within the tar.gz archive. This tactic is commonly employed in phishing attacks to trick recipients into unwittingly activating the malware and initiating nefarious activities.”

If a user opens the attachment, the loader inside the archive runs and retrieves the Agent Tesla payload.
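The lure relies on a decoy document token (“_pdf”) placed in front of the real archive extension (“.tar.gz”). The following is an added example, not code from Trustwave or KnowBe4, showing how a mail gateway or triage script can score attachment names for that pattern and inspect the member names of a tar.gz without extracting anything. The decoy-token list, the executable-extension list and the sample archive (a fake “.exe” inside a tar.gz built in memory) are assumptions constructed for the example.

```python
"""Heuristic triage of e-mail attachments that masquerade as documents.

Added example (not Trustwave's or KnowBe4's code). It scores attachment
filenames the way the Trustwave write-up describes the lure: a decoy
document token ("_pdf") followed by the real archive extension (".tar.gz"),
and an archive whose members are executables.
"""
from __future__ import annotations

import io
import os
import re
import tarfile

# Checked longest-first so ".tar.gz" wins over ".gz".
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar", ".zip", ".rar", ".7z", ".gz")
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".bat",
                 ".cmd", ".ps1", ".vbs", ".js", ".jse", ".hta", ".lnk")
# A document-type token sitting right before the real extension is the decoy
# (e.g. "receipt_pdf.tar.gz", "receipt.pdf.exe"). Assumed token list.
DECOY_RE = re.compile(r"[._ -](pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)


def real_suffix(name: str) -> str:
    """Return the extension that actually decides how the file is handled."""
    lower = name.lower()
    for suffix in ARCHIVE_SUFFIXES + EXEC_SUFFIXES:
        if lower.endswith(suffix):
            return suffix
    return os.path.splitext(lower)[1]


def filename_findings(name: str) -> list[str]:
    """Findings for one attachment (or archive member) filename."""
    findings = []
    suffix = real_suffix(name)
    stem = name[: -len(suffix)] if suffix else name
    decoy = DECOY_RE.search(stem)
    if decoy:
        findings.append(f"decoy '{decoy.group(1).lower()}' before real suffix '{suffix}'")
    if suffix in ARCHIVE_SUFFIXES:
        findings.append("archive")
    if suffix in EXEC_SUFFIXES:
        findings.append(f"executable '{suffix}'")
    return findings


def archive_findings(data: bytes) -> dict[str, list[str]]:
    """Open a tar.gz in memory and run the filename check on every member.

    Only member *names* are inspected; nothing is extracted or executed.
    """
    out: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = filename_findings(member.name)
    return out


def triage_attachment(name: str, data: bytes | None = None) -> dict:
    """Combine outer-filename and member findings into one verdict."""
    result = {"name": filename_findings(name), "members": {}}
    if data is not None and real_suffix(name) in (".tar.gz", ".tgz"):
        result["members"] = archive_findings(data)
    hits = list(result["name"]) + [f for fs in result["members"].values() for f in fs]
    # An archive on its own is routine; a decoy token or an executable is not.
    result["suspicious"] = any(h != "archive" for h in hits)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample: a tar.gz holding one fake .exe named like a receipt.

    A stand-in built for this example, not the real attachment.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"MZ" + b"\x00" * 62            # fake PE header, no real code
        info = tarfile.TarInfo(name="payment_receipt.pdf.exe")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    lure = "Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz"
    print(triage_attachment(lure, build_sample_archive()))
    print(triage_attachment("quarterly_report.pdf"))
```

The check deliberately treats a bare archive as routine and only escalates on the decoy token or an executable member, which keeps false positives down on legitimate compressed attachments while still catching the naming trick the researchers describe.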

“The infection chain begins with a phishing email posing as a bank payment notification in which a disguised loader was attached as an archive file,” the researchers write.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods. The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents, leveraging proxies to further obfuscate traffic. The payload itself, the Agent Tesla infostealer, is then executed entirely in memory, capturing and exfiltrating data via SMTP using compromised email accounts for discreet communication.”

Routing the stolen data out through compromised, legitimate email accounts lets the exfiltration blend in with ordinary mail traffic, which helps the malware avoid detection.

“Threat actors often hijack compromised email accounts to carry out the exfiltration process,” the researchers explain. “This method has several strategic benefits. First, it exploits the trust people have in regular email communication, making it less likely to raise suspicion. Second, it provides anonymity and makes it harder to trace the attack back to the threat actors. Finally, using existing email systems means they don't have to set up new communication channels, saving time and resources.”
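Because the exfiltration goes through a legitimate mailbox, destination reputation is of little use; the signals that remain are which process opened the SMTP session, where that executable lives, and whether the server is one of the organisation's own. The following is an added example, not code from Trustwave or KnowBe4, that applies those heuristics to endpoint network telemetry. The log line format, hostnames, file paths, the mail-client allow-list and the corporate SMTP server list are all constructed assumptions for the example.

```python
"""Flag SMTP connections that do not fit normal mail-client behaviour.

Added example (not code from Trustwave or KnowBe4). Agent Tesla sends
stolen data by SMTP through a compromised but legitimate mailbox, so the
destination looks like ordinary mail traffic. The usable signals are the
process that opened the connection, where its executable lives, and whether
the server is one of the organisation's own. Log format, hostnames, paths
and allow-lists below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # assumed allow-list
CORP_SMTP = {"smtp.corp.example"}                       # assumed own servers
USER_WRITABLE = re.compile(r"/(appdata/local/temp|temp|downloads|public)/", re.I)

# Constructed line format: ts host=... image="..." dst=... dport=... proto=tcp
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" '
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    image: str
    dst: str
    dport: int
    severity: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Parse one telemetry line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def assess(ev: dict) -> Alert | None:
    """Apply the SMTP heuristics to one parsed connection event."""
    if ev["dport"] not in SMTP_PORTS:
        return None
    path = ev["image"].replace("\\", "/")
    exe = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if exe not in MAIL_CLIENTS:
        reasons.append(f"non-mail-client process {exe} opened an SMTP session")
    if USER_WRITABLE.search(path):
        reasons.append("executable runs from a user-writable directory")
    if ev["dst"].lower() not in CORP_SMTP:
        reasons.append(f"SMTP server {ev['dst']} is not a corporate mail server")
    if not reasons:
        return None
    # A mail client reaching an outside server may be personal mail; a
    # non-mail process doing so is the exfiltration pattern described above.
    severity = "high" if exe not in MAIL_CLIENTS else "medium"
    return Alert(ev["ts"], ev["host"], ev["image"], ev["dst"], ev["dport"],
                 severity, tuple(reasons))


def detect_smtp_exfil(lines: list[str]) -> list[Alert]:
    """Run the check over a batch of lines, skipping unparsable ones."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            alert = assess(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_LOG = [
    '2024-03-28T09:14:02Z host=WS-0412 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" dst=smtp.corp.example dport=587 proto=tcp',
    '2024-03-28T09:15:40Z host=WS-0412 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=www.example.net dport=443 proto=tcp',
    '2024-03-28T09:16:11Z host=WS-0412 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" dst=smtp.mail-provider.example dport=587 proto=tcp',
    '2024-03-28T09:17:03Z host=WS-0412 image="C:\\Users\\ola\\AppData\\Local\\Temp\\receipt_viewer.exe" dst=smtp.mail-provider.example dport=587 proto=tcp',
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    for a in detect_smtp_exfil(SAMPLE_LOG):
        print(a.severity, a.ts, a.image, "->", f"{a.dst}:{a.dport}")
        for r in a.reasons:
            print("   ", r)
```

On the constructed sample the Outlook session to the corporate server is silent, the Outlook session to an outside provider is a medium-severity note, and the Temp-directory executable talking SMTP to that same outside provider is the high-severity hit; the destination is identical in the last two cases, which is exactly why process context has to carry the detection.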

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Trustwave has the story.
