The trap comes in the form of a bank payment notification message encouraging the user to open an attachment.
A new phishing campaign has been discovered. It relies on a new loader to deliver Agent Tesla, an information stealer and keylogger.
Trustwave SpiderLabs researchers said they spotted the phishing email on March 8, 2024. The message poses as a bank payment notification and encourages the user to open an attachment containing a particularly virulent loader, which manages to evade current security controls such as the Windows Antimalware Scan Interface (AMSI).
Agent Tesla evolves to become virtually undetectable
Victims receive a fake bank payment email designed to trick them. This email contains an attachment named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”, which pretends to be a legitimate payment receipt issued by a bank. The file name suggests a harmless document, but the tar.gz archive actually contains a malicious loader. This tactic is commonly used in phishing attacks to trick recipients into unintentionally activating the malware and launching fraudulent activities.
This loader activates Agent Tesla on the compromised device. It uses techniques to evade detection, bypass antivirus defenses, and retrieve its payload from specific URLs. In particular, it is designed to bypass the Windows Antimalware Scan Interface (AMSI). It decodes and executes Agent Tesla in memory, allowing cybercriminals to discreetly exfiltrate sensitive data over SMTP without triggering alarms. This loader marks an evolution in Agent Tesla’s attack tactics.
“[The loader] uses methods such as patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, ensuring stealthy execution and minimizing disk traces,” said security researcher Bernard Bautista. This marks a notable evolution in Agent Tesla’s deployment tactics.
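The attachment described above relies on a file name that reads like a PDF receipt while the archive actually carries an executable loader. The following Python script is an added example for mail-gateway or triage tooling; it is not code from Trustwave SpiderLabs or from the campaign. It builds a constructed tar.gz in memory (the archive name copies the one reported above, the member names and bytes are invented) and flags the three signs a defender would check for: a document-sounding archive name, a double extension such as `.pdf.exe`, and a member that starts with the Windows PE `MZ` magic regardless of its extension. A benign archive is inspected alongside it to show that the name alone does not produce a verdict.

```python
import io
import re
import tarfile

# Constructed sample, not the real campaign artifact: the archive name mirrors
# the reported lure, the contents are invented (a minimal "MZ" header and a
# one-line batch file).
SAMPLE_NAME = "Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz"

ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar")
# Words that make an archive or member look like a document (Polish "wpłaty"
# = payment, as in the lure).
DOCUMENT_WORDS = re.compile(r"(pdf|docx?|xlsx?|invoice|receipt|payment|wp[łl]aty)", re.I)
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}


def _build_archive(members) -> bytes:
    """Write (name, bytes) pairs into an in-memory tar.gz and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed malicious-looking archive: PE-like file with a double extension."""
    return _build_archive([
        ("dowod_wplaty.pdf.exe", b"MZ" + b"\x00" * 62),  # PE magic, rest padding
        ("start.bat", b"@echo off\r\n"),
    ])


def build_benign_archive() -> bytes:
    """Constructed benign archive: a real-looking PDF header, no executables."""
    return _build_archive([("receipt.pdf", b"%PDF-1.4\n%constructed\n")])


def _strip_archive_suffix(name: str) -> str:
    lowered = name.lower()
    for suffix in ARCHIVE_SUFFIXES:
        if lowered.endswith(suffix):
            return name[: -len(suffix)]
    return name


def inspect_tar_attachment(filename: str, data: bytes) -> dict:
    """Inspect a tar/tar.gz attachment and return {"suspicious": bool, "findings": [...]}.

    The archive name only contributes an informational finding; the verdict
    comes from executable members, double extensions and PE headers.
    """
    findings = []
    if DOCUMENT_WORDS.search(_strip_archive_suffix(filename)):
        findings.append(f"archive name suggests a document: {filename!r}")

    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        findings.append(f"unreadable archive: {exc}")
        return {"suspicious": True, "findings": findings}

    with tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            pieces = member.name.lower().split(".")
            ext = "." + pieces[-1] if len(pieces) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable member: {member.name}")
                # e.g. "dowod_wplaty.pdf.exe": document extension hidden before a
                # real executable extension
                if len(pieces) > 2 and DOCUMENT_WORDS.fullmatch(pieces[-2]):
                    findings.append(f"double extension: {member.name}")
            fh = tar.extractfile(member)
            head = fh.read(2) if fh else b""
            if head == b"MZ":
                findings.append(f"PE header in member: {member.name}")

    suspicious = any(f.startswith(("executable", "double", "PE header")) for f in findings)
    return {"suspicious": suspicious, "findings": findings}


if __name__ == "__main__":
    for name, blob in ((SAMPLE_NAME, build_sample_archive()),
                       ("receipt.tar.gz", build_benign_archive())):
        print(name, inspect_tar_attachment(name, blob))
```

Because the loader in this campaign runs the final payload in memory, an endpoint scanner may never see Agent Tesla on disk; checks at the mail boundary on what the archive actually contains, rather than on what its name claims, are therefore where such a lure is cheapest to catch.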
The alarming popularity of phishing kits
This discovery follows that of BlueVoyant researchers, who identified new phishing activity by the TA544 cybercrime group. The group uses PDFs disguised as invoices to spread the WikiLoader malware, which connects to command-and-control servers hosted primarily on compromised WordPress sites, such as those infected through a LiteSpeed plugin flaw in early March 2024. TA544 has also exploited a Windows security vulnerability (CVE-2023-36025) to distribute Remcos RAT and thereby take control of infected systems.
Additionally, use of the Tycoon phishing kit has increased, with more than 1,100 domain names detected between the end of October 2023 and the end of February 2024. Tycoon allows cybercriminals to target Microsoft 365 users with fake login pages that capture their credentials and 2FA codes. It incorporates traffic filtering to thwart bots and analysis attempts.
Tycoon shares similarities with the Dadsec OTT phishing kit, suggesting that the developers modified the latter’s source code. They have thus improved the stealth capabilities of Tycoon, potentially reducing the detection rate by security products. Its ease of use and low price make it popular among malicious actors.
Sources: The Hacker News, BlueVoyant, Trustwave SpiderLabs