A recent phishing campaign has surfaced, deploying a novel loader malware to distribute an information stealer and keylogger known as Agent Tesla, according to Trustwave SpiderLabs.
The attack was first detected on March 8, with phishing emails posing as bank payment notifications prompting recipients to open a malicious archive file attachment.
The next time you receive a bank payment notice, scrutinize it well and verify its legitimacy. Your precious files might be in danger in case it have a malware loader.
Researchers Unveiled Ingenious Tactics Behind This Keylogger
The deceptive archive file, titled "Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz," harbors the malicious loader, which initiates the deployment process for Agent Tesla upon activation. Notably, the loader demonstrates the capability to circumvent antivirus defenses, retrieving its payload via specific URLs and user agents that utilize proxies to obfuscate traffic.
"This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods," security researcher Bernard Bautista said in a Tuesday analysis.
Related Article : Hackers Exploit Sneaky Keylogger Vulnerability on iOS to Spy Through Your Keyboard
Sophisticated Loader Operation
Developed in .NET, the loader exhibits two distinct variants, each employing different decryption routines to access configuration data and fetch the XOR-encoded Agent Tesla payload from a remote server. Additionally, to evade detection, the loader evades the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function, thereby avoiding malware scanning of in-memory content.
Execution and Data Exfiltration
Upon successful decoding, Agent Tesla is executed in memory, enabling threat actors to covertly exfiltrate sensitive data via SMTP using compromised email accounts associated with legitimate security system suppliers.
According to The Hacker News, the approach ensures stealthy execution while enhancing anonymity, making it challenging to trace the attack back to the perpetrators.
When One Phishing Campaign is Not Enough
The disclosure coincides with BlueVoyant's discovery of another phishing campaign orchestrated by cybercriminal group TA544, utilizing PDFs masquerading as legal invoices to disseminate WikiLoader and establish connections with command-and-control servers predominantly hosted on compromised WordPress sites.
Furthermore, the surge in phishing kit usage, notably Tycoon, underscores the escalating threat landscape. Tycoon, a popular adversary-in-the-middle phishing kit, targets Microsoft 365 users with counterfeit login pages to harvest credentials and two-factor authentication codes.
With extensive traffic filtering mechanisms and enhanced stealth capabilities, Tycoon poses a significant risk to cybersecurity.
In another cybersecurity report by Tech Times, Finland verified the origin of the group behind the attack on March 21.
According to the Finnish police, the hackers are backed by China. It's also under the radar of the two superpowers: the United States and the United Kingdom.
The authorities said that as of now, the investigation is underway. They aimed to identify the involvement of APT31 in other cyberattacks. Right now, one suspect has already been identified.
Read Also : Hackers Target Gmail, Microsoft Accounts by Bypassing 2FA Protection in Phishing Platforms