Beware: that bank payment message could be a new malware loader
Hackers are sending people a never-before-seen loader designed to drop the Agent Tesla infostealer on their devices, experts warn.
Researchers at Trustwave SpiderLabs first observed this campaign in early March 2023, with hackers sending phishing emails that purport to come from a Polish bank.
The email resembles a bank payment notification and carries an archive attachment named Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz; “dowód wpłaty” is Polish for “proof of payment”, and the “_pdf” suffix is there to make the archive pass for a document. Extracting the archive and running the executable inside launches the loader, which installs the Agent Tesla infostealer.
Keylogger, screenshot grabber, info stealer
“This loader then used obfuscation to evade detection and exploited polymorphic behavior with complex decoding methods,” researchers said. “The loader also exhibited the ability to bypass anti-virus protection and retrieved its payload using specific URLs and user agents using proxies to further obfuscate the traffic.”
The loader can also bypass the Windows Antimalware Scan Interface (AMSI), the report said, by “patching the AmsiScanBuffer feature to bypass malware scanning for contents in memory.” AmsiScanBuffer is the amsi.dll function that PowerShell, the .NET runtime and other script hosts call to have in-memory content scanned; overwriting its first bytes in the loader's own process means every scan request returns without a verdict, so decrypted payloads never reach the antivirus engine.
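Two host-side checks for that technique, added here as an example and not taken from the Trustwave report or from the loader itself: the first resolves amsi!AmsiScanBuffer in the current PowerShell process and compares its prologue against stubs that in-memory patches typically write there (the stub list is an assumption, extend it from your own samples); the second pushes Microsoft's documented AMSI test string through the engine, which a working AMSI refuses to run. The AmsiCheck namespace and the function names are mine.

```powershell
# Added example: is AMSI still intact in this PowerShell process?
# Both checks are the editor's illustration; nothing here comes from the loader.

function Test-AmsiScanBufferPrologue {
    # Resolve amsi!AmsiScanBuffer and read the first bytes of the function.
    if (-not ('AmsiCheck.Native' -as [type])) {
        Add-Type -Namespace AmsiCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
    }
    $hAmsi = [AmsiCheck.Native]::LoadLibrary('amsi.dll')
    if ($hAmsi -eq [IntPtr]::Zero) { throw 'amsi.dll could not be loaded' }
    $addr = [AmsiCheck.Native]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
    if ($addr -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer export not found' }

    $prologue = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $prologue, 0, $prologue.Length)
    $hex = ($prologue | ForEach-Object { $_.ToString('X2') }) -join ' '

    # Stubs commonly written over the prologue (assumed list):
    #   B8 57 00 07 80 C3   mov eax, 0x80070057 (E_INVALIDARG) ; ret  -> caller sees "scan failed" and carries on
    #   C3                  ret
    $knownStubs = @('B8 57 00 07 80 C3', 'C3')
    $patched = [bool]($knownStubs | Where-Object { $hex.StartsWith($_) })

    [pscustomobject]@{
        Address      = '0x{0:X}' -f $addr.ToInt64()
        Prologue     = $hex
        LooksPatched = $patched
    }
}

function Test-AmsiBlocksTestSample {
    # Microsoft's documented AMSI test string, split so that this script file
    # is not itself flagged when it is loaded; only the joined string is.
    $marker = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression ('"' + $marker + '"') | Out-Null
        return $false    # the engine ran it: nothing is scanning this process
    } catch {
        # a working AMSI makes PowerShell refuse the script with ScriptContainedMaliciousContent
        return ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*')
    }
}

Test-AmsiScanBufferPrologue
'AMSI blocks the test sample: ' + (Test-AmsiBlocksTestSample)
```

Run it from the PowerShell session you want to inspect; the test string raises a detection event in Defender just as an EICAR file does, so expect an alert. The prologue heuristic only catches the common stubs, and a loader that patches a different byte or a different AMSI function passes it while still failing the functional check, which is why the second result is the one to trust.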
Finally, once Agent Tesla has been decrypted and executed in memory, it exfiltrates the stolen data over SMTP, using a legitimate but compromised email account belonging to a Turkish security-systems vendor.
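Because the exfiltration account and its mail server are legitimate, destination reputation will not flag this traffic; the process making the SMTP connection is the signal. The following detection is an added example, not from the Trustwave report: it flags outbound connections to SMTP ports from any image that is not an approved mail client. The records are constructed to mimic Sysmon Event ID 3 (network connection) fields, the converter builds the same shape from the real event log, and the allow-list, file paths, user and IP addresses are all assumed.

```powershell
# Added example: outbound SMTP from processes that are not mail clients.
# Sample records are constructed; nothing here is taken from the campaign.

$SmtpPorts   = 25, 465, 587
$MailClients = 'outlook.exe', 'thunderbird.exe'   # assumed allow-list; tune per estate

function ConvertFrom-SysmonNetworkEvent {
    # Flatten a Sysmon Event ID 3 record (from Get-WinEvent) into the fields used below.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            UtcTime         = $d['UtcTime']
            Image           = $d['Image']
            User            = $d['User']
            Initiated       = ($d['Initiated'] -eq 'true')
            DestinationIp   = $d['DestinationIp']
            DestinationPort = [int]$d['DestinationPort']
        }
    }
}

function Find-SuspiciousSmtpEgress {
    # Outbound connection to an SMTP port from an image that is not on the mail-client list.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $exe = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        if ($Record.Initiated -and
            $SmtpPorts -contains [int]$Record.DestinationPort -and
            $MailClients -notcontains $exe) {
            $Record | Select-Object UtcTime, User, Image, DestinationIp, DestinationPort
        }
    }
}

# Constructed sample: one legitimate Outlook submission, one submission from an
# executable dropped under the user's profile, one unrelated HTTPS connection.
$SampleRecords = @(
    [pscustomobject]@{ UtcTime='2023-03-06 09:12:41'; User='CORP\jkowalski'; Initiated=$true
                       Image='C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       DestinationIp='198.51.100.10'; DestinationPort=587 }
    [pscustomobject]@{ UtcTime='2023-03-06 09:14:03'; User='CORP\jkowalski'; Initiated=$true
                       Image='C:\Users\jkowalski\AppData\Roaming\dowod\payload.exe'
                       DestinationIp='203.0.113.25'; DestinationPort=587 }
    [pscustomobject]@{ UtcTime='2023-03-06 09:14:09'; User='CORP\jkowalski'; Initiated=$true
                       Image='C:\Program Files\Mozilla Firefox\firefox.exe'
                       DestinationIp='203.0.113.80'; DestinationPort=443 }
)

$SampleRecords | Find-SuspiciousSmtpEgress | Format-Table -AutoSize
# Against the live log:
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3} |
#     ConvertFrom-SysmonNetworkEvent | Find-SuspiciousSmtpEgress
```

Only the payload.exe connection is reported. In a real estate the allow-list needs the image path as well as the name, since a dropper can call itself outlook.exe, and a second rule that pairs the hit with the preceding process-creation event (Sysmon ID 1) for the same image gives the analyst the parent process and command line in the same alert.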
Agent Tesla is a remote access Trojan (RAT) written in .NET. Various threat actor groups have been using it against Microsoft Windows victims for close to a decade. Security experts consider it versatile malware with numerous functions, from stealing information to logging keystrokes and taking screenshots.
Since its release in 2014, Agent Tesla has been updated regularly and is now offered as a service, with multiple subscription packages.
The last time we heard of Agent Tesla was last December, when Zscaler ThreatLabs observed hackers taking advantage of an old Office flaw to deploy the infostealer.
Via The Hacker News