Beware — that bank payment notice could actually be a damaging new malware

Hackers are mailing people a never-seen-before loader, designed to drop the Agent Tesla infostealer on their devices, experts have warned.

Researchers from Trustwave SpiderLabs first observed this campaign in early March 2023, detecting that hackers were sending out phishing emails impersonating a Polish bank.

The email message is seemingly a bank payment notification, and it comes with an archive file attachment, called Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz, which roughly translates to “proof of payment” - but opening the file triggers the installation of the Agent Tesla infostealer. 
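The attachment name above pairs a document hint ("_pdf") with a real archive extension (".tar.gz"), a pattern a mail gateway can flag before a user ever opens the file. The following Python is an added example, not code from the article or from Trustwave: it parses a message with the standard library and reports attachments whose filename ends in a document token but carries an archive extension. The sample message, its addresses and the attachment name (with diacritics dropped so the sample stays ASCII) are constructed for illustration.

```python
from __future__ import annotations

import email
import email.policy
import re

# Archive extensions that a genuine "proof of payment" document would not carry.
# Longer compound extensions come first so ".tar.gz" wins over ".gz".
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".zip", ".rar", ".7z", ".iso", ".gz")
# Tokens that suggest the sender wants the file read as a document.
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx"}

# Constructed sample message (not a real capture). The attachment name mirrors the
# lure's naming pattern; diacritics are dropped so the sample is plain ASCII.
SAMPLE_EML = (
    "From: payments@bank.example\r\n"
    "To: recipient@corp.example\r\n"
    "Subject: Potwierdzenie wplaty\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="sep"\r\n'
    "\r\n"
    "--sep\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Proof of payment attached.\r\n"
    "--sep\r\n"
    "Content-Type: application/gzip\r\n"
    "Content-Disposition: attachment; "
    'filename="Bank Handlowy w Warszawie - dowod wplaty_pdf.tar.gz"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "cGxhY2Vob2xkZXI=\r\n"  # placeholder payload bytes, not a real archive
    "--sep--\r\n"
)


def split_archive_ext(name: str) -> tuple[str, str]:
    """Return (stem, archive_extension); the extension is '' when the name is not an archive."""
    for ext in ARCHIVE_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)], ext
    return name, ""


def classify_filename(name: str) -> str | None:
    """Explain why a filename is suspicious, or return None when it looks ordinary."""
    stem, ext = split_archive_ext(name.lower())
    if not ext:
        return None
    # Split the stem on spaces, dots, dashes, underscores and brackets; if the last
    # token is a document type, the archive is being dressed up as that document.
    tokens = [t for t in re.split(r"[\s_\-.()\[\]]+", stem) if t]
    if tokens and tokens[-1] in DOC_TOKENS:
        return f"archive ({ext}) named as a {tokens[-1]} document"
    return None


def suspicious_attachments(raw_eml: str) -> list[tuple[str, str]]:
    """Parse an RFC 822 message and return (filename, reason) for each suspicious attachment."""
    msg = email.message_from_string(raw_eml, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_attachments(SAMPLE_EML):
        print(f"FLAG: {name!r}: {reason}")
```

A filename heuristic like this is a cheap first pass; a gateway rule would normally pair it with a check that the declared content type and the file's magic bytes agree with the extension.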

Keylogger, screenshot grabber, infostealer

"This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods," researchers said. "The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic."

The loader can also work around the Windows Antimalware Scan Interface (AMSI), it was said, by "patching the AmsiScanBuffer function to evade malware scanning of in-memory content."

Finally, once Agent Tesla is decoded and executed in memory, the attackers can pull sensitive data via SMTP, using what seems to be a legitimate, but compromised email account belonging to a security system supplier from Turkey.
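Exfiltration over SMTP through someone else's mailbox is something a network-level rule can catch, because workstations normally send mail only through the organisation's own relay; an endpoint opening SMTP connections directly to an external server is unusual on its own, regardless of which account is used. The following Python is an added example, not code from the article or from the researchers: it scans firewall-style connection logs for outbound SMTP that does not originate from an approved relay. The log format, internal ranges, relay address and sample lines are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re

SMTP_PORTS = {25, 465, 587}
# Constructed: address ranges the organisation owns and its only sanctioned mail relay.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
APPROVED_RELAYS = {ipaddress.ip_address("10.0.0.25")}

# Constructed firewall log lines (not real telemetry):
# <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2023-03-07T09:12:01Z ALLOW TCP 10.0.5.41:51234 -> 10.0.0.25:587
2023-03-07T09:12:03Z ALLOW TCP 10.0.0.25:40001 -> 198.51.100.10:25
2023-03-07T09:15:44Z ALLOW TCP 10.0.5.41:51300 -> 203.0.113.77:587
2023-03-07T09:15:45Z ALLOW TCP 10.0.5.41:51301 -> 203.0.113.77:587
2023-03-07T09:16:10Z ALLOW TCP 10.0.5.88:51400 -> 203.0.113.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True when the address falls inside one of the organisation's own ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def detect_direct_smtp(log_text: str) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for every external SMTP connection not made by an approved relay."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue  # skip lines in another format or protocol
        dport = int(m["dport"])
        if dport not in SMTP_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Mail leaving the network should only come from the relay; any other host
        # speaking SMTP to an external server deserves a look.
        if is_internal(dst) or src in APPROVED_RELAYS:
            continue
        findings.append((str(src), str(dst), dport))
    return findings


def summarize_by_source(findings: list[tuple[str, str, int]]) -> dict[str, int]:
    """Count flagged connections per source host, which is what an analyst triages first."""
    counts: dict[str, int] = {}
    for src, _dst, _port in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_direct_smtp(SAMPLE_LOG)
    for src, dst, port in hits:
        print(f"direct SMTP: {src} -> {dst}:{port}")
    print(summarize_by_source(hits))
```

In the constructed sample the relay's own outbound mail and the workstation's traffic through the relay are both ignored, while the workstation's two direct connections to an external server on port 587 are reported. Where egress filtering already blocks ports 25, 465 and 587 for everything except the relay, the same rule run over deny logs still shows which host attempted the connection.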

Agent Tesla is a remote access trojan (RAT) written in .NET. Different threat actor groups have been actively using it for a decade now, to target victims using the Microsoft Windows operating system. Security experts deem it a versatile malware with numerous features, from stealing information, to logging keystrokes, to grabbing screenshots. 

Since its release in 2014, Agent Tesla has been frequently updated, and is now being offered as a service, with multiple subscription packages. 

The last time we heard of Agent Tesla was in December last year, when Zscaler ThreatLabs observed hackers abusing an ancient Office flaw to deploy the infostealer.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.