Security experts have issued a warning about a new phishing campaign targeting individuals with a previously unseen loader designed to deploy the Agent Tesla infostealer on their devices.
The campaign, first detected by researchers from Trustwave SpiderLabs in early March 2023, involves phishing emails that impersonate a Polish bank. These emails carry a seemingly innocuous bank payment notification together with an archive attachment named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz,” in which “dowód wpłaty” means “proof of payment.” Opening the file triggers the installation of the Agent Tesla infostealer.
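The lure relies on an archive attachment whose name is dressed up as a PDF (“…_pdf.tar.gz”). The following added example, which is not from the article or from Trustwave's research, shows a mail-gateway style check that parses a message, walks its attachments and flags archive names carrying a document-type token in their stem; the sample message, sender and recipient addresses are constructed here for illustration and the heuristic is a generic one rather than a signature for this specific campaign.

```python
import re
import email
import email.policy
from email.message import EmailMessage

# Archive suffixes that a genuine bank payment notification would not normally carry.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".rar", ".7z", ".gz", ".iso")

# Document-type tokens that, when embedded in the stem of an archive name,
# suggest the name is meant to read like a document (e.g. "..._pdf.tar.gz").
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}


def deceptive_archive_name(filename):
    """Return True when an attachment name is an archive whose stem is
    dressed up as a document, as in the "dowód wpłaty_pdf.tar.gz" lure."""
    name = filename.lower()
    suffix = next((s for s in ARCHIVE_SUFFIXES if name.endswith(s)), None)
    if suffix is None:
        return False
    stem = name[: -len(suffix)]
    # Split on the separators lures typically use to glue a fake extension onto a name.
    tokens = [t for t in re.split(r"[\s._\-()]+", stem) if t]
    return any(t in DOC_TOKENS for t in tokens)


def flag_attachments(raw_bytes):
    """Parse a raw RFC 5322 message and return the attachment names that
    match the deceptive-archive heuristic (RFC 2231 encoded names are decoded
    by the email package, so Polish characters survive the round trip)."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if deceptive_archive_name(fname):
            flagged.append(fname)
    return flagged


def build_sample():
    """Constructed sample message mimicking the lure (addresses and content
    are made up for this example, not taken from a real capture)."""
    msg = EmailMessage()
    msg["From"] = "powiadomienia@example.invalid"
    msg["To"] = "odbiorca@example.invalid"
    msg["Subject"] = "Potwierdzenie płatności"
    msg.set_content("W załączeniu dowód wpłaty.")
    # A few gzip-magic bytes stand in for the real archive; no malicious content is included.
    msg.add_attachment(b"\x1f\x8b\x08\x00" + b"\x00" * 16,
                       maintype="application", subtype="gzip",
                       filename="Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz")
    # A plain PDF attachment that the heuristic should leave alone.
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="faktura.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in flag_attachments(build_sample()):
        print("suspicious attachment:", name)
```

The check is deliberately narrow: it does not open the archive, so it can run at the gateway before any content inspection, and it is meant to be one signal among several (sender reputation, attachment type policy, sandbox detonation) rather than a block rule on its own.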
According to the researchers, the loader employed obfuscation techniques to evade detection and utilized polymorphic behavior with complex decryption methods. It also demonstrated the ability to bypass antivirus defenses and retrieve its payload using specific URLs and user agents, leveraging proxies to further obscure traffic.
Furthermore, the loader was found to circumvent the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function, thus evading malware scanning of in-memory content.
Once the Agent Tesla infostealer is decoded and executed in memory, attackers can exfiltrate sensitive data via SMTP, utilizing what appears to be a legitimate but compromised email account associated with a security system supplier from Turkey.
Agent Tesla, a remote access trojan (RAT) written in .NET, has been utilized by various threat actor groups for over a decade to target victims using the Microsoft Windows operating system. Security experts describe it as a versatile malware capable of stealing information, logging keystrokes, and capturing screenshots.