A brand new phishing marketing campaign has been noticed leveraging a novel loader malware to ship an data stealer and keylogger referred to as Agent Tesla.
Trustwave SpiderLabs stated it recognized a phishing e-mail bearing this assault chain on March 8, 2024. The message masquerades as a financial institution fee notification, urging the person to open an archive file attachment.
The archive (“Financial institution Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) conceals a malicious loader that prompts the process to deploy Agent Tesla on the compromised host.
“This loader then used obfuscation to evade detection and leveraged polymorphic conduct with advanced decryption strategies,” safety researcher Bernard Bautista stated in a Tuesday evaluation.
“The loader additionally exhibited the potential to bypass antivirus defenses and retrieved its payload utilizing particular URLs and person brokers leveraging proxies to additional obfuscate visitors.”
The tactic of embedding malware inside seemingly benign recordsdata is a tactic that has been repeatedly employed by menace actors to trick unsuspecting victims into triggering the an infection sequence.
The loader used within the assault is written in .NET, with Trustwave discovering two distinct variants that every make use of a distinct decryption routine to entry its configuration and finally retrieve the XOR-encoded Agent Tesla payload from a distant server.
In an effort to evade detection, the loader can also be designed to bypass the Home windows Antimalware Scan Interface (AMSI), which presents the flexibility for safety software program to scan recordsdata, reminiscence, and different information for threats.
It achieves this by “patching the AmsiScanBuffer operate to evade malware scanning of in-memory content material,” Bautista defined.
The final part entails decoding and executing Agent Tesla in reminiscence, permitting the menace actors to stealthily exfiltrate delicate information by way of SMTP utilizing a compromised e-mail account related to a respectable safety system provider in Turkey (“merve@temikan[.]com[.]tr”).
The strategy, Trustwave stated, not solely doesn’t increase any crimson flags, but additionally affords a layer of anonymity that makes it more durable to hint the assault again to the adversary, to not point out save the trouble of getting to arrange devoted exfiltration channels.
“[The loader] employs strategies like patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, making certain stealthy execution and minimizing traces on disk,” Bautista stated. “This loader marks a notable evolution within the deployment techniques of Agent Tesla.”
The disclosure comes as BlueVoyant uncovered one other phishing exercise carried out by a cybercrime group referred to as TA544 that leverages PDFs dressed up as authorized invoices to propagate WikiLoader (aka WailingCrab) and set up connections with a command-and-control (C2) server that just about completely encompasses hacked WordPress websites.
It is value noting that TA544 additionally weaponized a Home windows safety bypass flaw tracked as CVE-2023-36025 in November 2023 to distribute Remcos RAT by way of a distinct loader household dubbed IDAT Loader, permitting it to grab management of contaminated methods.
The findings additionally comply with a surge in using a phishing equipment referred to as Tycoon, which Sekoia stated has “turn into probably the most widespread [adversary-in-the-middle] phishing kits over the previous few months, with greater than 1,100 domains detected between late October 2023 and late February 2024.”
Tycoon, publicly documented by Trustwave final month, permits cyber criminals to focus on customers of Microsoft 365 with phony login pages to seize their credentials, session cookies, and two-factor authentication (2FA) codes. It is identified to be lively since a minimum of August 2023, with the service provided by way of personal Telegram channels.
The phishing equipment is notable for incorporating intensive visitors filtering strategies to thwart bot exercise and evaluation makes an attempt, requiring web site guests to finish a Cloudflare Turnstile problem earlier than redirecting customers to a credential harvesting web page.
Tycoon additionally shares operational and design-level similarities with the Dadsec OTT phishing equipment, elevating the chance that the builders had entry to and tweaked the supply code of the latter to swimsuit their wants. That is supported by the truth that Dadsec OTT had its supply code leaked in October 2023.
“The developer enhanced stealth capabilities in the latest model of the phishing equipment,” Sekoia stated. “The latest updates may cut back the detection charge by safety merchandise of the Tycoon 2FA phishing pages and the infrastructure. Moreover, its ease of use and its comparatively low value make it fairly widespread amongst menace actors.”
