A hacker wearing gloves and a mask is stealing a credit card by breaking into a laptop.

New Phishing Campaign Spreading Agent Tesla Keylogger

A new phishing campaign has come to light, showing advanced cyber techniques. This campaign uses a novel loader malware to distribute the notorious information stealer and keylogger known as Agent Tesla.

Trustwave SpiderLabs discovered a phishing scheme on March 8, 2024 that tricked users into opening malicious attachments. These emails appear to be bank payment notifications, but they contain archive files (.zip,.rar) that can be used to steal personal information.

The email looks like a notification of a bank payment. It has an attachment called “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz,” which means “proof of payment”. Opening this file installs the Agent Tesla infostealer.

Threat actors often use the technique of embedding malware into files that appear to be harmless. Its goal is to mislead vulnerable individuals into starting the infection process.

Trustwave, a cybersecurity organisation, identified two different versions of this loader. Each variation has a unique decryption technique to access its settings.

A phishing email that seems to be a bank payment notice and includes an encoded loader as an archive file attachment is the first step in the infection process. This loader uses polymorphic behaviour, which combines complex decryption algorithms with obfuscation strategies to bypass detection.

Transfer of Loader via Phishing Email Starts Agent Tesla Infostealer
Transfer of Loader via Phishing Email Starts Agent Tesla Infostealer (Trustwave)

The loader demonstrates its ability to bypass security measures. It retrieves its payload via specific URLs and user agents, utilising proxies to conceal traffic. Once executed, the payload—the Agent Tesla infostealer—operates silently in memory. It leverages compromised email accounts to discreetly collect and transmit data over SMTP.

The loader’s architecture aims to avoid detection by avoiding the Windows Antimalware Scan Interface (AMSI). AMSI enables security software to scan files, memory, and other data for possible threats.

According to Trustwave, this method not only avoids generating warning lights, but it also adds an extra layer of anonymity, making it more difficult to track the attack back to its source. It also removes the need for dedicated exfiltration pathways, which saves time and effort.

Uncovering the Multi-Level Cyber Phishing Campaign’s Techniques: From Tycoon Kits to Remcos RAT

The disclosure comes at the same time as BlueVoyant uncovered a phishing campaign run by cybercriminal organisation TA544. To spread the WikiLoader and create links with command-and-control servers, they are utilising PDFs that seem like official bills. WordPress websites that have been hacked are the primary host for these servers.

In November 2023, TA544 exploited a Windows security bypass vulnerability known as CVE-2023-36025. Attackers deployed the Remcos RAT using a separate loader type known as IDAT Loader by taking advantage of this vulnerability. This enabled them to take control of the compromised systems.

The results align with a significant rise in the use of a phishing kit called Tycoon. With over 1,100 identified domain names between late October 2023 and late February 2024, Tycoon has become one of the most well-known phishing kits in recent months, claims Sekoia.

The phishing kit stands out for its advanced traffic filtering techniques designed to prevent bot activity and analysis. It invites site visitors to complete a Cloudflare Turnstile challenge before sending them to a page where their credentials are captured.

Sekoia said that in the most recent release of the phishing kit features enhanced stealth characteristics. These enhancements could make Tycoon 2FA phishing sites and infrastructure more challenging to detect by security tools. Additionally, its affordability and user-friendly interface enhance its appeal to threat actors.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.

Recent posts