A recently identified phishing campaign uses a new loader malware to deliver the information stealer and keylogger known as Agent Tesla. Trustwave SpiderLabs reported that on March 8, 2024, it encountered a phishing email carrying this malware, disguised as a bank payment notification that entices recipients to open an attached archive file.

The file, labeled “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz,” conceals a malicious loader that executes the deployment of Agent Tesla on the infected host. Security researcher Bernard Bautista highlighted in a detailed analysis that this loader employs obfuscation techniques to avoid detection and utilizes polymorphic behavior alongside advanced decryption strategies.

The loader is noteworthy for its ability to circumvent antivirus measures and retrieve its payload through specific URLs while utilizing user agent strings and proxies to further obscure its traffic. This method of embedding malware within seemingly harmless files has become a common strategy among threat actors, effectively luring victims into activating the infection process.

This loader is developed in .NET, with Trustwave discovering two distinct variants, each utilizing different decryption techniques to access its configuration and obtain the XOR-encoded Agent Tesla payload from a remote server. To further enhance evasion of security measures, the loader is engineered to bypass the Windows Antimalware Scan Interface (AMSI), a framework that enables security solutions to detect threats across files and memory. Bautista explained that it circumvents detection by “patching the AmsiScanBuffer function, allowing it to avoid scanning of in-memory content.”
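The report says the loader fetches an XOR-encoded Agent Tesla payload and decodes it in memory. An analyst handling such a sample usually wants to recover the decoded PE without running the loader. The script below is an added example (not Trustwave's code and not the loader's): it XOR-decodes a blob and, going beyond the single case in the text, brute-forces a one-byte key by using the DOS `MZ` signature and the `PE\0\0` signature at `e_lfanew` as the oracle. The sample "PE" and the key byte `0x5a` are constructed for the demo.

```python
"""Triage helper for a single-byte XOR-encoded PE payload (added example).

The sample bytes and the key are constructed; they are not taken from the
real Agent Tesla payload or from the loader's configuration.
"""
from typing import Optional


def build_sample_pe() -> bytes:
    """Constructed minimal stand-in for a PE file: DOS header, stub, PE signature."""
    e_lfanew = 0x80
    header = b"MZ\x90\x00" + b"\x00" * 56 + e_lfanew.to_bytes(4, "little")  # 64 bytes
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    body = header + stub
    body += b"\x00" * (e_lfanew - len(body))          # pad up to e_lfanew
    body += b"PE\x00\x00" + b"\x64\x86"                # signature + machine AMD64
    return body


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (works for single- and multi-byte keys)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True when data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force a one-byte XOR key; the MZ/PE headers act as the oracle.

    Returns the key byte, or None if no key yields a plausible PE header.
    A key of 0 simply means the blob was not encoded at all.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([key]))):
            return key
    return None


# Constructed "captured" blob: the sample PE encoded with the assumed key 0x5a.
ENCODED_BLOB = xor_bytes(build_sample_pe(), b"\x5a")

if __name__ == "__main__":
    key = recover_single_byte_key(ENCODED_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    if key is not None:
        decoded = xor_bytes(ENCODED_BLOB, bytes([key]))
        print("decoded header:", decoded[:2], "pe_ok:", looks_like_pe(decoded))
```

The header oracle is deliberately strict: a candidate key must reproduce both signatures, so a stray `MZ` in random data does not produce a false hit. For multi-byte keys the same idea applies, but the search space grows, so a known-plaintext attack on the DOS stub string is the usual next step.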

The final stage of this attack involves decoding and executing Agent Tesla in memory. This enables adversaries to stealthily extract sensitive information via SMTP through a compromised email account linked to a legitimate security system provider in Turkey. Trustwave noted that this approach not only avoids detection but also provides anonymity, complicating efforts to trace the origin of the attack and reducing the necessity for establishing dedicated exfiltration channels.
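Because the exfiltration rides on ordinary SMTP to a legitimate mail provider, content-based detection has little to work with; a more reliable signal is which internal hosts originate SMTP at all. The script below is an added example, not part of the Trustwave report: it scans constructed firewall-style connection records and flags internal hosts that send SMTP or SMTPS to external addresses without being a sanctioned mail relay. The log lines, internal ranges, the relay allow-list and all IP addresses are constructed for the demo.

```python
"""Flag outbound SMTP/SMTPS from hosts that are not sanctioned mail relays.

Added example; the log format, hosts, addresses and allow-list are constructed.
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Constructed internal address space and the hosts allowed to originate SMTP.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAIL_RELAYS = {"10.0.0.25"}

# Constructed connection records: timestamp src dst dport proto
SAMPLE_LOG = """\
2024-03-08T09:12:01Z 10.0.0.25 203.0.113.10 25 tcp
2024-03-08T09:12:44Z 10.0.1.17 198.51.100.7 587 tcp
2024-03-08T09:13:02Z 10.0.1.17 198.51.100.7 587 tcp
2024-03-08T09:15:30Z 10.0.1.40 10.0.0.25 587 tcp
2024-03-08T09:16:11Z 10.0.1.17 203.0.113.55 443 tcp
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-separated record into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_internal(addr: str) -> bool:
    """Explicit prefix list rather than ip_address().is_private, which also
    classifies the RFC 5737 documentation ranges used here as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_smtp(log_text: str) -> dict:
    """Return {src_ip: [records]} for internal, non-relay hosts that connect
    to SMTP ports on external addresses."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
            continue
        if rec["src"] in MAIL_RELAYS or not is_internal(rec["src"]):
            continue
        if is_internal(rec["dst"]):
            continue  # submission to the internal relay is expected behaviour
        hits[rec["src"]].append(rec)
    return dict(hits)


if __name__ == "__main__":
    for src, recs in find_suspicious_smtp(SAMPLE_LOG).items():
        print(f"{src}: {len(recs)} direct SMTP connection(s) to external hosts")
        for r in recs:
            print(f"  {r['ts']} -> {r['dst']}:{r['dport']}")
```

The allow-list is the part that needs care in a real deployment: the rule only stays quiet if every legitimate sender (relays, ticketing systems, printers that scan-to-mail) is enumerated, so a short baselining period before alerting is worthwhile.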

According to Bautista, the loader's techniques, including patching to evade AMSI and dynamically loading its payloads, mark a significant evolution in how Agent Tesla is deployed. This evolving threat calls for vigilance from businesses and underlines the importance of robust security controls and employee training.

In related news, BlueVoyant has uncovered another phishing campaign attributed to the cybercrime group identified as TA544, which is employing encrypted PDFs disguised as legal invoices to spread the WikiLoader (also known as WailingCrab) and establish connections with command-and-control servers primarily made up of compromised WordPress sites.

Of note, TA544 also exploited a Windows security bypass vulnerability tracked as CVE-2023-36025 in November 2023 to distribute the Remcos RAT through a different loader type known as IDAT Loader. This led to the infiltration of additional systems.

The findings coincide with a rise in the use of a phishing kit named Tycoon, which Sekoia reports as one of the most prevalent adversary-in-the-middle phishing kits of recent months, with over 1,100 domain names recorded from late October 2023 to late February 2024. Tycoon targets Microsoft 365 users with counterfeit login pages designed to capture credentials and two-factor authentication codes, and has been active since at least August 2023.

The phishing kit is noteworthy for its traffic-filtering mechanisms, designed to thwart bots and analysis, which require visitors to pass a Cloudflare Turnstile challenge before being redirected to the credential-harvesting pages. Tycoon shares operational similarities with the Dadsec OTT phishing kit, whose source code was leaked in October 2023.

Sekoia indicates that the stealth improvements in Tycoon's latest version could lower detection rates by security products and make the kit more effective for malicious actors. Its combination of ease of use and low cost adds to its appeal in the ever-evolving landscape of cyber threats.