Wednesday, March 27, 2024

New Phishing Attack Spreads Keylogger via Fake Bank Payment Notice


A phishing campaign that uses a new loader to deliver the Agent Tesla information stealer and keylogger has been detected. According to Trustwave SpiderLabs, the campaign was first spotted on March 8, 2024; the lure is a bank payment notification email that urges recipients to open an attached archive file.


Inside the archive ("Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz"; "dowód wpłaty" is Polish for "proof of payment", and the "_pdf" suffix is meant to make the file pass for a PDF) is a malicious loader that deploys Agent Tesla on the victim's system. Security researcher Bernard Bautista explained that the loader relies on obfuscation, polymorphic behaviour and complex decryption routines to evade detection.


The loader, written in .NET, comes in two variants that use different decryption routines to recover their configuration and then fetch the XOR-encoded Agent Tesla payload from a remote server. To evade detection it also bypasses the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function, so that content it loads in memory is never handed to the installed antivirus for scanning.
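The XOR-encoded payload described above is the kind of blob an analyst recovers from a proxy log or from the loader's network traffic. The following added example (not Trustwave's code, nor the loader's) shows one generic way to recover a repeating XOR key from such a blob, using the fact that 0x00 is by far the most common byte in a PE image, and then to confirm that the decoded result really is a PE. The sample image, the 7-byte key and the key-length bound are constructed assumptions for the demo; the page does not give the real loader's key or encoding details, and the technique is general rather than specific to this campaign.

```python
"""
Recover a repeating-key XOR payload the way an analyst would after pulling the
encoded blob off the wire: exploit the fact that 0x00 is the most common byte
in a PE image, then confirm the result really is a PE. Added example; the
sample image and key below are constructed, not taken from the campaign.
"""
import struct
from collections import Counter


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (encoding and decoding are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (the
    32-bit offset stored at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def guess_key(blob: bytes, length: int) -> bytes:
    """For each key position i, the most frequent ciphertext byte in column i is
    assumed to be 0x00 ^ key[i], i.e. the key byte itself."""
    return bytes(Counter(blob[i::length]).most_common(1)[0][0] for i in range(length))


def recover_payload(blob: bytes, max_key_len: int = 32):
    """Try key lengths from 1 upwards and return (key, decoded) for the first
    length whose guessed key yields a PE image, or None if none does."""
    for n in range(1, min(max_key_len, len(blob)) + 1):
        key = guess_key(blob, n)
        plain = xor(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew -> 0x80, the
    usual stub string, a 'PE\\0\\0' signature, varied bytes as 'code', zero padding."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub
    return bytes(hdr) + b"PE\0\0" + bytes(range(256)) * 2 + bytes(1024)


if __name__ == "__main__":
    sample = build_sample_pe()
    key = b"\x5a\x13\xc7\x08\x99\x42\xe1"   # constructed 7-byte key, not the real one
    encoded = xor(sample, key)
    recovered = recover_payload(encoded)
    print("recovered key:", recovered[0].hex(), "PE ok:", recovered[1] == sample)
```

The zero-byte heuristic only works on data with a dominant byte value, which PE images have (section padding, zeroed fields); a blob that decodes to something compressed or a second encrypted layer will fail the `looks_like_pe` check and needs the next layer peeled by hand. The key-length loop returns the shortest length that validates, so a key that is a repetition of a shorter one is reported in its shortest form.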


Once running, Agent Tesla operates in memory and exfiltrates the data it harvests over SMTP, using a compromised email account belonging to a legitimate security-system supplier in Turkey ("merve@temikan[.]com[.]tr"). Trustwave noted that sending through a genuine account both blends in with normal mail traffic and adds a layer of anonymity for the attackers.
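Because Agent Tesla mails stolen data out through a legitimate account, the destination is an ordinary mail provider and will not appear on a reputation blocklist; what stands out is a workstation speaking SMTP to anything other than the organisation's own relay. The added example below (not Trustwave's code) runs that rule over constructed Zeek-style conn.log lines and aggregates hits per source host. The client subnet, relay address, hosts, ports and byte counts are assumptions made for the demo.

```python
"""
Detection rule for Agent Tesla-style SMTP exfiltration: outbound SMTP from a
workstation to anything other than the organisation's own mail relay. Added
example run over constructed Zeek-style conn.log lines; the client subnet,
relay address, hosts and byte counts are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}                                  # SMTP, SMTPS, submission
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]    # assumed client range
SANCTIONED_RELAYS = {ipaddress.ip_address("10.1.1.25")}      # assumed internal relay

# Constructed records. Fields (tab-separated, in this order):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes
SAMPLE_CONN_LOG = """\
1709891001.123\tCa1\t10.10.5.23\t51522\t10.1.1.25\t587\ttcp\tsmtp\t2310
1709891044.801\tCa2\t10.10.5.23\t51540\t203.0.113.40\t587\ttcp\tsmtp\t48210
1709891102.337\tCa3\t10.10.5.23\t51561\t203.0.113.40\t587\ttcp\tsmtp\t51000
1709891110.090\tCa4\t10.1.1.25\t40011\t198.51.100.9\t25\ttcp\tsmtp\t7800
1709891120.512\tCa5\t10.10.7.8\t49300\t203.0.113.77\t443\ttcp\tssl\t1200
1709891130.777\tCa6\t10.10.9.1\t49777\t198.51.100.22\t465\ttcp\tssl\t-
"""


def parse_conn_line(line: str):
    """Parse one conn.log record; return None for comments or short lines."""
    if line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 9:
        return None
    return {
        "ts": float(f[0]), "uid": f[1],
        "orig_h": ipaddress.ip_address(f[2]), "orig_p": int(f[3]),
        "resp_h": ipaddress.ip_address(f[4]), "resp_p": int(f[5]),
        "proto": f[6], "service": f[7],
        "orig_bytes": 0 if f[8] == "-" else int(f[8]),   # Zeek writes '-' when unset
    }


def is_workstation(ip) -> bool:
    return any(ip in net for net in WORKSTATION_NETS)


def is_unsanctioned_smtp(rec) -> bool:
    """Match on port, not on Zeek's 'service' label: port 465 shows up as 'ssl'."""
    return (rec["proto"] == "tcp" and rec["resp_p"] in SMTP_PORTS
            and is_workstation(rec["orig_h"])
            and rec["resp_h"] not in SANCTIONED_RELAYS)


def find_smtp_exfil(log_text: str) -> dict:
    """Return {source host: {destinations, connections, total_bytes, uids}}."""
    hits = defaultdict(lambda: {"destinations": set(), "connections": 0,
                                "total_bytes": 0, "uids": []})
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or not is_unsanctioned_smtp(rec):
            continue
        h = hits[str(rec["orig_h"])]
        h["destinations"].add(f'{rec["resp_h"]}:{rec["resp_p"]}')
        h["connections"] += 1
        h["total_bytes"] += rec["orig_bytes"]
        h["uids"].append(rec["uid"])
    return dict(hits)


if __name__ == "__main__":
    for host, info in find_smtp_exfil(SAMPLE_CONN_LOG).items():
        print(host, info["connections"], "conns,", info["total_bytes"],
              "bytes out to", sorted(info["destinations"]))
```

The traffic from the mail relay itself (10.1.1.25 to port 25) is deliberately left out: relays are expected to speak SMTP to the Internet, and a rule that fires on them only generates noise. Adding the per-host byte total matters because a stealer that sends one screenshot per minute produces many small connections, and the volume over time, not any single flow, is what makes the alert worth chasing.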


Meanwhile, BlueVoyant has uncovered another phishing campaign, run by the cybercrime group tracked as TA544, that uses PDFs disguised as legal invoices to deliver WikiLoader (aka WailingCrab). The loader then contacts command-and-control (C2) infrastructure made up largely of compromised WordPress sites.


Separately, Sekoia has observed a surge in the use of a phishing kit called Tycoon, which targets Microsoft 365 users with fake login pages to steal credentials, session cookies and two-factor authentication (2FA) codes. Capturing the session cookie and the 2FA code means a one-time passcode alone does not protect the account; only phishing-resistant methods such as FIDO2 security keys do. Tycoon incorporates extensive traffic-filtering and shares similarities with the Dadsec OTT phishing kit, suggesting source-code reuse.


Overall, these findings underscore the evolving tactics employed by cybercriminals to orchestrate phishing campaigns and distribute malware, emphasizing the importance of robust cybersecurity measures to mitigate such threats.

via HackerNews
