01 Apr

Phishing Campaign Unveils Novel Loader Malware, Agent Tesla

A new phishing campaign has been identified that uses a previously unseen loader to deliver Agent Tesla, an information stealer and keylogger.

The campaign, discovered on March 8, sends phishing emails posing as bank payment notifications and urges recipients to open a malicious archive attachment named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz” (Polish for “proof of payment”; the “_pdf” in the name is a lure, since the file is a gzip-compressed tar archive, not a PDF). The archive contains the loader, which starts the Agent Tesla deployment chain. The loader retrieves its payload from specific URLs using particular user-agent strings and proxies, which obscures the download traffic and helps it slip past antivirus and network inspection.
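A mail-gateway check for the lure pattern described above, as an added example that is not code from the original report: it parses a message, pulls out attachments, and flags archives whose file name carries a document-type token (such as "_pdf") right before the real archive extension. The sample message is constructed here (not a capture), and the attachment name is an ASCII rendering of the lure's file name; the extension and token lists are assumptions to be tuned per environment.

```python
"""Triage an e-mail for archive attachments that spoof a document type.

Added example, not code from the original report. The sample message
below is constructed, and the lists of extensions and tokens are assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage

# Container/compressed extensions that commonly wrap a loader (assumed list).
ARCHIVE_EXTS = ("tar.gz", "tgz", "zip", "rar", "7z", "iso", "img", "gz")
# Document-type tokens attackers glue to the stem so the name looks benign.
SPOOFED_DOC_TOKENS = ("pdf", "docx", "doc", "xlsx", "xls", "invoice", "receipt")
_SPOOF_RE = re.compile(r"[_\-. ]?(" + "|".join(SPOOFED_DOC_TOKENS) + r")$")


def attachment_risk(filename: str) -> list:
    """Return the reasons an attachment name looks like a loader lure ([] if none)."""
    reasons = []
    name = filename.strip().lower()
    # Longest matching extension wins, so "x.tar.gz" is not mis-read as ".gz".
    ext = next((e for e in sorted(ARCHIVE_EXTS, key=len, reverse=True)
                if name.endswith("." + e)), None)
    if ext is None:
        return reasons
    reasons.append(f"archive attachment (.{ext})")
    stem = name[: -len(ext) - 1]
    # "dowod wplaty_pdf.tar.gz": a document type sits right before the real extension.
    m = _SPOOF_RE.search(stem)
    if m:
        reasons.append(f"spoofed document type '{m.group(1)}' before archive extension")
    return reasons


def triage_eml(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and score every attachment by name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject": str(msg["Subject"]), "attachments": {}}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        findings["attachments"][fname] = attachment_risk(fname)
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample mimicking the lure (ASCII rendering of the file name)."""
    msg = EmailMessage()
    msg["From"] = "payments@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Payment confirmation"
    msg.set_content("Please find the proof of payment attached.")
    # A few bytes with a gzip magic header stand in for the real archive.
    msg.add_attachment(b"\x1f\x8b\x08\x00" + b"\x00" * 12,
                       maintype="application", subtype="gzip",
                       filename="Bank Handlowy w Warszawie - dowod wplaty_pdf.tar.gz")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_eml(build_sample_eml()))
```

The name check is deliberately independent of the declared MIME type, because a gateway sees whatever Content-Type the sender chose; pair it with magic-byte inspection of the decoded payload before quarantining on name alone.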

The loader is polymorphic, uses layered decryption routines, and evades detection by patching the Windows Antimalware Scan Interface (AMSI) in the process it runs in, so that script and memory scans no longer report the payload. Agent Tesla is then executed in memory and exfiltrates stolen data over SMTP through compromised email accounts, which blends the traffic in with legitimate mail. Concurrently, another phishing campaign by the cybercriminal group TA544 was discovered distributing WikiLoader via PDFs masquerading as legal invoices.
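An integrity check for the AMSI patching mentioned above, as an added example that is not code from the original report. The report does not say which bytes the loader writes, so the stubs below are the ones seen in public AMSI-bypass write-ups (an illustrative, not exhaustive, list) and are labelled as assumptions; the check also accepts a baseline read from a clean machine running the same amsi.dll build, which catches patches the list does not know. The live read of AmsiScanBuffer only works on Windows; elsewhere the classifier can be run on bytes taken from a memory dump at the export's offset.

```python
"""Integrity check for the AmsiScanBuffer entry point.

Added example, not code from the original report. KNOWN_PATCHES is an
assumed, illustrative list of stubs described in public bypass write-ups."""
import ctypes
import sys
from typing import Optional

E_INVALIDARG = 0x80070057  # HRESULT a "patched out" AmsiScanBuffer typically returns

# Bytes a patched AmsiScanBuffer entry commonly starts with (assumed list).
KNOWN_PATCHES = {
    "mov eax, E_INVALIDARG; ret": b"\xb8" + E_INVALIDARG.to_bytes(4, "little") + b"\xc3",
    "xor eax, eax; ret": b"\x31\xc0\xc3",
    "ret": b"\xc3",
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Name the known stub the prologue starts with, or None if it matches none."""
    for label, stub in KNOWN_PATCHES.items():
        if prologue.startswith(stub):
            return label
    return None


def is_patched(prologue: bytes, baseline: Optional[bytes] = None) -> bool:
    """True if the prologue matches a known stub or differs from a trusted baseline.

    `baseline` is the first bytes of AmsiScanBuffer captured on a clean system
    with the same amsi.dll build; it detects stubs missing from KNOWN_PATCHES."""
    if classify_prologue(prologue) is not None:
        return True
    return baseline is not None and prologue[:len(baseline)] != baseline


def read_amsi_prologue(n: int = 8) -> bytes:
    """Read the first n bytes of AmsiScanBuffer in this process (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; run classify_prologue on dump bytes instead")
    k32 = ctypes.windll.kernel32
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    module = k32.LoadLibraryW("amsi.dll")
    if not module:
        raise OSError("amsi.dll could not be loaded")
    addr = k32.GetProcAddress(module, b"AmsiScanBuffer")
    if not addr:
        raise OSError("AmsiScanBuffer is not exported by this amsi.dll")
    return ctypes.string_at(addr, n)


if __name__ == "__main__":
    # Constructed sample: entry bytes after a loader overwrote the function
    # start with "mov eax, E_INVALIDARG; ret", followed by leftover bytes.
    sample = b"\xb8\x57\x00\x07\x80\xc3\x49\x89"
    print("sample:", classify_prologue(sample))
    if sys.platform == "win32":
        print("this process patched:", is_patched(read_amsi_prologue()))
```

Because the loader patches AMSI inside its own process, a check run from a separate process sees an untouched copy of amsi.dll; to inspect a suspect process, read its memory (for example with ReadProcessMemory) or a dump of it, then feed those bytes to `classify_prologue` or `is_patched` with a baseline.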

The surge in phishing-kit usage, particularly the Tycoon kit targeting Microsoft 365 users, underscores the escalating threat landscape. Separately, Finnish authorities have attributed an attack to the China-backed group APT31, drawing attention from US and UK authorities; investigations into APT31’s involvement in other cyberattacks are ongoing, and one suspect has already been identified.

The emergence of sophisticated phishing tactics, exemplified by the deployment of Agent Tesla malware, underscores the escalating cyber threat landscape, warranting heightened vigilance and proactive cybersecurity measures.
