New Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla
Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect yourself from this and other malware attacks.
FortiGuard Labs has discovered a phishing campaign targeting Spanish-speaking individuals to spread a new Agent Tesla malware variant. The campaign uses various techniques to target Windows-based systems and deliver the core module, including MS Office vulnerabilities, JavaScript code, PowerShell code, and fileless modules, wrote FortiGuard Labs’ researcher Xiapeng Zhang in their report.
**Here is how the attack works:**
A Spanish-language phishing email posing as a SWIFT transfer notification from a large financial institution is sent to MS Windows users. The email, translated into English, appears to be a message with a disguised Excel attachment in OLE format with crafted embedded data that exploits the CVE-2017-0199 vulnerability.
The attachment contains an embedded OLE hyperlink, opened automatically once the victim starts the Excel file. Later, it automatically downloads an RTF document, which is opened by the Word program.
The phishing email and the embedded OLE hyperlink to an online RTF document (Credit: FortiGuard Labs)
Another vulnerability exploited in this attack is CVE-2017-11882, a Remote Code Execution vulnerability in Microsoft Office’s Equation Editor component, which allows attackers to execute arbitrary code on a victim’s computer by overwriting a return address on the stack.
This Agent Tesla variant is a powerful, versatile 32-bit, .NET-based Remote Access Trojan (RAT) granting attackers complete control over infected devices. Once installed, it can steal sensitive information from 80 software applications, focusing on login credentials, banking details, and email contacts.
Additionally, it checks whether the email client is Thunderbird and harvests cookies from a wide range of web browsers (both Chromium-based and Mozilla-based), system clipboard data, the computer name, OS/CPU/RAM information, and saved credentials. It can also spy on the victim by capturing keystrokes and screenshots. The malware is assigned a critical severity level.
As per the report published by FortiGuard Labs, the Agent Tesla core module is a fileless module that malicious JavaScript, carrying base64-encoded PowerShell code, downloads as if it were an ordinary JPG file from this URL:
uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778.
This module is never saved in the local folder, making it difficult for researchers to detect. Surprisingly, this variant uses FTP protocol for data submission, unlike past variants that used HTTP POST and SMTP protocols.
Moreover, it “detects whether it’s running in an analysis environment, like sandboxes, virtual machines, etc., or where there is AV software running, like Avast, Comodo, etc.,” Zhang noted.
To stay protected, be cautious of phishing emails, update the operating system regularly, use strong passwords, and invest in reputable anti-malware solutions.