A new phishing campaign has been observed using a new loader malware to deliver an information stealer and keylogger called Agent Tesla.
Trustwave SpiderLabs said it discovered a phishing email with this attack chain on March 8, 2024. The email is disguised as a bank payment notification and urges users to open archived file attachments.
The file (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) hides a malicious loader that launches a program that deploys Agent Tesla on the compromised host.
“The loader then uses obfuscation to evade detection and leverages complex decryption methods to exploit polymorphic behavior,” security researcher Bernard Bautista said in Tuesday’s analysis.
“The loader also demonstrated the ability to bypass antivirus defenses and retrieve its payload using a specific URL and user agent, leveraging proxies to further obfuscate traffic.”
The tactic of embedding malware in seemingly benign files is a tactic used repeatedly by threat actors to trick unsuspecting victims into triggering an infection sequence.
The loader used in the attack is written in .NET, and Trustwave discovered two different variants, each using a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload.
To evade detection, the loader is also designed to bypass the Windows Anti-Malware Scanning Interface (AMSI), which enables security software to scan files, memory and other data for threats.
Bautista explains that it achieves this by “patching the AmsiScanBuffer function to evade malware scanning of memory contents.”
The final stage involved decoding and executing Agent Tesla in memory, allowing the threat actor to covertly steal sensitive data via SMTP using a compromised email account (“merve@temikan”) associated with a legitimate Turkish security system vendor.[.]com[.]tr”).
Trustwave says this approach not only raises no red flags, but also provides a layer of anonymity that makes tracking attacks more difficult to trace back to an adversary, not to mention saving the effort of building a dedicated exfiltration channel.
“[The loader] “It uses methods such as patching to bypass Anti-Malware Scanning Interface (AMSI) detection and dynamically load the payload, ensuring stealth execution and minimizing traces on the disk,” Bautista said. “This loader marks a specific Significant evolution of SLA agent deployment tactics.”
This disclosure comes as BlueVoyant uncovers another phishing campaign conducted by a cybercriminal group known as TA544, which uses PDFs disguised as legitimate invoices to deliver WikiLoader (aka WailingCrab) and is associated with an almost entirely Hacked WordPress command and control (C2) servers create links to websites.
It is worth noting that TA544 also weaponized In November 2023, a Windows security bypass vulnerability tracked as CVE-2023-36025 distributed Remcos RAT through a different family of loaders called IDAT Loader, allowing it to seize control of infected systems.
The findings also showed a surge in the use of a phishing kit called Tycoon, which Sekoia said “has become one of the most widely used phishing kits.” [adversary-in-the-middle] Over the past few months, we have identified more than 1,100 domains detected between late October 2023 and late February 2024. “
Tycoon, which Trustwave publicly documented last month, allows cybercriminals to target Microsoft 365 users via fake login pages to capture their credentials, session cookies, and two-factor authentication (2FA) codes. It is understood that the service has been active since at least August 2023 and is provided through a private Telegram channel.
The phishing kit, known for employing extensive traffic filtering methods to thwart bot activity and analysis attempts, requires website visitors to complete a Cloudflare Turnstile challenge before redirecting users to a credential collection page.
Tycoon also shares operational and design similarities with the Dadsec OTT phishing kit, which increases the likelihood that developers can access and adapt the latter’s source code to suit their needs. The fact that the Dadsec OTT source code was leaked in October 2023 proves this.
“Developers have enhanced the stealth capabilities of the latest version of the phishing kit,” Sekoia said. “Recent updates may reduce security product detection rates of Tycoon 2FA phishing pages and infrastructure. Additionally, its ease of use and relatively low price make it very popular among threat actors.”
from Tech Empire Solutions https://techempiresolutions.com/new-phishing-attack-delivers-keylogger-disguised-as-bank-payment-notification/
via https://techempiresolutions.com/
No comments:
Post a Comment