A recent discovery by Trustwave SpiderLabs exposes a sophisticated phishing campaign deploying a novel loader malware to distribute Agent Tesla, a potent information stealer and keylogger. The attack, discovered on March 8, 2024, masquerades as a bank payment notification, luring victims into opening an archive attachment harboring the malicious payload. Employing obfuscation techniques and polymorphic behavior, the loader bypasses antivirus defenses to activate Agent Tesla stealthily on compromised systems, marking a significant advancement in cyber adversaries’ evasion tactics.
The loader, written in .NET, manifests two distinct variants, each utilizing different decryption routines to access configuration data and retrieve the XOR-encoded Agent Tesla payload. Evading detection further, the loader circumvents the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function, ensuring undetected execution. Upon activation, Agent Tesla operates surreptitiously in memory, enabling threat actors to clandestinely exfiltrate sensitive data via SMTP, leveraging compromised email accounts for anonymity.
Meanwhile, another cybercrime group identified as TA544 leverages PDFs disguised as legal invoices to propagate WikiLoader, establishing connections with command-and-control servers predominantly hosted on hacked WordPress sites. Notably, TA544 previously exploited a Windows security bypass flaw to distribute Remcos RAT via a loader family named IDAT Loader. These findings highlight a growing trend in sophisticated phishing activities and underline the need for heightened cybersecurity measures to thwart evolving threats effectively.
