March 27, 2024 at 04:09AM
A new phishing campaign discovered by Trustwave SpiderLabs involves a novel loader malware delivering Agent Tesla via a deceptive bank payment notification email. The malware evades detection and antivirus defenses, retrieves its payload using unique URLs, and exfiltrates data via legitimate email accounts. This tactic poses challenges for detection and attribution.
Key takeaways from the meeting notes on Newsroom Vulnerability / Cybercrime on Mar 27, 2024:
1. A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla. The campaign masquerades as a bank payment notification email and uses a malicious loader to trigger the deployment of Agent Tesla on the compromised host.
2. The loader uses obfuscation, polymorphic behavior, and specific URLs to bypass antivirus defenses and retrieve its payload using proxies to further obfuscate traffic.
3. The loader is written in .NET and bypasses the Windows Antimalware Scan Interface (AMSI) to ensure stealthy execution and minimize traces on disk.
4. Another phishing activity conducted by a cybercrime group leverages PDFs dressed up as legal invoices to propagate WikiLoader and establish connections with command-and-control (C2) infrastructure that consists almost exclusively of hacked WordPress sites.
5. The use of a phishing kit called Tycoon has surged, allowing cybercriminals to target users of Microsoft 365 with phony login pages to capture their credentials, session cookies, and two-factor authentication (2FA) codes.
6. Tycoon incorporates extensive traffic filtering methods to thwart bot activity and analysis attempts, and it shares design-level similarities with the Dadsec OTT phishing kit, indicating possible source code modification.
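A phishing kit that captures the session cookie issued after a successful login, as item 5 describes, lets the operator replay that session from their own machine, so the login itself looks legitimate and the one-time code has already been spent. One defender-side check is to bind each session to the client fingerprint seen at login and alert when the same session id is later used from a different client. The following is an added example, not code from the original article, from Trustwave SpiderLabs, or from any vendor's product; the log records are constructed for the example and the field names (`session`, `ip`, `ua`, `event`) are an assumed schema, not a real product's log format.

```python
"""Detect replay of a captured web session from a different client.

Added example (not from the original article or from any product): an
adversary-in-the-middle phishing kit captures the victim's session cookie
after a successful login and reuses it from the operator's own machine.
This heuristic records the client fingerprint (source IP, user agent) seen
at the login event and reports any later use of the same session id from a
client that does not match. The records below are constructed sample data
and the field names are an assumption, not any real product's schema.
"""
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample activity log (JSON lines). Session "s1" is reused from a
# second client a few minutes after it was issued; session "s2" is used normally.
SAMPLE_LOG = """\
{"ts": "2024-03-27T04:10:00Z", "event": "login", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2024-03-27T04:11:30Z", "event": "request", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2024-03-27T04:14:05Z", "event": "request", "user": "alice", "session": "s1", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2024-03-27T04:20:00Z", "event": "login", "user": "bob", "session": "s2", "ip": "192.0.2.55", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-03-27T04:25:00Z", "event": "request", "user": "bob", "session": "s2", "ip": "192.0.2.55", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines records, convert timestamps and sort chronologically."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_session_replays(records: List[dict]) -> List[Dict[str, object]]:
    """Return one alert per session later used from a client other than the login client.

    The fingerprint bound to a session is the (ip, ua) pair observed at its
    login event. The first later record for the same session id from a
    different fingerprint is reported together with the time since login, so
    an analyst can see how quickly the captured session was reused.
    """
    bound: Dict[str, dict] = {}   # session id -> login record
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for rec in records:
        sid = rec["session"]
        if rec["event"] == "login":
            bound[sid] = rec
            continue
        origin = bound.get(sid)
        if origin is None:
            continue   # no login observed for this session in the window
        same_client = rec["ip"] == origin["ip"] and rec["ua"] == origin["ua"]
        if same_client or sid in alerted:
            continue
        alerted.add(sid)
        delta = rec["ts"] - origin["ts"]
        alerts.append({
            "session": sid,
            "user": rec["user"],
            "login_ip": origin["ip"],
            "replay_ip": rec["ip"],
            "replay_ua": rec["ua"],
            "minutes_after_login": round(delta.total_seconds() / 60, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On its own a fingerprint change is noisy (roaming clients change IP, browsers update their user agent), so in practice this signal is combined with others such as the login having followed a click on a flagged link, or the new client's address belonging to hosting rather than residential space. Because the replay succeeds regardless of whether a one-time code was entered, the mitigation the kit cannot work around is phishing-resistant authentication (FIDO2/WebAuthn) bound to the legitimate origin, rather than a stronger OTP.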