A sophisticated phishing campaign has recently been uncovered, delivering the notorious Agent Tesla malware through a cleverly designed multi-phase attack that leaves minimal traces on targeted systems. Leveraging business-themed phishing emails and advanced evasion techniques, this campaign underscores the evolving threat posed by commercially available malware in the hands of adept cybercriminals.
Phishing Tactics and Malware Delivery
The attackers are utilizing emails that mimic business communications, embedding obfuscated scripts and executing them directly in memory to extract sensitive information from Windows users. This approach allows the malware to bypass many security tools, highlighting the danger of commercially available malware when utilized by skilled individuals.
Agent Tesla, a malware-as-a-service offering, has been a favorite among cybercriminals since its emergence in 2014. Its ability to steal browser credentials, track keystrokes, and access email account details makes it a formidable tool. Despite being well-known, its delivery mechanisms continue to evolve, keeping it one step ahead of traditional security measures.
Complex Attack Chain and Evasion Techniques
Researchers from Fortinet have documented this campaign, pointing out that the true threat lies not in the malware itself, but in the sophisticated delivery pipeline crafted to deploy it. The attack chain is meticulously designed to evade detection at multiple stages, from the initial phishing email to the final payload executing entirely in memory.
The operation begins with a phishing email masquerading as a business inquiry, featuring subject lines such as “New Purchase Order PO0172.” The email includes a RAR file attachment containing an obfuscated JScript Encoded file. This method circumvents email filters that typically block executable files, allowing the attack to proceed automatically once the attachment is opened by the user.
Memory-Only Execution and Anti-Analysis Measures
A standout feature of this attack is its ability to transition from a simple script to an active payload without writing anything to the disk. The JSE file fetches an encrypted PowerShell script from catbox[.]moe, which uses a custom AES-CBC decryption routine to decrypt subsequent stages directly in memory.
The PowerShell script then performs process hollowing on the aspnet_compiler.exe process, injecting the Agent Tesla payload into it. This tactic, combined with anti-analysis measures like checking for virtual environments and specific DLL files, ensures the malware remains undetected by traditional security solutions.
To counter such threats, security teams should block script-based email attachments and enforce PowerShell execution policies. Tools capable of detecting memory-based injection and process hollowing are crucial, as is monitoring outbound SMTP traffic for signs of data exfiltration. Regular employee training on phishing awareness remains a vital defense against such social engineering attacks.
