Threat actors have launched a new phishing campaign using fraudulent bank payment notifications to facilitate the deployment of the Agent Tesla information-stealing and keylogging malware, The Hacker News reports.
Attacks involved fake bank payment emails carrying an attached archive file which, when opened, triggered a malicious .NET-based loader that evades the Windows Antimalware Scan Interface while executing Agent Tesla, according to a report from Trustwave SpiderLabs.
"[The loader] employs methods like patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, ensuring stealthy execution and minimizing traces on disk. This loader marks a notable evolution in the deployment tactics of Agent Tesla," said Trustwave researcher Bernard Bautista.
Such a development follows a BlueVoyant report detailing TA544's exploitation of PDF documents to distribute WikiLoader malware, also known as WailingCrab, as well as a Sekoia report noting the increased utilization of the Tycoon phishing kit in adversary-in-the-middle attacks.