Zscaler ThreatLabz researchers discovered that the Agent Tesla remote access trojan is being spread using Quantum Builder in a new malware campaign involving LNK files, The Hacker News reports.
The attack begins with spear-phishing emails purporting to come from a Chinese sugar supplier. Their GZIP attachment eventually triggers the launch of a remote HTML application, and the HTA file in turn decrypts and executes a separate PowerShell script that retrieves Agent Tesla, the report showed. A second variant of the infection sequence, which uses a ZIP rather than a GZIP file, was found to use more obfuscation techniques to conceal malicious activity.
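As an added example (not code from the Zscaler report or the article), the following Python check parses the StringData fields of a Windows shortcut and flags .lnk files whose relative path or arguments launch a script host such as mshta or powershell with a URL or encoded command, the pattern the LNK stage of this chain relies on. It skips the LinkTargetIDList, so it assumes the shortcut carries a RelativePath; the fixture builder, its bytes and the example.invalid URL are constructed for testing.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (flags live at offset 0x14).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script hosts used in the described chain: mshta for the remote .hta, powershell for stage 2.
SUSPICIOUS_HOSTS = ("mshta", "powershell", "pwsh", "wscript", "cscript")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, or {} if the bytes are not a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return {}
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList (size field excludes itself)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & flag:                       # each field: CountCharacters (u16) then the chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out


def lnk_is_suspicious(data: bytes) -> bool:
    """Flag a shortcut that points a script host at a URL or an encoded PowerShell command."""
    s = parse_lnk_strings(data)
    target = s.get("relative_path", "").lower()
    args = s.get("arguments", "").lower()
    launcher = any(h in target or h in args for h in SUSPICIOUS_HOSTS)
    payload = "http" in args or "-enc" in args or "frombase64string" in args
    return launcher and payload


def build_lnk(rel_path: str, args: str) -> bytes:
    """Constructed test fixture: a minimal LNK with only RelativePath and Arguments set."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (76 - len(header))    # remaining header fields zeroed
    body = b""
    for s in (rel_path, args):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Real shortcuts usually carry the true target in the LinkTargetIDList rather than RelativePath, so a production check should also walk the IDList and the ExtraData blocks.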
"Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations," said researchers.