HackRead: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs https://www.hackread.com/agent-tesla-variant-excel-exploit-windows-pc/ #Vulnerability #AgentTesla #Microsoft #Security #Phishing #security #Malware #Windows #Scam
#vulnerability #agenttesla #microsoft #security #phishing #malware #windows #scam
📬 Malware threats in 2023: Qbot unchallenged in first place
#ITSicherheit #Malware #AgentTesla #CheckPointSoftware #DirectoryTraversal #log4j #NanoCore #Qakbot #RemoteCodeExecution #RemoteAccessTrojaner https://tarnkappe.info/artikel/it-sicherheit/malware/malware-gefahren-im-jahr-2023-qbot-unangefochten-auf-platz-eins-275138.html
#RemoteAccessTrojaner #remotecodeexecution #qakbot #nanocore #log4j #directorytraversal #checkpointsoftware #agenttesla #malware #itsicherheit
CyberChef pro tip for decimal-obfuscated links:
http:// OOOW3OOOOOOO233OOOOOO23OO33B2OB32O32O32B3O23BO33O3S0DFSDF0X000F0SD0000WLLL21LLLLL222LLLLL3333LELLL@3324948138/bg...................................doc
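The trick in the link above is that everything before the "@" is URL userinfo that a browser ignores; the real host is the decimal integer after it. Added example (not from the original post): a small Python decoder that strips the decoy userinfo and turns a decimal or hex host into dotted-quad form; the sample URL is constructed from the post's link with the junk shortened.

```python
"""Decode a userinfo-decoy, integer-obfuscated URL host (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample modelled on the post's link: spaces removed and the
# long junk "userinfo" shortened. The browser drops everything up to "@".
SAMPLE_URL = "http://OOOW3OOOOOOO233OOOOOO23OO33B2O@3324948138/bg.doc"


def _int_host_to_ip(host: str):
    """Return dotted-quad for a decimal or 0x-hex host, else None."""
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host)
        else:
            return None
        return str(ipaddress.IPv4Address(value))  # raises if > 2**32-1
    except (ValueError, ipaddress.AddressValueError):
        return None


def decode_obfuscated_host(url: str) -> dict:
    """Split off decoy userinfo and resolve an integer host to an IPv4."""
    parts = urlsplit(url.strip())
    decoy, _, hostport = parts.netloc.rpartition("@")
    host = hostport.split(":", 1)[0]
    ip = _int_host_to_ip(host)
    return {
        "decoy_userinfo": decoy,          # junk shown to the victim
        "raw_host": host,                 # what the browser connects to
        "resolved_host": ip or host,      # dotted quad when decodable
        "path": parts.path,
    }
```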
Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader
You can recognize ARJ archives by their Magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264
As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe
IoC for those playing along at home:
#malware #arj #agenttesla #formbook #GuLoader #lokibot #doubleextension #infosec #cybersecurity #blueteam
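Added example (not the poster's code): a Python triage helper that identifies an attachment by its magic bytes rather than its name, using the ARJ header ID 60 EA from the post, and flags the .pdf.exe style double-extension lure. The magic table beyond ARJ and the sample bytes and filenames are constructed for the example.

```python
"""Magic-byte type check plus double-extension lure detection (added example)."""
from pathlib import PurePosixPath

# Signatures at offset 0. ARJ's 60 EA is from the post; the rest are
# well-known values added here for comparison.
MAGIC = {
    b"\x60\xea": "arj",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
# Final extensions that execute, and "decoy" extensions used to lull the victim.
EXECUTABLE_FINAL = {".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".eml"}

# Constructed sample: an ARJ header ID followed by padding.
SAMPLE_ARJ = b"\x60\xea" + b"\x00" * 30


def identify(data: bytes) -> str:
    """Return the container type by magic, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_double_extension_lure(name: str) -> bool:
    """True for names like report.PDF.exe: decoy ext followed by an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in EXECUTABLE_FINAL
        and suffixes[-2] in DECOY_EXT
    )


def triage(name: str, data: bytes) -> dict:
    """Combine both checks; mismatch means the extension lies about the content."""
    kind = identify(data)
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    return {
        "type": kind,
        "extension_mismatch": kind != "unknown" and ext != kind,
        "double_extension_lure": is_double_extension_lure(name),
    }
```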
#PureCrypter used to deliver #AgentTesla to govt organizations
https://securityaffairs.com/142749/hacking/purecrypter-deliver-agenttesla.html
#securityaffairs #hacking #malware
#purecrypter #agenttesla #securityaffairs #hacking #malware
Hrmm...don't recall #agenttesla using webhooks on discord before..
https://app.any.run/tasks/123a8b5b-3004-488e-8dd8-a82aebeadf5d
#AgentTesla
-> documents2435466.iso
->documents2435466.exe
66b45476e26891255cb747a1c470d1ac
Quick Tip 🛠️: Threat Actors like to use archiving tools for #malware delivery to avoid #detection and reduce file size. Today we spotted a .ace Archive containing #Formbook #infostealer. This technique is not new and also occasionally used for #AgentTesla, #RedLine etc.
ACE is a proprietary, legacy compression format. Unpacking these archives is dependent on the ACE version, e.g. "unace" v1.2 cannot handle ACE 2.0. We recommend https://github.com/droe/acefile by @droe if you ever come across such a file (screenshots see below).
FormBook #IoC
#malware #detection #formbook #infostealer #agenttesla #redline #ioc
#AgentTesla
43723dfa8e7a99421cb5d50cf28c86a5
-> Action Required - SIEMENS Energy -PO- 216238068.msg
-> 2023 SIEMENS Energy -PO- 216238068 DOC .zip
->2023 SIEMENS Energy -PO- 216238068 DOC.exe
#AgentTesla #RAT #Ransomware campaign: the download file is doubly compressed and larger than the size allowed by the #sandbox
IOC hxxps://www/.mediafire/.com/file/166zplwbg6s85dk/Inquiry+for+Uzbekistan+Customers.tgz/file
https://www.joesandbox.com/analysis/1149532
#agenttesla #rat #ransomware #sandbox
@malware_traffic Thx. Working on my PE reversing skills. Apparently #AgentTesla is .NET. dnSpy seems pretty straightforward to reverse this sample. You can see the URL that it'll reach out to and what string it uses to XOR the payload with.
#agenttesla #reverseengineering
I forgot #AgentTesla apparently stopped a while back, and one of the new Agent Tesla variants is called #OriginLogger.
I wrote a Unit42 tweet about this traffic, now posted at: https://twitter.com/Unit42_Intel/status/1611379660029366273
#pcap of the infection traffic, sanitized copy of the email, associated malware, and IOCs are now available at: https://www.malware-traffic-analysis.net/2023/01/05/index.html
#agenttesla #originlogger #pcap
2023-01-05 (Thursday) - malspam pushing #AgentTesla
email --> attached .iso image --> extracted .exe --> guloader-style traffic --> Agent Tesla email data exfiltration
Email available at: https://app.any.run/tasks/e906d78f-156e-498d-9a3b-79956d87e4d6
ISO available at: https://app.any.run/tasks/f66ff4ba-a97c-4ab4-bc11-b7030d85c4e1
Analysis of EXE available at: https://tria.ge/230105-28w1gsdf29
This is a #guloader-style EXE that loads an XOR-encoded binary from hxxp://savory.com[.]bd/sav/Ztvfo.png every time the infected host is logged in or rebooted.
Analysis of decoded DLL from savory.com[.]bd available at: https://tria.ge/230105-3xms4shc6s
#agenttesla
HIRE PAYMENT FOR DECEMBER 2023.msg -> Swift Copy. zip -> Swift Copy.exe
5a4a1e69a0109e2cecc4327eb9ca3eef
2023-01-02 (Monday): from info I posted at https://twitter.com/malware_traffic/status/1609964048824647681
This is the first malware sample I've looked into for 2023!
#SnakeTracker sample at https://bazaar.abuse.ch/sample/c0e8dcf4096de51fec0709a1e6778923be7f5320389e38cf6b93965ef4daa904
Interesting (to me) data exfiltration over SMTP, similar to what I've seen before with #AgentTesla, but this looks specific to the #SnakeTracker family.
Malware Bazaar tagged this as #SnakeKeyLogger, but I didn't let this run long enough to get any actual keylogging. Based on what I'm seeing, it calls itself "Snake Tracker" instead of Snake Key Logger.
#snaketracker #agenttesla #snakekeylogger