Agent Tesla's New Ride: The Rise of a Novel Loader

SpiderLabs has disclosed details of a new campaign that used a novel loader to ultimately deploy Agent Tesla on targeted systems. Researchers note that they identified a phishing email on March 8, 2024, which contained a seemingly harmless archive masquerading as a legitimate payment receipt from a bank. Concealed in the archive, however, was a .NET loader capable of bypassing antivirus defenses and retrieving an encoded payload using specific URLs and user agents, leveraging proxies to further obfuscate traffic. Two variants of the loader were identified, each using a different decryption routine to retrieve its configuration and decrypt the XOR-encoded Agent Tesla payload fetched from a remote location. Once Agent Tesla is executed, actors can conduct malicious activities including keystroke logging, credential theft, and data exfiltration, which in this case is done using the Simple Mail Transfer Protocol (SMTP).

Analyst Comments:
Loaders are commonly employed in attacks because their stealthy nature lets them evade defenses and security tools and deploy malicious payloads like Agent Tesla for further operations. In the latest campaign, researchers note that before the loader initiates the retrieval of Agent Tesla, it bypasses the Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function to evade malware scanning of in-memory content. Furthermore, one of the loader variants employs an HTTP proxy server sourced from an open-source list on GitHub to initiate the download of the payload. “This approach generates numerous network packets and significant noise, potentially complicating network traffic analysis and detection efforts,” state researchers.

Another tactic highlighted in this campaign is that the actors used a compromised email account associated with a legitimate security supplier in Turkey to exfiltrate data collected by Agent Tesla. While this tactic is not novel, such methods enable actors to hide attribution.
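
The two network behaviors described above, proxy fan-out during payload retrieval and SMTP exfiltration from an endpoint, can be hunted for in flow logs. The following is an added example, not taken from the SpiderLabs report; the port sets, thresholds, hostnames and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumptions (not from the report): which ports count as proxy or SMTP traffic.
PROXY_PORTS = {1080, 3128, 8080, 8888}
SMTP_PORTS = {25, 465, 587}

# Constructed sample flows: (epoch_seconds, src_host, dst_ip, dst_port).
# Hostnames are hypothetical; addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    [(1000 + 5 * i, "ws-014", f"203.0.113.{10 + i}", 8080) for i in range(6)]
    + [(1000 + 200 * i, "ws-040", f"203.0.113.{50 + i}", 3128) for i in range(5)]
    + [
        (1040, "ws-014", "198.51.100.25", 587),  # SMTP right after the fan-out
        (1100, "ws-022", "203.0.113.10", 8080),  # single proxy connection
        (1150, "ws-031", "198.51.100.25", 587),  # SMTP only, no fan-out
        (1200, "mail-01", "198.51.100.25", 25),  # sanctioned mail relay
    ]
)

def proxy_fanout(flows, window=60, min_dsts=5):
    """Hosts that reach >= min_dsts distinct proxy-port endpoints within window seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in PROXY_PORTS:
            by_src[src].append((ts, dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_dsts:
                hits.add(src)
                break
    return hits

def smtp_from_non_mail(flows, mail_hosts):
    """Hosts outside the mail-server allowlist that open outbound SMTP sessions."""
    return {s for _, s, _, p in flows if p in SMTP_PORTS and s not in mail_hosts}

def triage(flows, mail_hosts):
    fan = proxy_fanout(flows)
    smtp = smtp_from_non_mail(flows, mail_hosts)
    return {"proxy_fanout": fan, "direct_smtp": smtp, "both": fan & smtp}

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS, {"mail-01"}))
```

Hosts in the `both` set show the combination most consistent with the described loader behavior and merit first review; either signal alone is common in benign traffic and should be tuned against a local baseline.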

Suggested Corrections:
Given that phishing is employed as an initial infection vector, organizations should train employees on various phishing techniques and hold regular tabletop exercises to increase awareness and proficiency in detecting and deterring potential attacks. In the latest campaign, actors were observed using a compromised email address to exfiltrate data, highlighting the need for users to employ strong passwords, frequently rotate credentials, and implement multi-factor authentication.