Huis » Hoe te verwijderen » Schadelijke proces » De beroemde infostealer “Agent Tesla” heeft een ongebruikelijke druppelaar

De beroemde infostealer “Agent Tesla” heeft een ongebruikelijke druppelaar

Cisco Talos discussed a malicious campaign aimed at stealing user credentials and other important information. They reported that the Agent Tesla infostealer had an unusual dropper.

Thij malware, whose attacks began in January, uses the original bootloader to bypass anti-virus protection and inject its code into a legitimate process on an infected machine. The payload is Agent Tesla, a well-known infostealer that can steal credentials from browsers, email clients, and FTP applications.

“The adversaries use custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers”, - verslag doen van Cisco Talos specialists.

The uniqueness of the identified campaign lies in the methods used by cybercriminals to bypass security systems. The malware is delivered to the target device using a spam email, to which an archive with the ARJ extension is attached. The use of a popular packer in the 90s is dictated by the desire to make it difficult to detect malicious contentcybercriminals hope that email verification systems will not be able to process the outdated format.

The malware archive contains one executable file, which is an obfuscated Autoit script. After starting, it checks the presence of a virtual machine using a short list of processes and, if it is absent, extracts it in parts and generates a payload.

“The malware performs all operations in the device’s memory without leaving any traces on the hard disk, which makes it even more difficult to detect”, – say Cisco Talos researchers.

The installer code contains several functions that are not used in current attacks. Bijvoorbeeld, a script is able to download additional files from the Internet, as well as to work with the command line.

LEZEN  Keylogger HawkEye herboren in andere versie en opnieuw aanvallen bedrijven

At the final stage of the installation, the malware decodes the shell code, which is encrypted using the RC4 stream algorithm, and selects one of the legitimate processes for introducing the payload. This is the obfuscated version of the Agent Tesla malware that can extract information from browsers and other software.

Lees ook: Criminelen geven links naar RAT trojan in WebEx uitnodigingen

Infostealer is well known to information security specialists. Agent Tesla has been seen more than once during BEC campaigns. Afgelopen jaar, de Gold Galleon group used targeted mailings and social engineering methods to deliver malware to shipping companies’ computers. Targeted attacks using data theft programs allowed attackers to steal about $4 miljoen from transport operators with a low level of information security in six months.

[Totaal: 0    Gemiddelde: 0/5]

Over Trojan Killer

Carry Trojan Killer Portable op je memory stick. Zorg ervoor dat u in staat om uw pc te weerstaan ​​elke cyberdreigingen overal mee naar toe bent.

Controleer ook

MageCart op de Heroku Cloud Platform

Onderzoekers vonden verschillende MageCart Web Skimmers Op Heroku Cloud Platform

Onderzoekers van Malwarebytes rapporteerde over het vinden van een aantal MageCart web skimmers op de Heroku cloud-platform …

Android Spyware CallerSpy

CallerSpy spyware maskers als een Android-chat-applicatie

Trend Micro deskundigen ontdekte de malware CallerSpy, waarachter een Android chat-toepassing en, …

Laat een antwoord achter