Summary:
The CERT-AGID has reported a recent malware campaign that initially failed due to a missing activation string in the malicious email attachments. After revising their strategy, the attackers successfully deployed AgentTesla, a well-known infostealer, utilizing advanced encryption techniques to evade detection. The campaign highlights the challenges in malware deployment and the importance of proper integration of tools.
#MalwareCampaign #AgentTesla #CyberThreats
Keypoints:
- The CERT-AGID has previously recorded malware-laden emails with faulty activation mechanisms.
- Some attackers fail to properly integrate purchased tooling, such as Malware-as-a-Service (MaaS) offerings.
- A recent malicious campaign involved an email attachment that did not activate due to a missing delimiter string.
- The attackers revised their strategy and successfully deployed functional malware.
- The analyzed malware sample was a .NET file encrypted with AES, using a specific delimiter for key extraction.
- CyberChef was used to decrypt the strings and recover the executable, which was identified as AgentTesla.
- AgentTesla is a prevalent infostealer in Italy, known for frequently changing its loader and employing advanced encryption techniques.
- Indicators of Compromise (IoC) related to this campaign have been shared with accredited organizations.
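As an added example (not CERT-AGID's tooling and not the malware's own code), the following Go program shows the defender-side recovery step implied by the keypoints above: split the embedded blob on the delimiter, take the key from the piece in front of the AES-encrypted body, decrypt, and accept the result only if it is a PE image. The layout delimiter + key + delimiter + IV + delimiter + ciphertext, AES-CBC with PKCS#7 padding, and the delimiter `<DELIM>` are assumptions for the demonstration, not details taken from the report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Delimiter is a constructed placeholder, not the campaign's real string.
var Delimiter = []byte("<DELIM>")

// ExtractPayload assumes the blob is laid out as
// delim + key + delim + iv + delim + ciphertext (AES-CBC, PKCS#7 padding) and
// returns the plaintext only if it carries the "MZ" PE signature, so a wrong
// delimiter or key is reported instead of silently yielding garbage.
func ExtractPayload(blob []byte) ([]byte, error) {
	parts := bytes.SplitN(blob, Delimiter, 4) // SplitN keeps delimiter bytes that occur inside the ciphertext
	if len(parts) != 4 || len(parts[0]) != 0 {
		return nil, errors.New("blob does not match the delimiter layout")
	}
	key, iv, ct := parts[1], parts[2], parts[3]
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad IV or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key, IV or delimiter")
	}
	pt = pt[:len(pt)-pad]
	if !bytes.HasPrefix(pt, []byte("MZ")) {
		return nil, errors.New("decrypted data is not a PE image")
	}
	return pt, nil
}

// BuildSample wraps a plaintext in the same layout; it exists only to construct sample input (key must be a valid AES key).
func BuildSample(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return bytes.Join([][]byte{nil, key, iv, ct}, Delimiter)
}
```

Feed `ExtractPayload` the bytes between the delimiters carved from a sample; `BuildSample` only constructs input for trying the extractor offline.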
MITRE Techniques:
- Execution (T1203): Exploits vulnerabilities in software to execute malicious code via email attachments.
- Credential Dumping (T1003): Extracts credentials from the infected system to facilitate further attacks.
- Obfuscated Files or Information (T1027): Uses encryption and obfuscation techniques to hide the true nature of the malware.
- Command and Control (T1071): Establishes communication with compromised systems to receive commands and exfiltrate data.
IoC:
- [file name] AgentTesla
- [tool name] CyberChef
- [others] FjDyD6U
- [others] X8mnGBm