Keypoints
- AgentTesla operators have intensified malspam in Italy, favoring PDF attachments as the initial lure.
- PDFs display a fake error prompting the user to click a “Reload” control, which triggers a link to download a malicious JavaScript file.
- The downloaded file uses a deceptive double extension (e.g., “filename.pdf . . . .js”): the run of spaces and dots pushes the real .js extension out of view in a file listing, so the file passes as a PDF.
- Obfuscated JavaScript downloads and executes a PowerShell script hosted on a Bitbucket repository, which decodes binary data into the AgentTesla executable.
- The AgentTesla payload is decoded and executed directly in memory rather than written to disk, so file-based scanning never sees the binary and fewer forensic artifacts remain on the host.
- Extracted credentials and system information are sent to a Telegram bot for exfiltration and remote access by operators or buyers.
- Targeted data sources include many browsers, email clients, FTP clients, instant messaging apps, and password managers.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – PDF malspam used as the initial delivery: ‘AgentTesla operators have strengthened their malspam campaigns in Italy… greater use of PDF attachments.’
- [T1566.002] Phishing: Spearphishing Link – PDF contains links that initiate payload download: ‘These documents contain links that, once used, initiate the download of files with malicious JavaScript code.’
- [T1059.007] Command and Scripting Interpreter: JavaScript, and [T1059.001] PowerShell – Obfuscated JavaScript fetches and runs a PowerShell script: ‘The deliberately obfuscated JavaScript code aims to download and execute a PowerShell script…’
- [T1105] Ingress Tool Transfer – Downloading the PowerShell script from an online repository: ‘…taken from a Bitbucket repository.’
- [T1027] Obfuscated Files or Information – Obfuscation used to hide payload intent and binary contents: ‘The deliberately obfuscated JavaScript code…’
- [T1620] Reflective Code Loading – The binary decoded by the script is not written to disk but executed in memory: ‘The binary generated by the PowerShell script is not saved to disk but is instead loaded and executed directly in memory.’ (The report describes no injection into another process, so T1055 Process Injection does not apply; loading a decoded assembly straight from memory is T1620.)
- [T1041] Exfiltration Over C2 Channel – Use of a Telegram bot to transmit stolen host details and credentials: ‘information about the compromised machine… is sent to a Telegram bot.’ Because the Telegram Bot API is a legitimate web service, [T1567] Exfiltration Over Web Service is the closer match for detection engineering: hunt for api.telegram.org traffic from non-browser processes.
Indicators of Compromise
- [File extension/name] Malicious JS disguised as PDF – pattern: “filename.pdf . . . .js”, a decoy .pdf extension followed by spaces and dots and then the real .js extension (no specific file name provided).
- [Repository source] Hosting of PowerShell script – example: Bitbucket repository (PowerShell script fetched from Bitbucket; no direct URL provided).
- [C2 channel] Telegram exfiltration endpoint – example: Telegram bot used to receive stolen host info and credentials (no bot handle provided).
The attack begins with a malspam e-mail carrying a PDF attachment. The PDF shows a fake error message and a “Reload” button; clicking it opens a URL from which a JavaScript file is downloaded. The file name uses a double extension padded with spaces and dots (“filename.pdf . . . .js”): the decoy .pdf extension is what the recipient sees, while the real .js extension is pushed to the end of the name and out of view, so the file passes as a harmless document.
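The padded double-extension trick above is easy to check for at the mail gateway or in download telemetry. The following is an added example, not code from the original report: a Python check that strips the padding, recovers the true extension and flags names where an executable or script extension hides behind a decoy document extension. The extension lists and the sample names are my own assumptions, not indicators from the campaign.

```python
import re
import unicodedata

# Extensions Windows hands to the Script Host or the shell when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                         ".exe", ".scr", ".pif", ".bat", ".cmd", ".ps1", ".lnk"}
# Extensions attackers place earlier in the name so the file passes as a document or image.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}

_REAL_EXT = re.compile(r"\.([A-Za-z0-9]{1,4})$")
# A decoy extension followed only by spaces/dots, i.e. the "filename.pdf . . . " part.
_DECOY_AND_PADDING = re.compile(r"\.([A-Za-z0-9]{1,4})([ .]*)$")


def analyze_filename(name: str) -> dict:
    """Classify an attachment or download name.

    Looks for (1) an executable/script extension as the true, final extension,
    (2) a decoy document extension in front of it, and (3) space/dot padding
    between the two that pushes the real extension out of view in a file list.
    """
    # Map every Unicode space separator (NBSP, thin space, ...) to a plain space so
    # exotic padding cannot slip past the check, then drop trailing whitespace.
    normalized = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in name).rstrip()
    m = _REAL_EXT.search(normalized)
    if not m:
        return {"name": name, "suspicious": False, "real_ext": "", "decoy_ext": "",
                "padding": 0, "reasons": []}
    real_ext = "." + m.group(1).lower()
    head = normalized[: m.start()]
    d = _DECOY_AND_PADDING.search(head)
    decoy_ext = "." + d.group(1).lower() if d else ""
    padding = len(d.group(2)) if d else 0

    reasons = []
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"true extension {real_ext} is executable")
        if decoy_ext in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension {decoy_ext} precedes it")
        if padding:
            reasons.append(f"{padding} space/dot characters pad the name before {real_ext}")
    return {"name": name, "suspicious": bool(reasons), "real_ext": real_ext,
            "decoy_ext": decoy_ext, "padding": padding, "reasons": reasons}


def triage(names):
    """Return only the names worth blocking or quarantining, in input order."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names, not file names observed in the campaign.
    samples = ["invoice.pdf . . . .js", "report.pdf", "photo.jpg.exe",
               "invoice.pdf\u00a0\u00a0.js", "archive.tar.gz", "setup.js"]
    for verdict in triage(samples):
        print(repr(verdict["name"]), "->", "; ".join(verdict["reasons"]))
```

The check is deliberately run on the name alone, so it works on a mail gateway before the body is extracted; pair it with content-type inspection of the download, since a renamed script still runs regardless of what the name says.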
The obfuscated JavaScript runs on the victim host (a .js file opened from Explorer is executed by the Windows Script Host) and fetches a PowerShell script hosted on a Bitbucket repository. The PowerShell script carries the payload as encoded values; simple character substitutions turn them back into the bytes of a Windows executable, which is reconstructed and executed directly in memory rather than written to disk, so file-based scanning never sees the binary and little remains for forensic recovery.
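Because the binary never touches disk, the place to catch this stage is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), where the decoding and in-memory load are visible in clear text. The following is an added example, not code from the original report: a Python scorer that rates a script block on the traits described above (a long encoded byte array, chained substitutions, byte reconstruction, a reflective assembly load). The indicator weights, the threshold and both sample script blocks are my own constructions and are not taken from the campaign.

```python
import re

# Each indicator: (name, pattern, weight, minimum number of hits before it counts).
INDICATORS = [
    # Download cradle; in this campaign the fetch lives in the JavaScript stage, but
    # many PowerShell loaders pull their own payload, so it is still worth scoring.
    ("remote_fetch", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I), 1, 1),
    ("code_hosting_site", re.compile(r"bitbucket\.org|raw\.githubusercontent\.com|gitlab\.com|pastebin\.com", re.I), 1, 1),
    # A run of 200+ short comma-separated tokens: a byte array, possibly with digits swapped for symbols.
    ("encoded_blob", re.compile(r"(?:[^\s,'\"]{1,3},){200,}"), 2, 1),
    # Two or more -replace operations on a string: the "simple substitution" decoding step.
    ("substitution_decode", re.compile(r"-replace\s*['\"]"), 2, 2),
    ("byte_reconstruction", re.compile(r"FromBase64String|\[byte\[\]\]|\[char\]", re.I), 1, 1),
    # Loading a .NET assembly from a byte array and running it: no file ever touches disk.
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load\w*\(|\.EntryPoint\.Invoke\(|CurrentDomain\.Load\(", re.I), 3, 1),
    ("dynamic_exec", re.compile(r"Invoke-Expression|\biex\b", re.I), 2, 1),
]
THRESHOLD = 5  # assumed tuning value; adjust against your own baseline of 4104 events


def score_script_block(text: str) -> dict:
    """Score one PowerShell script block (e.g. the ScriptBlockText of a 4104 event)."""
    hits, score = {}, 0
    for name, pattern, weight, min_hits in INDICATORS:
        n = len(pattern.findall(text))
        if n >= min_hits:
            hits[name] = n
            score += weight
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


# Constructed samples, not real captured script blocks. The loader mimics the structure the
# report describes (encoded array, substitutions restoring digits, in-memory load); the byte
# values are just 0..299 mod 256 with '0'/'1' swapped for symbols, not a real executable.
_BLOB = ",".join(str(i % 256) for i in range(300)).replace("0", "#").replace("1", "~")
SAMPLE_LOADER = f"""
$raw = '{_BLOB}'
$bytes = [byte[]](($raw -replace '#','0' -replace '~','1').Split(','))
[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)
"""
SAMPLE_BENIGN = """
$dest = Join-Path $env:TEMP 'tool.zip'
Invoke-WebRequest -Uri 'https://example.com/tool.zip' -OutFile $dest
Expand-Archive -Path $dest -DestinationPath (Join-Path $env:TEMP 'tool')
"""

if __name__ == "__main__":
    for label, block in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, score_script_block(block))
```

Weighting the reflective load highest matters: a download cradle or a Base64 decode on its own is routine in administration scripts, whereas `[Reflection.Assembly]::Load` on a freshly decoded byte array almost never is. The blob pattern is written on token shape rather than digits precisely because the substitution step replaces digits with symbols until the last moment.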
Post-compromise activity consists of credential harvesting from a wide range of browsers, email clients, FTP clients, messaging applications and password managers. The collected system details and credentials are packaged and sent to a Telegram bot, giving the operators, or the buyers they resell to, ready-made access to the compromised accounts and systems.
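The Telegram leg is the most visible part of the chain from the network side: every upload is an HTTPS request to api.telegram.org whose path embeds the bot token, and the same token ties together every host the operator has infected. The following is an added example, not code from the original report: a Python triage script over a constructed proxy/EDR log extract (CSV layout, host names, process paths, timestamps and the bot tokens are all made up; only the URL shape follows the real Bot API) that flags bot-API traffic, rates upload methods as high severity and pivots from the bot id to all affected hosts.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Telegram Bot API calls have the form https://api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_URL = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.I)
# Methods that carry data off the host; anything else is still worth a look, at lower priority.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto", "sendvideo", "sendaudio"}

# Constructed log extract (CSV). Hosts, processes, times and tokens are made up.
SAMPLE_LOG = r"""timestamp,host,process,dest,method,url
2024-05-02T10:14:03Z,WS-042,C:\Users\mr\AppData\Roaming\Update\svc.exe,api.telegram.org:443,POST,https://api.telegram.org/bot123456789:AAExampleTokenNotReal0123456789abcdef/sendDocument
2024-05-02T10:15:10Z,WS-017,C:\Program Files\Google\Chrome\Application\chrome.exe,web.telegram.org:443,GET,https://web.telegram.org/k/
2024-05-02T10:16:44Z,WS-042,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,api.telegram.org:443,POST,https://api.telegram.org/bot123456789:AAExampleTokenNotReal0123456789abcdef/sendMessage
2024-05-02T10:17:01Z,WS-003,C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe,api.telegram.org:443,GET,https://api.telegram.org/bot987654321:AAAnotherMadeUpToken0000000000000000/getMe
"""


def find_telegram_bot_traffic(log_text: str) -> list:
    """Return one finding per request that hits the Bot API, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        m = BOT_URL.search(row["url"])
        if not m:
            continue  # ordinary Telegram web/client traffic does not carry a bot token
        bot_id, secret, method = m.groups()
        findings.append({
            "time": row["timestamp"],
            "host": row["host"],
            "process": PureWindowsPath(row["process"]).name.lower(),
            "bot_id": bot_id,
            "token_prefix": secret[:4] + "...",  # enough to correlate, not enough to reuse
            "method": method,
            "severity": "high" if method.lower() in EXFIL_METHODS else "medium",
        })
    return findings


def pivot_by_bot(findings: list) -> dict:
    """Group affected hosts per bot id: hosts talking to the same bot share an operator."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["bot_id"]].add(f["host"])
    return {bot: sorted(h) for bot, h in hosts.items()}


if __name__ == "__main__":
    found = find_telegram_bot_traffic(SAMPLE_LOG)
    for f in found:
        print(f["severity"], f["time"], f["host"], f["process"], f["method"], "bot", f["bot_id"])
    print("hosts per bot:", pivot_by_bot(found))
```

Only the token prefix is kept in the finding so that the triage output can be shared without handing anyone a working bot credential; the full token belongs in the incident record and in the abuse report to Telegram, which can disable the bot and cut off the operator's channel.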