Malware phishing campaign
A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.
Agent Tesla is a .Net-based info-stealer that has been circulating the internet for many years but remains a threat in the hands of phishing actors.
In June 2021, we reported on the active distribution of Agent Tesla in DHL-themed phishing campaigns that relied on the atypical WIM file attachment.
In the most recent campaign, researchers at Fortinet explain that threat actors are targeting Korean users with emails that allegedly contain “order” details.
Because the attachment is a PowerPoint file, recipients are more likely to be convinced that they need to “enable content” in Microsoft Office to view it properly.
If opened, the file doesn’t present any slides but instead launches an auto-run VBA function that fetches and executes an HTML resource hosted on a remote site.
After the escaped VBScript code is executed, the actor can use a range of scripts, including PowerShell, to stealthily deliver Agent Tesla.
Fortinet has spotted the following scripts and their role:
The malware is injected into the legitimate Microsoft .NET RegAsm.exe executable via four Windows API functions. By injecting itself into RegAsm.exe, Agent Tesla can operate filelessly on the infected system, so the chances of being detected drop significantly.
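The delivery chain above (Office document, script host, payload injected into RegAsm.exe) leaves a recognisable trail in endpoint telemetry. The following is an added detection example, not code from the article or from Fortinet; the event records are constructed in the style of Sysmon process-creation and network events, and the set of parents that legitimately launch RegAsm.exe is an assumption to tune per environment.

```python
"""Flag the Agent Tesla delivery chain in process/network telemetry:
an Office process spawning a script host, RegAsm.exe launched by
something other than build tooling, and RegAsm.exe opening a socket.
Added example, not from the article. Event records are constructed."""

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
INJECTION_TARGET = "regasm.exe"
# Parents that legitimately run RegAsm.exe (assumption; tune to your environment).
EXPECTED_REGASM_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_id) findings for a list of event records."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev["parent_image"])
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office-spawns-script-host", ev["id"]))
            if image == INJECTION_TARGET and parent not in EXPECTED_REGASM_PARENTS:
                findings.append(("regasm-unexpected-parent", ev["id"]))
        elif ev["type"] == "network" and image == INJECTION_TARGET:
            # A .NET assembly registration tool has no reason to talk to the
            # network; an outbound connection is a strong sign of injected code.
            findings.append(("regasm-outbound-connection", ev["id"]))
    return findings


# Constructed sample telemetry: a benign RegAsm run, one infection chain, one benign socket.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": REGASM, "parent_image": r"C:\VS\Common7\IDE\devenv.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"id": 3, "type": "process", "image": REGASM, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4, "type": "network", "image": REGASM, "dest_port": 587},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, event_id in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule fires independently, so a benign RegAsm.exe run from Visual Studio (event 1) produces nothing while the Office-to-PowerShell-to-RegAsm chain produces three correlated findings.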
Agent Tesla features a keylogger, a browser cookie and saved credentials stealer, a Clipboard data sniffer, and even a screenshot tool.
The attacker can choose which features to enable when compiling the payload, striking a balance between capability and stealth.
In total, Agent Tesla can snatch data from over 70 applications, with the most popular ones listed below.
Chromium-based Web Browsers:
Epic Privacy, Uran, Chedot, Comodo Dragon, Chromium, Orbitum, Cool Novo, Sputnik, Coowon, Brave, Liebao Browser, Elements Browser, Sleipnir 6, Vivaldi, 360 Browser, Torch Browser, Yandex Browser, QIP Surf, Amigo, Kometa, Citrio, Opera Browser, CentBrowser, 7Star, Coccoc, and Iridium Browser
Web Browsers:
Chrome, Microsoft Edge, Firefox, Safari, IceCat, Waterfox, Tencent QQBrowser, Flock Browser, SeaMonkey, IceDragon, Falkon, UCBrowser, Cyberfox, K-Meleon, PaleMoon
VPN clients:
OpenVPN, NordVPN, RealVNC, TightVNC, UltraVNC, Private Internet Access VPN
FTP clients:
FileZilla, Cftp, WS_FTP, FTP Navigator, FlashFXP, SmartFTP, WinSCP 2, CoreFTP, FTPGetter
Email clients:
Outlook, Postbox, Thunderbird, Mailbird, eM Client, Claws-mail, Opera Mail, Foxmail, Qualcomm Eudora, IncrediMail, Pocomail, Becky! Internet Mail, The Bat!
Downloader/IM clients:
DownloadManager, jDownloader, Psi+, Trillian
MySQL and Microsoft Credentials
When it comes to exfiltrating the collected data, the malware offers four ways to do it, namely HTTP Post, FTP upload, SMTP, and Telegram.
Each packet sent carries a number that signifies its type, and there are seven kinds of packets as detailed below:
Agent Tesla infections are very severe, but you can easily avoid them if unsolicited emails are deleted immediately upon reception.
PowerPoint documents should be treated with extreme caution, as VBA macros can be as dangerous as their Excel counterparts.
In summary, keep your Internet security shields up, your software up to date, your Microsoft Office macros disabled, and your curiosity in check.
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved