Beware — that bank payment notice could actually be a damaging new malware

Be careful when receiving payment slips from Polish banks


Hackers are emailing people a previously unseen loader designed to drop the Agent Tesla infostealer on their devices, experts have warned.

Researchers from Trustwave SpiderLabs first observed the campaign in early March 2023, detecting phishing emails that impersonate a Polish bank.

The email poses as a bank payment notification and carries an archive attachment named Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz ("dowód wpłaty" roughly translates to "proof of payment"). The "_pdf" in the name is a lure: the file is a .tar.gz archive, not a PDF, and opening its contents launches the loader, which in turn installs the Agent Tesla infostealer.
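A mail gateway or SOC triage script can catch this kind of attachment before anyone opens it. The following is an added example, not code from Trustwave or the article: it checks an archive attachment for the tells described above, a document-type token glued onto an archive name, an executable inside the archive, a double extension such as .pdf.exe, and a PE (MZ) header in a file that claims to be a document. The sample archive is constructed inline with a fake MZ stub so the example runs offline; the extension lists are assumptions, not a published signature.

```python
import io
import re
import tarfile

# Assumed list of extensions that Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".dll", ".msi", ".lnk"}
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".tar", ".zip", ".rar", ".7z")

# "invoice_pdf.tar.gz", "proof-of-payment.doc.zip": a document-type token padded
# onto the stem of an archive name so it reads as a document.
DECEPTIVE_STEM = re.compile(r"[_\-. ](pdf|doc|docx|xls|xlsx|invoice)$", re.IGNORECASE)


def deceptive_archive_name(filename):
    """True if an archive name is padded with a document-type token ('..._pdf.tar.gz')."""
    lower = filename.lower()
    for ext in ARCHIVE_EXTS:
        if lower.endswith(ext):
            stem = filename[: -len(ext)]
            return DECEPTIVE_STEM.search(stem) is not None
    return False


def triage_targz(filename, data):
    """Return a list of human-readable findings for a .tar.gz attachment given as bytes."""
    findings = []
    if deceptive_archive_name(filename):
        findings.append(f"deceptive archive name: {filename}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable member: {name}")
            # "dowod wplaty.pdf.exe": a document extension hidden in front of a real one.
            if len(parts) >= 3 and ext in EXECUTABLE_EXTS:
                findings.append(f"double extension: {name}")
            # Content check: a PE/DOS header in a member, whatever the name says.
            handle = tar.extractfile(member)
            if handle is not None and member.size >= 2 and handle.read(2) == b"MZ":
                findings.append(f"PE header (MZ) in member: {name}")
    return findings


def build_sample(member_name, payload):
    """Constructed sample: build an in-memory .tar.gz holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Not a real PE, only the DOS magic followed by padding, so nothing here can run.
    fake_pe = b"MZ" + b"\x90" * 62
    lure = build_sample("dowod wplaty.pdf.exe", fake_pe)
    for finding in triage_targz("Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz", lure):
        print("ALERT:", finding)
    benign = build_sample("report.txt", b"quarterly figures")
    print("benign findings:", triage_targz("report.tar.gz", benign))
```

The content check matters more than the name checks: a loader renamed to .pdf still starts with MZ, while a double extension is trivial to change between campaigns.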

Keylogger, screenshot grabber, infostealer

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” researchers said. “The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

The loader can also work around the Windows Antimalware Scan Interface (AMSI), the researchers added, by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content.”

Finally, once Agent Tesla has been decoded and executed in memory, the attackers exfiltrate the stolen data over SMTP, using what appears to be a legitimate but compromised email account belonging to a security system supplier in Turkey.
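Exfiltration through a third party's mail account means reputation and sender checks will not help, but the network pattern is still unusual: a workstation, rather than the organisation's mail relay, opening SMTP connections straight to an external server. The following is an added detection example, not from the article or Trustwave's report. It runs over a constructed, Zeek conn.log-style sample and assumes that only the hosts in APPROVED_RELAYS may speak SMTP to the internet; the internal ranges, relay address and log layout are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed policy: only these hosts may send mail directly to external servers.
APPROVED_RELAYS = {"10.0.0.25"}
# SMTP, SMTPS and submission, all seen used by infostealers for exfiltration.
SMTP_PORTS = {25, 465, 587}
# Assumed internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a conn.log-like layout: ts, src, sport, dst, dport, proto.
SAMPLE_LOG = """\
1678012345.12\t10.0.0.25\t51234\t203.0.113.10\t25\ttcp
1678012350.44\t10.0.4.17\t49877\t198.51.100.7\t587\ttcp
1678012351.02\t10.0.4.17\t49878\t10.0.0.25\t587\ttcp
1678012360.90\t10.0.4.22\t50111\t203.0.113.80\t443\ttcp
1678012361.10\t10.0.4.17\t49879\t198.51.100.7\t587\ttcp
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_line(line):
    """Parse one tab-separated connection record; returns None for blank or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, sport, dst, dport, proto = fields
    try:
        return {"ts": float(ts), "src": src, "dst": dst,
                "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def direct_external_smtp(log_text):
    """Map each non-relay internal host to {external SMTP destination: connection count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
            continue
        if rec["src"] in APPROVED_RELAYS or not is_internal(rec["src"]):
            continue
        if is_internal(rec["dst"]):
            continue  # mail handed to the internal relay is the expected path
        hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in direct_external_smtp(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"ALERT: {src} opened {n} direct SMTP connection(s) to {dst}")
```

In the sample only 10.0.4.17 trips the rule: its connection to the internal relay is ignored, the relay's own outbound SMTP is allowed, and the 443 connection from 10.0.4.22 is not SMTP at all. In a real deployment the destination would be enriched with the mail provider's identity so that a compromised legitimate account, as in this campaign, still stands out as "workstation talking to someone else's mail server".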

Agent Tesla is a remote access trojan (RAT) written in .NET. Different threat actor groups have been actively using it for almost a decade to target victims running the Microsoft Windows operating system. Security experts consider it a versatile piece of malware with numerous features, from stealing stored credentials and other information, to logging keystrokes, to grabbing screenshots.

Since its release in 2014, Agent Tesla has been frequently updated, and is now being offered as a service, with multiple subscription packages.

The last time we heard of Agent Tesla was in December last year, when Zscaler ThreatLabz observed hackers abusing a years-old Microsoft Office flaw to deploy the infostealer.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.