A newly identified loader has been linked to the distribution of the Agent Tesla malware, an infostealer used by threat actors for data exfiltration and related activity. The loader, compiled with .NET, employs evasion techniques to bypass security controls and execute payloads. It stands out for its polymorphic behavior and decryption routines, which make detection and mitigation harder. Its use of specific user-agent strings, proxies, and bypass techniques such as AMSI evasion contributes to its effectiveness in deploying malware.

SpiderLabs recently discovered a phishing email on March 8, 2024, carrying a disguised loader that initiated the deployment of Agent Tesla through an infection chain. The loader’s polymorphic behavior, distinct decryption routines, and evasion tactics demonstrate a skilled integration of methods to enhance malware distribution.

The loader downloads and executes its payloads exclusively in memory, which leaves no payload file on disk and reduces what disk-based scanning can observe. Coupled with the Agent Tesla infostealer, it poses a significant threat, since Agent Tesla can perform keystroke logging and data exfiltration.

Indicators of Compromise for the loader and Agent Tesla, including MD5 and SHA256 hashes, email addresses, download URLs, and user-agent strings, have been identified to aid in detection and mitigation efforts. The versatility and evasiveness of this new loader suggest that it may be utilized to deploy other types of malware in the future, highlighting the ongoing threat posed by advanced malware loaders in the cybersecurity landscape.
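As an added example (not code from the SpiderLabs report or from this post), the snippet below shows how a defender can put the kinds of indicators listed above to work: it matches constructed user-agent strings and download URLs against sample proxy log lines and checks a file's SHA256 against an indicator set. Every indicator value, hostname and log line here is a constructed placeholder; the published hashes, URLs and user-agent strings from the report would be substituted in practice.

```python
"""Match constructed IoCs (user-agent strings, download URLs, SHA256 hashes)
against constructed proxy log lines and file contents."""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed IoC values: placeholders standing in for the published indicators.
IOC_USER_AGENTS = {"Mozilla/4.0 (compatible; EXAMPLE-LOADER-UA/1.0)"}
IOC_URLS = {"http://example-ioc.invalid/stage2.bin"}
IOC_SHA256 = {hashlib.sha256(b"constructed attachment bytes").hexdigest()}

# Constructed proxy log lines in a simple layout:
# <timestamp> <client_ip> <method> <url> "<user-agent>"
SAMPLE_PROXY_LOG = [
    '2024-03-08T10:12:01Z 10.0.0.5 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2024-03-08T10:13:44Z 10.0.0.7 GET http://example-ioc.invalid/stage2.bin '
    '"Mozilla/4.0 (compatible; EXAMPLE-LOADER-UA/1.0)"',
    '2024-03-08T10:14:02Z 10.0.0.9 GET http://cdn.example.net/app.js '
    '"Mozilla/4.0 (compatible; EXAMPLE-LOADER-UA/1.0)"',
    "this line is malformed and must not crash the scanner",
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line whose URL or user-agent matches an indicator.

    A user-agent match alone is recorded too: the report notes the loader's
    distinctive user-agent strings, so a known string on a new URL is still
    worth a look.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        record = parse_proxy_line(line)
        if record is None:
            continue  # skip malformed lines rather than abort the scan
        reasons = []
        if record["url"] in IOC_URLS:
            reasons.append("url")
        if record["ua"] in IOC_USER_AGENTS:
            reasons.append("user-agent")
        if reasons:
            hits.append({"line": number, "client": record["client"],
                         "url": record["url"], "reasons": reasons})
    return hits


def sha256_matches(data: bytes) -> bool:
    """True when the SHA256 of the given bytes is in the indicator set."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} "
              f"matched on {', '.join(hit['reasons'])}")
    print("attachment hash match:", sha256_matches(b"constructed attachment bytes"))
```

Exact string matching is deliberate here: hashes, URLs and user-agent strings are only useful as indicators when compared verbatim, and the loader's polymorphism means a hash hit should be treated as confirmation of a known sample rather than as the only detection layer.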

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
