Double AgentTesla campaign from China. A zip attachment contains an iso with an exe: the malware. The other, a pdf downloading a zip with an exe: the same malware. The data is exfiltrated via SMTP

The “Re:Fw:Inquiry for 2023 New Products Prices” coming formally from China is the bait for a new double AgentTesla campaign.

The message contains two zip attachments: “New Prices List” and “Old Prices”. The first one contains an iso with an exe inside: the malware. In the second, there is a pdf file with a link, that downloads a password protected zip file (written in the pdf document), that hosts the same exe/malware of the “New Prices List” file. Stolen data are exfiltrated by SMTP.

AgentTesla, through the keylogger function, is able to acquire everything the user types. Also, it can steal emails and browser credentials and take screenshots. Finally, it has the ability to remotely issue commands to the infected PC, such as downloading additional payloads or updating existing ones.