ESET cybersecurity experts: It’s a banking trojan that has already targeted users from Poland, impersonating Bolt Food. Goal: to steal banking-cryptocurrency credentials.
AgentTesla is now delivered with .xll attachments. Files packaged with Excel-DNA from which a dll is extracted that contains two urls pointing to Discord. These download data files and encode them with XOR creating additional DLLs, which initiate the malware infection
New cybercrime technique to convey AgentTesla, bypassing antivirus: xll attachments, packaged with Excel-DNA.
The two files in the fake email, sent by a real company in India, create a dll if opened. This contains two URLs on Discord, which download DATA files and proceed to an XOR encoding with the “FuckMicrosoft123” key, transforming them into a dll, which starts the malware infection. It is the first time that Agent Tesla has been disseminated in this way in the cybersecurity landscape. It is not clear, however, whether the malicious code uses ftp or smtp to exfiltrate the stolen information once it is installed on the victim’s machine. The malware, in fact, through the keylogger function, is able to acquire everything the user types. Furthermore, it can steal browser emails and credentials and take screenshots. Finally, it has the ability to remotely issue commands on the infected PC, such as downloading additional payloads or updating existing ones.