Sansec cybersecurity experts: The new parasitic malware, spread by CronRAT, hijacks a host Nginx application to masquerade its presence.
Technical analysis by the Malware Hunter JAMESWT
A fake e-mail about an RFQ/purchase order delivers Agent Tesla. The gz attachment in the email contains an exe: the malware itself. If opened, it activates the infection chain, and the stolen data is then exfiltrated via SMTP.
A fake email about an RFQ/purchase order, purportedly from an Indian courier, spreads the latest Agent Tesla campaign.
The gz attachment contains an exe: the malware itself. If it is opened, it activates the infection chain. Once inside the victim's computer, it steals information and exfiltrates it via SMTP.
Through its keylogger function, Agent Tesla captures everything the user types. It can also steal credentials from browsers and email clients and take screenshots. Finally, it can execute commands issued remotely on the infected PC, such as downloading additional payloads or updating existing ones.
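A mail-gateway check for the delivery vector described above (an executable hidden inside a .gz attachment), written here as an added example; it is not code from the original article or from JAMESWT's analysis. The message, the addresses, the subject and the attachment name are constructed, and the "executable" inside the archive is just an inert `MZ` header followed by filler bytes.

```python
import email
import gzip
import io
from email import policy
from email.message import EmailMessage

# First two bytes of a Windows PE executable (the "MZ" DOS header).
PE_MAGIC = b"MZ"
GZIP_MAGIC = b"\x1f\x8b"


def build_sample_email(executable_inside: bool = True) -> bytes:
    """Construct an RFQ-themed message with a .gz attachment (constructed sample).

    With executable_inside=True the archive holds an inert 'MZ' stub that mimics
    the lure described in the article; otherwise it holds harmless text.
    """
    msg = EmailMessage()
    msg["From"] = "quotes@courier.example"      # constructed address
    msg["To"] = "sales@victim.example"          # constructed address
    msg["Subject"] = "RFQ / Purchase Order 4471"  # constructed subject
    msg.set_content("Please find the purchase order attached.")
    if executable_inside:
        payload = PE_MAGIC + b"\x90" * 64       # inert placeholder, not a real PE
        name = "PO_4471.exe.gz"
    else:
        payload = b"Purchase order 4471: 120 units, net 30.\n"
        name = "PO_4471.txt.gz"
    msg.add_attachment(
        gzip.compress(payload),
        maintype="application",
        subtype="gzip",
        filename=name,
    )
    return bytes(msg)


def gz_attachments_hiding_executables(raw: bytes) -> list[str]:
    """Return the names of gzip attachments whose decompressed content starts
    with a PE header. Only the first two decompressed bytes are read, so a
    decompression bomb cannot exhaust memory during the check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Match on content, not just on the extension: the name can lie.
        if not (name.lower().endswith(".gz") or data[:2] == GZIP_MAGIC):
            continue
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                head = gz.read(2)
        except (OSError, EOFError):
            # Corrupt or truncated archive: not a PE hit, handle separately.
            continue
        if head == PE_MAGIC:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("malicious sample:", gz_attachments_hiding_executables(build_sample_email(True)))
    print("benign sample:   ", gz_attachments_hiding_executables(build_sample_email(False)))
```

The check keys on the gzip magic bytes and the PE magic bytes rather than on the file extension alone, so renaming the attachment does not evade it, and reading only two decompressed bytes keeps a malicious archive from turning the scanner itself into a denial-of-service target.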