The XLSB mail attachment contacts a URL and downloads the malware from an open directory, which also hosts Ursnif/Gozi and is constantly updated.
Technical analysis by the Malware Hunter JAMESWT
New RFQ-themed global AgentTesla campaign. The executable inside the compressed attachment is the malware itself. Furthermore, the stolen data is exfiltrated via the Telegram API instead of FTP or SMTP.
New global AgentTesla campaign themed on product orders. The lure is a Request For Quotation (RFQ) and an order.
The email contains a compressed file in 7Z format with an executable (the malware itself) inside. When run, it steals sensitive information from the victim and exfiltrates it via the Telegram API, rather than via FTP or SMTP as has traditionally been the case.
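The Telegram Bot API exfiltration channel described above leaves a recognisable network trace: an HTTPS POST to api.telegram.org with a path of the form /bot<id>:<token>/<method>. The following detection script is an added example written for this page, not code from the original analysis or from any vendor; it parses constructed proxy log lines (the six-field format, the host names, process names and bot ids are all assumptions made for the example) and flags data-sending Bot API calls made by processes that are not a known, approved integration. It redacts the bot token from its output so the secret does not leak into alert systems.

```python
import re
from urllib.parse import urlparse

# Bot API methods that move data out of the host (text, files, screenshots).
# getUpdates and similar polling calls are deliberately not in this set.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Processes allowed to talk to the Bot API in this (constructed) environment.
APPROVED_BOT_PROCESSES = {"python.exe"}

# Path shape used by the Telegram Bot API: /bot<numeric id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_log_line(line):
    """Parse one constructed proxy log line:
    '<timestamp> <host> <process> <http_method> <url> <status>'.
    Returns a dict, or None if the line does not have six fields."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, proc, http_method, url, status = parts
    return {"ts": ts, "host": host, "process": proc,
            "http_method": http_method, "url": url, "status": status}


def classify(entry):
    """Return an alert dict if the entry is a data-sending Bot API call from a
    process that is not approved for Telegram bot traffic, else None."""
    u = urlparse(entry["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    bot_id, _token, api_method = m.groups()
    if api_method not in EXFIL_METHODS:
        return None
    if entry["process"] in APPROVED_BOT_PROCESSES:
        return None
    # The token is a secret: keep only the numeric bot id in the alert.
    return {"ts": entry["ts"], "host": entry["host"],
            "process": entry["process"], "bot_id": bot_id,
            "api_method": api_method}


def find_telegram_exfil(lines):
    """Run the detection over an iterable of log lines and collect alerts."""
    alerts = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign browsing line, two exfil calls from an
# unapproved executable, and one polling call from an approved integration.
SAMPLE_LOG = [
    "2021-02-15T10:01:02Z WS-042 chrome.exe GET https://www.example.com/ 200",
    "2021-02-15T10:02:10Z WS-042 rfq_order.exe POST "
    "https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_abc/sendDocument 200",
    "2021-02-15T10:02:11Z WS-042 rfq_order.exe POST "
    "https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_abc/sendMessage 200",
    "2021-02-15T10:03:00Z WS-017 python.exe POST "
    "https://api.telegram.org/bot987654321:CONSTRUCTED_TOKEN_xyz/getUpdates 200",
]

if __name__ == "__main__":
    for alert in find_telegram_exfil(SAMPLE_LOG):
        print(alert)
```

Matching on the URL path rather than only on the domain keeps the rule useful where a legitimate bot integration exists: the approved process and the non-exfiltrating getUpdates call are ignored, while two outbound sends from an unexpected executable on the same bot id become one correlated incident.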
AgentTesla, through its keylogger function, is able to capture everything the user types. Additionally, it can steal credentials from browsers and email clients and take screenshots. Finally, it can receive commands remotely on the infected PC, such as downloading additional payloads or updating existing ones.
The Telegram API has already been used by cybercriminals to control malware such as T-RAT, RATAttack, HeroRAT, TeleRAT, IRRAT, RAT-via-Telegram and Telegram-RAT.
Furthermore, the Telegram API has already been used by cybercriminals to control malware (in particular Remote Access Trojans) targeting mobile devices, as happened with T-RAT, RATAttack, HeroRAT, TeleRAT, IRRAT, RAT-via-Telegram and Telegram-RAT. The reason is that criminal operators can reach infected computers faster and more easily from anywhere, activating data-theft features as soon as a victim is infected and, above all, before the presence of the RAT is discovered. In addition, the messenger makes the malware easy to set up and operate.