Tuesday, October 15, 2024
HomeCyber Security NewsAgentTesla Stealer Delivered Via Weaponized PDF and CHM Files

AgentTesla Stealer Delivered Via Weaponized PDF and CHM Files

Published on

Malware protection

AgentTesla, a notorious information stealer, is observed spreading via CHM and PDF Files, which covertly harvest critical information from the victim’s computer.

The stealer has features including keylogging, clipboard data capture, file system access, and data transfer to a Command and Control (C&C) server.

According to CRIL, its tactical changes maintain its serious threat to organizations and allow it to continue accessing priceless data.

- Advertisement - SIEM as a Service

Due to its adaptability, it may be used to exploit a variety of attack vectors, including email attachments, malicious URLs, and document-based intrusions.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

AgentTesla Delivered Via CHM File

An AgentTesla infection begins on the victim’s computer by a PowerShell script retrieved through a spam email containing a CHM file. 

A lure is used in the specially designed CHM file. Based on the information in the CHM file, it appears to be aimed at people or organizations working in network engineering, telecommunications, or information technology.

Malicious CHM file
Malicious CHM file

This CHM file secretly downloads and runs a PowerShell script from the remote server when the user opens it. The PowerShell script conceals harmful code by using encoded binary strings.

Infection Chain
Infection Chain

The malicious PowerShell script drops a loader DLL file based on the .NET framework, which injects the AgentTesla payload into system executables.

AgentTesla Delivered Via PDF File

In this case, this PDF uses two different strategies to spread the infection. In the first technique, the PDF triggers a PowerShell command that loads the AgentTesla malware. 

Two URLs Embedded in the PDF File
Two URLs Embedded in the PDF File

The second technique shows a fake message when the PDF is accessed, and when users click the “Reload” button, a PPAM file is downloaded.

The PowerShell operations executed by this PPAM file download the AgentTesla malware.

Recommendations

  • Use effective email filtering solutions to identify and stop spam, phishing scams, and harmful attachments.  
  • Avoid clicking on dubious links and opening email attachments.
  • Install a trusted Internet security and antivirus software on all of your linked devices.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...