A sophisticated phishing campaign is actively distributing Agent Tesla, a prevalent credential-stealing malware, through a multi-stage attack that largely avoids detection. This insidious method leverages business-themed emails, obfuscated scripts, and in-memory execution to silently pilfer sensitive data from Windows users. The campaign’s effectiveness highlights the significant threat posed by commercially available malware when wielded by skilled cybercriminals, as it can operate entirely within a victim’s RAM, evading traditional security measures.
Agent Tesla, a malware family active since at least 2014, remains a popular choice for cybercriminals due to its Malware-as-a-Service (MaaS) model. This model allows even individuals with limited technical expertise to deploy the malware without needing to develop it from scratch. Its capabilities include harvesting browser credentials, capturing keystrokes, and extracting email account details, which are then discreetly transmitted to an attacker-controlled server. Despite its long-standing presence, Agent Tesla continually evolves its delivery mechanisms to circumvent evolving defensive strategies.
Phishing-Led Agent Tesla Campaign Utilizes Advanced Evasion Tactics
Fortinet researchers have identified this latest campaign, emphasizing that its danger lies not solely in the Agent Tesla malware itself, but in the intricately designed delivery pipeline. The attack chain progresses through multiple stages, each engineered to bypass specific detection points, from the initial phishing email to the final in-memory payload. This detailed planning suggests a deep understanding of endpoint security tools, with the attackers deliberately crafting the chain to circumvent them.
The attack commences with a phishing email designed to appear as a legitimate business inquiry, often carrying a subject line such as “New Purchase Order PO0172.” Attached is a compressed RAR file, named “PO0172.rar,” which contains an obfuscated JScript Encoded file, “PO0172.jse.” The use of a .jse file over a standard executable (.exe or .bat) is a deliberate tactic, as many email filters are configured to block executable files while allowing script files to pass through more readily. Once the user opens the .jse file, the attack proceeds automatically without requiring further user interaction.
The stolen data is ultimately exfiltrated to the attacker’s command-and-control server, identified at mail[.]taikei-rmc-co[.]biz, via SMTP. The observed attack chain follows this sequence: Email → RAR attachment → JScript loader (.jse) → PowerShell (downloaded) → PowerShell (in-memory) → .NET loader (in-memory) → .NET Agent Tesla payload (in-memory).
Inside the Attack: Memory Execution and Sophisticated Evasion Techniques
A particularly noteworthy aspect of this campaign is its ability to progress from a simple script to a fully functional malware payload without writing any residual files to the victim’s hard drive. Upon execution of the JSE file, it contacts a remote server, catbox[.]moe, to fetch an encrypted PowerShell script. This script employs a custom AES-CBC decryption function, referred to as Invoke-AESDecryption, incorporating PKCS7 padding to decrypt and execute the subsequent stage directly within memory.
By operating entirely in memory, the attack effectively leaves no disk-based artifacts for security tools to scan, significantly complicating detection efforts. The second-stage PowerShell script then executes a technique known as process hollowing. It targets “aspnet_compiler.exe,” a legitimate Windows .NET utility located in the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory. This process is initiated in a suspended state, its memory is then cleared, and the Agent Tesla payload is injected in its place. Operating under the guise of a trusted process name helps the malware evade signature-based detection tools.
Before initiating data collection, Agent Tesla performs environmental checks to ascertain if it is being subjected to analysis. It queries Windows Management Instrumentation (WMI) to detect the presence of virtualization software like VMware, VirtualBox, or Hyper-V. Additionally, it scrutinizes the system for specific DLLs commonly associated with security software, such as snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo). If any of these indicators are detected, the malware may self-terminate to protect its operational infrastructure and prevent its discovery.
Once these environmental checks are passed, Agent Tesla proceeds to harvest sensitive information including browser cookies, saved login credentials, and contact details. This stolen data is then packaged into plain text files and transmitted externally via SMTP. Security teams are advised to implement robust defenses, including blocking script-based email attachments like .jse and .js files at the email gateway. Enforcing PowerShell execution restrictions through group policy is also recommended. Endpoint solutions capable of detecting in-memory injection and process hollowing are crucial for identifying threats that bypass disk-based detection methods. Monitoring outbound SMTP traffic for anomalies indicative of data exfiltration is another vital step. Furthermore, continuous phishing awareness training for employees remains a cornerstone of defense against social engineering attacks of this nature.
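As an added illustration of the endpoint-detection advice above (example code, not from the Fortinet write-up), this Python script flags the parent-child process chain the report describes: a script host running a .jse or .js file, PowerShell launched by that script host, and aspnet_compiler.exe started by PowerShell. The Sysmon-style event fields are constructed, and the heuristic that aspnet_compiler.exe is not a normal PowerShell child is an assumption.

```python
import ntpath
import re

# Constructed process-creation records (not real telemetry) reproducing the
# chain in the report: explorer -> wscript (PO0172.jse) -> powershell ->
# aspnet_compiler.exe, plus one benign process as a control.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4212, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\PO0172.jse"'},
    {"pid": 4300, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -Command ..."},
    {"pid": 4388, "ppid": 4300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmd": "notepad++.exe report.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches a .jse/.js argument; \b keeps ".json" and similar from matching.
SCRIPT_ARG = re.compile(r"\.(jse|js)\b", re.IGNORECASE)


def _name(image):
    return ntpath.basename(image).lower()


def ancestry(by_pid, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def find_suspicious_chains(events):
    """Return one finding per rule hit, each with the full process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        rule = None
        if name in SCRIPT_HOSTS and SCRIPT_ARG.search(e["cmd"]):
            rule = "script_host_runs_jse"            # initial JScript loader
        elif name == "powershell.exe" and pname in SCRIPT_HOSTS:
            rule = "powershell_from_script_host"     # loader fetching stage 2
        elif name == "aspnet_compiler.exe" and pname == "powershell.exe":
            rule = "aspnet_compiler_from_powershell"  # hollowing target (assumed abnormal)
        if rule:
            findings.append({"rule": rule, "pid": e["pid"], "chain": ancestry(by_pid, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]))
```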