AGENTTESLA

Malware Being Distributed by Disguising Itself as Icon of V3 Lite

The ASEC analysis team has discovered the distribution of malware disguised with a V3 Lite icon and packed with a .NET packer. The attacker likely created an icon that is almost identical to that of V3 Lite to trick the user, and AveMaria RAT and AgentTesla were discovered using this method during the last month. As shown in Figure 1, the icon looks almost identical to the actual V3 Lite icon. AveMaria is a RAT (Remote Administration Tool) malware with…

AgentTesla Being Distributed Through Windows Help File (*.chm)

The ASEC analysis team recently discovered AgentTesla being distributed with a new method. Previously, AgentTesla, as discussed in multiple ASEC blog posts, was distributed via a malicious VBA macro inside PowerPoint files (*.ppt). The new method, however, uses Windows Help files (*.chm) to run PowerShell commands. The malicious CHM files are distributed as compressed files attached to phishing emails imitating emails sent from DHL, a transport company. As phishing emails disguised as other topics are also being distributed, users need to…

AgentTesla Being Distributed via More Sophisticated Malicious PowerPoint Files

The ASEC analysis team has previously covered malicious PowerPoint files that have been continuously distributed since last year. Recently, the team discovered that various malicious features were added to the script that is run in the malicious PowerPoint file. The way the malicious file is run remains the same as in previous cases, and the malicious script performs features such as Anti-AV, UAC Bypass, and execution of additional malware. When the PowerPoint file is run, a security…