AgentTesla keylogger as fileless malware.

I am seeing a somewhat different than usual AgentTesla malspam campaign this morning. It uses a multistage downloader that eventually runs the AgentTesla keylogger / infostealer on the victim's computer as fileless malware. It all starts with the Word doc attachment, which is actually an RTF file exploiting CVE-2017-11882 (the Microsoft Equation Editor buffer overflow). The exploit calls out to https://bit.ly/2KtVnOo, which redirects to https://wsdg.net/TECTED.xzz. That .xzz file is a renamed executable: the RTF stage renames it back to .exe and runs it, and this is the downloader for the AgentTesla binary, which it fetches in Base64-encoded form from https://paste.ee/r/tbOr2.
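The two artefacts an analyst would want to check first in this chain are the RTF stage (does it carry an Equation Editor OLE object, and which URLs are in it?) and the paste.ee stage (does the Base64 blob decode to a Windows PE?). The script below is an added triage example written for this page, not code from the campaign or from the original post. The RTF fragment and the Base64 paste it works on are constructed inline (the paste wraps a fake 88-byte PE stub, not real malware); the bit.ly URL from the post is used only as a string inside that constructed sample.

```python
import base64
import re
import struct

# Constructed sample (not a real captured document): a minimal RTF that embeds
# an OLE object of class Equation.3, the class CVE-2017-11882 lures carry, and
# one embedded URL so the URL extraction has something to find.
SAMPLE_RTF = (
    r"{\rtf1{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata 0105000002000000}}"
    r" https://bit.ly/2KtVnOo }"
)

# Equation.2 / Equation.3 are the ProgIDs for the old EQNEDT32.EXE component.
EQUATION_CLASS_RE = re.compile(rb"\\objclass\s+Equation\.(?:2|3)", re.IGNORECASE)
# Stop URLs at whitespace, quotes and RTF group/control characters.
URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+")


def triage_rtf(data: bytes) -> dict:
    """Flag an RTF that embeds an Equation Editor object and list the URLs in it."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "equation_object": False, "urls": []}
    return {
        "is_rtf": True,
        "equation_object": bool(EQUATION_CLASS_RE.search(data)),
        "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(data)],
    }


def decode_base64_payload(text: str) -> bytes:
    """Decode a pasted Base64 blob; pastes are usually line-wrapped, so drop whitespace first."""
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for the downloaded binary: DOS header + PE signature only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample paste: the stub above, Base64-encoded and line-wrapped.
_encoded = base64.b64encode(build_fake_pe_stub()).decode("ascii")
SAMPLE_PASTE = _encoded[:40] + "\n" + _encoded[40:] + "\n"


def triage_chain(rtf: bytes, paste_text: str) -> dict:
    """Summarise both stages the way a quick IR note would."""
    stage1 = triage_rtf(rtf)
    payload = decode_base64_payload(paste_text)
    return {
        "rtf_has_equation_object": stage1["equation_object"],
        "rtf_urls": stage1["urls"],
        "paste_decodes_to_pe": looks_like_pe(payload),
        "payload_size": len(payload),
    }


if __name__ == "__main__":
    print(triage_chain(SAMPLE_RTF.encode(), SAMPLE_PASTE))
```

The Equation.3 check is a cheap first filter, not proof of exploitation: a legitimate document can embed a formula object, so a hit means "open this in a sandbox", and a benign-looking OLE class does not clear a file, since the shellcode lives in the `\objdata` stream rather than the class name. The PE check on the decoded paste is the part that confirms the second stage really is a dropped binary rather than, say, a script.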