InQuest Blog

Posted on 2021-08-23 by Dmitry Melikov
A few days ago, we found an interesting JavaScript file masquerading as a PDF that, upon activation, drops and displays a PDF (to maintain the ruse) and also drops an executable. The document is a lure themed on a Korean Foreign Ministry document and its newsletter. The same attack was reported earlier by Malwarebytes in June.
Posted on 2021-07-30 by Dmitry Melikov
Pegasus is an advanced cyber-espionage tool with plenty of functionality for spying on mobile users. Cybersecurity researchers are not aware of many of the vectors the team uses to reach victims. One of them is sending the user a malicious link that exploits a specific vulnerability to install the implant. Knowing the victim's location via the GPS locator function is no problem for them. The attackers get access to the phonebook and to the files stored on the victim's device. They can read SMS messages and view the call history.
Posted on 2021-07-19 by Dmitry Melikov
Email-borne attacks frequently begin with a malicious document attachment. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with ransomware being one that is capturing many headlines.
Posted on 2021-06-30 by Isabelle Quinn
According to the 2020 Verizon Breach and Investigation report, email is still the most common vector by which organizations are attacked. The importance of implementing email security best practices, therefore, cannot be overstated, considering most enterprises rely heavily on this channel for everyday business communications. Unfortunately, threat actors can often trivially exploit overlooked weaknesses in corporate email security through vulnerabilities like the one used by HAFNIUM (CVE-2021-26855), malware or ransomware, phishing attacks, and accidental misconfigurations or employee mistakes.
Posted on 2021-06-28 by Dmitry Melikov
The Agent Tesla Remote Access Trojan (RAT) family of malware has had a long-standing presence in the threat landscape. This malicious software is sold as a remote access service for targeted systems; as such, the authors are constantly updating their malicious code to evade detection efforts. Attackers, the customers of the service, are also continuously developing and expanding their infrastructure to enhance their distribution and infection rates. Through analysis of one sample associated with a campaign distributing malicious files, we will see how they currently function and what new additions have been introduced in the latest versions.