Yesterday I spotted a piece of JavaScript that delivers Agent Tesla[1]. New waves of this information stealer trojan are regularly spread to victims. PE files are delivered through downloader scripts attached to phishing emails. Those scripts are regularly updated, and the one I found yesterday was interesting. The file was delivered as a 7z archive pretending to contain a product catalog. Inside the archive, there was a JavaScript file called “Product Specification #87305.js” (SHA256: 2c15a96371122649e0c47c4e1af2eff14860a7d8fafc6f71267ea5035d5d4201). The file has a current VT score of 15/55[2].
Article Link: https://isc.sans.edu/diary/rss/28050