A large-scale spam campaign bent on spreading info-stealing malware is applying advanced obfuscation techniques to get around security scanning and maximize infection rates.
According to Lastline researchers, a large botnet is distributing malicious rich text format (RTF) documents that act as downloaders for well-known info-stealers, such as Agent Tesla or LokiBot. These malware variants steal a variety of credentials – including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials. The effort is linked to another recent spam campaign identified by Cisco Talos, Lastline said.
The firm found that many of the targeted entities are within the education sector in the Asia-Pacific region; however, the campaign also seems to be using a second, “spray-and-pray” approach on other potential victims.
“Some email subjects were quite generic, which implies that attackers used the spam campaign to target the generic public,” according to an analysis, published Thursday. In other cases, “email subjects were customized to specific targets or events, aiming to maximize its infection rate.”
The researchers found that the campaign uses common attack techniques, such as data obfuscation and VBA scripting, but that it also goes to great lengths to hide its infection processes.
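For defenders, the practical question with a campaign like this is how to triage RTF attachments whose embedded object data has been padded with junk control words and line breaks to slip past naive pattern matching. The script below is an added example, not code from Lastline or Cisco Talos, and runs against a constructed RTF sample rather than a real campaign document; it flags a truncated header, object-related control words, and an embedded OLE payload after stripping the obfuscation.

```python
import re
from typing import Dict, List

# Control words and destinations that mean the RTF carries an OLE object
# rather than plain text; \objupdate in particular forces the object to be
# refreshed when the document is opened.
OBJECT_KEYWORDS = (b"\\object", b"\\objemb", b"\\objupdate", b"\\objdata")

# Constructed sample (not from the campaign): a shortened header plus an
# embedded object whose hex payload is split by line breaks and unknown
# control words, a layout aimed at defeating simple scanners.
SAMPLE_RTF = (
    b"{\\rt\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
    b"{\\*\\objdata 0105\\xy 0000\n"
    b"0200\\zz 0000\n"
    b"4d5a 9000}}\n"
    b"}"
)

def header_is_truncated(data: bytes) -> bool:
    """Well-formed files start with '{\\rtf1'; Word still opens files whose
    header is cut down to '{\\rt', so a short header is a strong anomaly."""
    return not data.lstrip().startswith(b"{\\rtf1")

def extract_objdata(data: bytes) -> List[bytes]:
    """Find every \\objdata destination, drop the control words and
    whitespace inserted between hex digits, and return the decoded bytes."""
    payloads = []
    for m in re.finditer(rb"\\objdata\b", data):
        depth, i, chunk = 1, m.end(), bytearray()
        while i < len(data) and depth > 0:
            c = data[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c == b"\\":
                # skip a control word (letters plus optional numeric parameter)
                cw = re.match(rb"\\[A-Za-z]+-?\d*", data[i:])
                if cw:
                    i += len(cw.group())
                    continue
            elif c in b"0123456789abcdefABCDEF":
                chunk += c
            i += 1
        if chunk and len(chunk) % 2 == 0:
            payloads.append(bytes.fromhex(chunk.decode()))
    return payloads

def triage(data: bytes) -> Dict[str, object]:
    """Summarise the indicators worth checking before detonating a sample."""
    payloads = extract_objdata(data)
    return {
        "truncated_header": header_is_truncated(data),
        "object_keywords": [k.decode() for k in OBJECT_KEYWORDS if k in data],
        "embedded_objects": len(payloads),
        "mz_in_object": any(b"MZ" in p for p in payloads),  # PE header inside the object
    }
```

Run `triage(SAMPLE_RTF)` to see all four indicators set; on a real attachment, any of them alone justifies sandbox detonation before the file reaches a user.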