Agent Tesla & Dridex

Industry: N/A | Level: Operational | Source: PaloAlto - Unit42

Research from Palo Alto Unit42 identified a rise in the distribution of Agent Tesla and Dridex malware from July 27th to December 1st, 2021. Although the activity is not likely to be associated with the same threat actor, the infection chain follows a similar path between the malware. The malware is delivered through phishing mails containing malicious files with Dridex being dropped from Excel 4.0 macros, with XLL droppers used for both Dridex and Agent Tesla. For Agent Tesla, the malware is dropped through the XLL document in which a dropper will download the Agent Tesla payload or the Agent Tesla payload is downloaded through Discord. In terms of Dridex both the Excel macro or XLL file is applicable in retrieving the Dridex Loader from Discord.

• Anvilogic Scenarios:
• Malicious Document Delivering Malware
• HTA Payload Drop
• Dridex Behaviors
• Agent Tesla