Phishing, Email security, Threat Intelligence

Novel SideTwist, Agent Tesla variants deployed in new phishing attacks

Two separate phishing campaigns have been distributing new variants of the SideTwist and Agent Tesla backdoors, according to The Hacker News. Attacks spreading the SideTwist variant were launched by Iranian advanced persistent threat group APT34, also known as Helix Kitten, OilRig, Hazel Sandstorm, and Cobalt Gypsy, which facilitated compromise through a Microsoft Word document laced with a malicious macro, a report from NSFOCUS Security Labs revealed. Researchers found that the SideTwist variant executed by the macro was compiled with GCC and received commands from a remote server. Meanwhile, a Fortinet FortiGuard Labs report described another phishing campaign that used a malicious Excel file exploiting old Microsoft vulnerabilities, tracked as CVE-2017-11882 and CVE-2018-0802, to deploy a new Agent Tesla variant. "The Agent Tesla core module collects sensitive information from the victim's device. This information includes the saved credentials of some software, the victim's keylogging information, and screenshots," said researcher Xiaopeng Zhang.
