Malicious Compiled HTML Help File Delivering Agent Tesla

May 19, 2022

The initial attack sent a 7zip compressed file named ORDER OF CONTRACT-pdf.7z, which contained the single malicious compiled HTML help file ORDER OF CONTRACT-pdf.chm (SHA256: 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa). The file contains obfuscated JavaScript that is executed when the file is opened. When the Javascript code in turn executes obfuscated PowerShell code which is executed in the background when the file is opened. The powershell payload downloads a second stage payload from the internet, which is a powershell loader. When the powershell loader is run, it in turn loads Agent Tesla to memory.

Featured Resources

View More Resources

blog

Shai-Hulud 2.0: NPM Supply Chain Attack Exposes the SDLC's Weakest Link

Idan Sherman, Security Researcher Executive summary The "Shai-Hulud" supply chain campaign has returned, striking harder and smarter than before. This

blog

Top 5 Must-Have Features in an Exposure Management Platform

Security teams are under growing pressure to reduce risk faster and prove resilience continuously. Attack surfaces expand with every new

Solution Brief

Continuous Wiz Validation and Optimization

Make CTEM actionable with continuous threat validation that proves and improves your real-world resilience.

Malicious Compiled HTML Help File Delivering Agent Tesla

Featured Resources

Shai-Hulud 2.0: NPM Supply Chain Attack Exposes the SDLC's Weakest Link

Top 5 Must-Have Features in an Exposure Management Platform

<img width="169" height="102" src="https://cymulate.com/uploaded-files/2023/08/Wiz-Defend_Certified-Integration-1.svg" alt="" class="kb-img wp-image-31752"/> Continuous Wiz Validation and Optimization

Continuous Wiz Validation and Optimization