Malware – Agent Tesla hides in animated GIF August 2018

In some of the fake DHL billing statements being mass-spammed, the Agent Tesla keylogger hides in an animated GIF, which is an unusual and unexpected delivery method.

On Wednesday 2018-08-01 tweeted about a recent example of malicious spam (malspam) pushing malware.  In recent weeks, this type of malspam has been pushing malware using the Agent Tesla keystroke logger.  It looks like Agent Tesla is still involved with today’s malspam, but this time, it’s not so straightforward.  An Agent Tesla binary was found hiding in an animated gif.

The HTTP request to returned an animated gif, which is somewhat strange.  Outside of the embedded malware in the animated gif, I couldn’t find anything unusual in my lab setup.  I could not find either item of malware extracted from the gif on my infected lab host, and I didn’t see any Agent Tesla-specific traffic during the infection.

Criminals have embedded malware in images before, so this is not a new trick.  Still, I don’t commonly run into this technique among the mass-distribution malware I frequently see.  Embedding malware in an animated gif might provide a way to avoid detection by security solutions.  As I write this, the gif shows a detection ratio of 3 / 58 in VirusTotal.