
We recently saw a malicious spam campaign that has AutoIT-compiled payloads – the trojan spy Negasteal or Agent Tesla (detected by Trend Micro as TrojanSpy.Win32.NEGASTEAL.DOCGC), and remote access trojan (RAT) Ave Maria or Warzone (TrojanSpy.Win32.AVEMARIA.T) – in our honeypots. The upgrading of payloads from a typical trojan spy to a more insidious RAT may indicate that the cybercriminals behind this campaign are moving towards deploying more destructive (and lucrative) payloads, such as ransomware, post-reconnaissance.
Read More