In a blog post, researchers Edmund Brumaghin and Holger Unterbrink said the attackers behind this malware campaign - which has not been given a name as yet - used a well-known exploit chain but modified it so that anti-virus software would not be able to detect it.
Agent Tesla can steal user login information from the following applications: Chrome, Firefox, Internet Explorer, Yandex, Opera, Outlook, Thunderbird, IncrediMail, Eudora, FileZilla, WinSCP, FTP Navigator, Paltalk, Internet Download Manager, JDownloader, Apple keychain, SeaMonkey, Comodo Dragon, Flock and DynDNS.
It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.
Brumaghin and Unterbrink said other malware besides Agent Tesla and Loki was also being downloaded to infected Windows computers, such as Gamarue, which can take over an infected machine and is a typical information stealer.
"The actor(s) behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware," the two researchers said.
"It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode.
"Either way, this shows that the actor or their tools have the ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability. This is a technique that could very well be used to deploy other malware in a stealthy way in the future."
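To make the researchers' point concrete from the detection side, here is an added illustration (not code from the Talos write-up or from the campaign) of why a signature built on exact opcode bytes misses a re-encoded payload while a check on what the code actually does still catches it. The two instruction fragments, the `SIGNATURE` constant and the helper names `emulate`, `signature_match` and `behaviour_match` are all constructed for this example; the fragments are trivial toy x86 sequences, not the campaign's shellcode.

```python
"""
Constructed example: same behaviour, different opcode bytes.

The "original" fragment sets EAX to 1 and pushes 0x10 using the most obvious
encodings. The "variant" reaches the identical machine state through other
instructions (xor/inc, a padding nop, and a 32-bit immediate push), so its
bytes share nothing with the original. A byte signature derived from the
original therefore fails on the variant; comparing the resulting register
and stack state does not.
"""

MASK32 = 0xFFFFFFFF

# Constructed toy fragments (32-bit x86 encodings).
ORIGINAL = bytes.fromhex("b801000000"   # mov eax, 1
                         "6a10")        # push 0x10 (imm8)
VARIANT = bytes.fromhex("31c0"          # xor eax, eax
                        "40"            # inc eax
                        "90"            # nop
                        "6810000000")   # push 0x10 (imm32)

# A naive detector: the exact bytes of the known-bad fragment.
SIGNATURE = bytes.fromhex("b8010000006a10")


def emulate(code: bytes) -> dict:
    """Tiny interpreter for the handful of opcodes used above (constructed subset).

    Returns the final state as a dict so that two fragments can be compared
    on their effect rather than on their bytes.
    """
    state = {"eax": 0, "stack": []}
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x90:                                   # nop
            i += 1
        elif op == 0xB8:                                 # mov eax, imm32
            state["eax"] = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif op in (0x31, 0x33) and code[i + 1] == 0xC0: # xor eax, eax (two encodings)
            state["eax"] = 0
            i += 2
        elif op == 0x29 and code[i + 1] == 0xC0:         # sub eax, eax
            state["eax"] = 0
            i += 2
        elif op == 0x40:                                 # inc eax
            state["eax"] = (state["eax"] + 1) & MASK32
            i += 1
        elif op == 0x6A:                                 # push imm8 (sign-extended)
            value = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            state["stack"].append(value & MASK32)
            i += 2
        elif op == 0x68:                                 # push imm32
            state["stack"].append(int.from_bytes(code[i + 1:i + 5], "little"))
            i += 5
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
    return state


def signature_match(code: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-pattern detection: brittle against re-encoded instructions."""
    return signature in code


def behaviour_match(code: bytes, reference: bytes = ORIGINAL) -> bool:
    """Effect-based detection: compares the machine state both fragments produce."""
    return emulate(code) == emulate(reference)


if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL))  # True
    print("signature hits variant: ", signature_match(VARIANT))   # False
    print("behaviour hits variant: ", behaviour_match(VARIANT))   # True
    print("final state:", emulate(VARIANT))
```

The emulator only understands the few opcodes the example needs, and real detection engines use sandboxing, emulation or structural checks on the carrier document rather than a toy interpreter; the point the block demonstrates is the one the quote makes, that a fragment can be rewritten until its bytes look unrelated while its effect is unchanged, so defences keyed on fixed opcode patterns alone are easy to outrun.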