LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises

MITRE Techniques

• [T1566.001 ] Phishing: Spearphishing Attachment – The attack began with a malicious RAR attachment delivered as a finance/procurement lure [‘RAR archive with financial lure delivered via email’]
• [T1027 ] Obfuscated Files or Information – The dropper used a JScript Encoded Script and fake extensions to hinder inspection [‘JScript Encoded .jse dropper evades AV’; ‘unusual extension is intended to confuse automated scanners’]
• [T1059.007 ] JavaScript – The .jse dropper was executed by Windows Script Host via wscript.exe [‘wscript.exe executes .jse dropper’]
• [T1059.001 ] PowerShell – PowerShell stagers were launched with execution policy bypass to run payloads [‘Stager with -ExecutionPolicy Bypass’]
• [T1055.012 ] Process Hollowing – ALTERNATE.dll injected Agent Tesla into aspnet_compiler.exe to run inside a trusted process [‘ALTERNATE.dll injected into aspnet_compiler.exe’]
• [T1027.002 ] Software Packing – The loader used .NET Reactor 6.x virtualization and control flow obfuscation to resist static analysis [‘.NET Reactor 6.x with VM + control flow obfuscation’]
• [T1555.003 ] Credentials from Web Browsers – The payload accessed Chrome and Firefox credential stores to steal saved passwords [‘Chrome, Firefox credential store access confirmed’]
• [T1048.003 ] Exfiltration Over Alternative Protocol: FTP – Stolen data was sent to a cleartext FTP server for collection [‘Cleartext FTP to ftp.horeca-bucuresti.ro:21’]
• [T1082 ] System Information Discovery – The stealer enumerated CPU, RAM, OS version, hostname, and username before exfiltration [‘CPU, RAM, OS version enumeration pre-exfil’]
• [T1016 ] System Network Configuration Discovery – The malware queried ip-api.com to fingerprint the victim’s network context [‘External IP lookup via ip-api.com’]