Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities – Check Point Research

Check Point Research detailed Agent Tesla campaigns that used phishing via Plesk/RoundCube webmail servers and RDP/SSH-accessed infrastructure to deliver Cassandra‑protected .NET Agent Tesla samples inside ISO/.img attachments targeting US and Australian organizations. The actors “Bignosa” and “Gods” used credential harvesting, process injection, Defender exclusions, scheduled tasks persistence, and C2 communications to steal keystrokes and browser/email credentials. #AgentTesla #Bignosa

Keypoints

  • Agent Tesla campaigns in Nov 2023 targeted US and Australian organizations using malspam with ISO/.img attachments containing protected .NET payloads.
  • Operators installed Plesk and RoundCube on rented servers, then used RDP and SSH to create webmail accounts and send phishing spam at scale (≈62,000 emails across campaigns).
  • Delivered Agent Tesla samples were protected with the Cassandra Protector, which provides obfuscation, anti‑AV/anti‑emulation, signing, injection options (PE hollowing or .NET reflection), and persistence features.
  • Attack chain involved phishing to harvest email credentials, user execution of attached ISO/.img files, and subsequent credential/keystroke theft from browsers and email clients.
  • Cassandra Protector routines included copying to AppData, setting hidden/system attributes and ACLs, adding Scheduled Tasks for persistence, and adding Defender exclusions via PowerShell.
  • Researchers linked two actors—“Bignosa” (primary) and “Gods” (associate/mentor)—via shared infrastructure, admin email changes, and communication traces; social media footprints aided de‑anonymization.
  • IOCs include multiple actor‑controlled IPs, domains, email addresses, and file hashes for phishing pages; these were used to track campaigns and C2 infrastructure.

MITRE Techniques

  • [T1566] Phishing – Actors sent spam emails impersonating order/delivery messages to induce clicks: ‘The spam emails are prepared abusing the formal mail from with the topic of purchasing goods and order delivery.’
  • [T1204.002] User Execution: Malicious File – Victims executed the delivered attachment after clicking the email: ‘Agent Tesla sample protected by the Cassandra Protector is downloaded to the victim’s machine and executed.’
  • [T1555.001] Credentials from Web Browsers – Agent Tesla harvested browser‑stored credentials: ‘…login credentials used in browsers (such as Google Chrome and Mozilla Firefox)’.
  • [T1056.001] Input Capture: Keylogging – The malware captured keystrokes to steal credentials: ‘This malware can collect various types of data, including keystrokes…’
  • [T1055] Process Injection – Cassandra Protector configured injection methods including PE Hollowing and .NET reflection to evade detection: ‘The injection option … can be a PE Hollowing or .NET Reflection to itself.’
  • [T1053.005] Scheduled Task – Persistence was achieved by adding tasks to Scheduled Tasks: ‘For persistence Cassandra Protector adds the file to Scheduled Tasks.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Protector added Defender exclusion via PowerShell to evade endpoint defenses: ‘putting itself to Defender exclusion via Powershell: Add-MpPreference -ExclusionPath’.
  • [T1027.002] Software Packing – The Cassandra Protector obfuscated and “protected” .NET payloads and the actor converted executables into ISO/.img to avoid detection: ‘used Cassandra Protector to obfuscate the samples’ initial code and later convert the executables into ISO.’
  • [T1553.002] Subvert Trust Controls: Code Signing – Protector could sign the resulting file with a certificate to appear legitimate: ‘signing the resulting file with the certificate’.
  • [T1071.001] Application Layer Protocol: Web Protocols – Malware used C2 communications (same C&C observed across campaigns) over application layer protocols to exfiltrate data and receive commands: ‘the same C&C as the campaign earlier in the month.’

Indicators of Compromise

  • [IP Address] actor/infrastructure – 41.90.185.44, 91.215.152.7, and 5 more IPs observed controlling servers and RDP/SSH access (e.g., 41.90.177.10, 192.236.236.35, 79.110.48.6, 80.68.159.15).
  • [Domain] actor‑controlled mail/webhosts – chserver.top (172.81.60.206, Plesk/RoundCube host), sterdiffa-steel.ddndsfree.com.
  • [Email] sender/administration addresses – [email protected], [email protected] used for campaigns and admin changes (also [email protected] seen in related phishing/reporting).
  • [File name / attachment] malicious delivery – PDF.IMG (disguised Agent Tesla inside .img/ISO), files converted with ISO burner and attached as .img.
  • [File hash] phishing/malspam artifacts – 8ba55cc754638714764780542eefd629c55703ecf63ae20d5eb65b8c14d3e645, 87709f72683c5ffc166f348212b37aadb7943b5653419f2f0edf694fb50f1878, 691761d401a6650872d724c30b7ef5972e3792e9a2ba88fdca98b4312fb318d8 (HTML pages uploaded to VT).

On the technical side, the campaigns were a coordinated phishing→execution→credential theft chain. Operators provisioned VDS instances, installed Plesk and RoundCube, then used SSH/RDP access (observed source IPs) to create webmail accounts and send malspam at scale. Emails contained ISO/.img attachments (e.g., PDF.IMG) which unpacked a Cassandra‑protected .NET Agent Tesla binary when executed; Cassandra added obfuscation/anti‑emulation, could sign the binary, configure injection (PE hollowing or .NET reflection), copy payloads to AppData, set hidden/system attributes and ACLs, and create Scheduled Tasks for persistence.

Cassandra Protector and the operators applied multiple AV‑evasion and persistence measures: converting protected .NET samples into ISO/.img to bypass file‑type filters, adding Defender exclusions via PowerShell (Add-MpPreference -ExclusionPath), and using process injection to run malicious payloads stealthily. Post‑execution, Agent Tesla harvested keystrokes and browser/email credentials and communicated with a persistent C2 (same C&C across campaigns) to exfiltrate data and receive instructions; the actors reused infrastructure and C2 domains, enabling researchers to link campaigns and attribute activity to actors “Bignosa” and “Gods.”
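As an added illustration (not code from the Check Point report), a small Python detector that runs over constructed log lines and flags the two Cassandra Protector host behaviours described above: a Defender exclusion added with Add-MpPreference -ExclusionPath, and a scheduled task whose action runs from a user's AppData directory, then correlates both on the same host and path. The event IDs, field layout, hostnames and paths in the sample lines are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not from the report): PowerShell script-block
# logging (assumed Event ID 4104) and task creation (assumed Event ID 4698),
# flattened to one line each so the example runs offline.
SAMPLE_EVENTS = [
    'EventID=4104 Host=WS01 ScriptBlockText="Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"',
    'EventID=4104 Host=WS01 ScriptBlockText="Get-Process | Where-Object CPU -gt 50"',
    'EventID=4698 Host=WS01 TaskName="\\OneDriveUpdate" Command="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"',
    'EventID=4698 Host=WS02 TaskName="\\Backup" Command="C:\\Program Files\\Backup\\backup.exe"',
    'EventID=4104 Host=WS03 ScriptBlockText="Add-MpPreference -ExclusionPath \'C:\\Tools\'"',
]

# Exclusion added via the cmdlet named on the page; the path may be quoted or bare.
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+[\'"]?([^\'"]+)', re.IGNORECASE)
TASK_RE = re.compile(r'TaskName="([^"]+)"\s+Command="([^"]+)"')
# Per-user writable location the protector copies its payload into.
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)

@dataclass
class Finding:
    host: str
    technique: str   # MITRE ATT&CK technique ID as listed on this page
    path: str
    severity: str

def analyze(events):
    """Return one Finding per suspicious exclusion or AppData-backed task."""
    findings = []
    for line in events:
        host = re.search(r'Host=(\S+)', line).group(1)
        m = EXCLUSION_RE.search(line)
        if m:
            path = m.group(1).strip()
            # An exclusion on a user-writable path is the Cassandra pattern; rate it higher.
            sev = "high" if USER_WRITABLE_RE.search(path) else "medium"
            findings.append(Finding(host, "T1562.001", path, sev))
            continue
        m = TASK_RE.search(line)
        if m and USER_WRITABLE_RE.search(m.group(2)):
            findings.append(Finding(host, "T1053.005", m.group(2), "high"))
    return findings

def correlate(findings):
    """Hosts where the same path is both Defender-excluded and scheduled."""
    by_key = {}
    for f in findings:
        by_key.setdefault((f.host, f.path), set()).add(f.technique)
    return [k for k, techs in by_key.items() if {"T1562.001", "T1053.005"} <= techs]
```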

Read more: https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/