Mass malicious mailing campaigns are moving toward targeted-style operations, impersonating real companies and delivering malicious attachments. The payload is Agent Tesla, a credential-stealing malware that can exfiltrate data through various channels and perform keystroke logging, clipboard interception, and screenshots. #AgentTesla #TrojanPSW.MSIL.Agensla #EssentialApparatus #KeeProjects #NuozhongSteel
Keypoints
- Campaigns have evolved from generic spam to targeted-style emails that mimic real companies and use authentic signatures.
- Emails often include attachments claiming to contain customer requirements or product lists, with the attachment being the malware payload.
- Several sample messages pose as orders from senders of different nationalities (Malaysian, Bulgarian) to appear legitimate, complete with company logos and signatures.
- The campaign spreads Agent Tesla malware, a long-known stealer capable of collecting credentials from many apps and forwarding them to operators.
- Agent Tesla supports data exfiltration via multiple channels (email, Telegram, FTP, and a website) and can perform credential theft across browsers, email clients, FTP clients, databases, and more.
- Campaign activity was substantial in 2022, with hundreds of thousands of messages detected monthly and notable peaks in June.
- Affected regions include Europe, Asia, and Latin America, with Mexico, Spain, and Germany among the top impacted countries.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Emails carrying malicious archives as attachments to deliver the payload. Quote: “The requested products list is said to be in the attachment, as in the previous specimen.”
- [T1113] Screen Capture – Agent Tesla can make screenshots as part of its data theft capabilities. Quote: “Agent Tesla is also capable of making screenshots, intercepting clipboard contents and logging keystrokes.”
- [T1115] Clipboard Data – Intercepting clipboard contents as part of data collection. Quote: “intercepting clipboard contents and logging keystrokes.”
- [T1056.001] Keylogging – Logging keystrokes to capture credentials and other sensitive inputs. Quote: “logging keystrokes.”
- [T1003] Credential Dumping – Extracting stored passwords from browsers and other applications. Quote: “fetch passwords stored in browsers and other applications, and forward these to the operator.”
- [T1041] Exfiltration Over C2 Channel – Forwarding stolen data via email, Telegram, FTP, or a website; operational exfiltration channels used by Agent Tesla. Quote: “the payload… forward these to the operator. While Agent Tesla most frequently forwards data via email, there are versions that drop the stolen data into a Telegram secret chat, on a website operated by the attackers or on an FTP server.”
Indicators of Compromise
- [MD5] MD5 hashes of attached archives – ddc607bb993b94c543c63808bebf682a, 862adb87b0b894d450f8914a353e3e9c, a1ae8b0d794af648908e0345204ea192, 9d0364e1f625edb286b0d5541bb15357, eee70de3ac0dc902b99ed33408e646c9
- [MD5] MD5 hashes of the dropped executables (the attackers’ email accounts and mail servers used to send and receive the stolen data are listed below) – 64011a7871abb873c822b8b99082e8ab, b012cb8cfee0062632817d12d43f98b4
- [Email address] Mail from: [email protected], Mail from: [email protected], and Mail to: [email protected]
- [Domain] essentialapparatus.co.ke, keeprojects.in
- [Mail server] mail.essentialapparatus.co.ke:587, mail.keeprojects.in:587
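The indicators above can be turned into a small triage check: flag outbound SMTP-submission connections to the two attacker mail servers (the channel Agent Tesla most often uses for exfiltration) and match attachment or executable hashes against the listed MD5s. This is an added example, not code from the Securelist article; the firewall log format and the sample log lines are constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the summary above: attacker-controlled SMTP servers (port 587)
# and MD5 hashes of the attached archives and the dropped executables.
EXFIL_SMTP_SERVERS = {"mail.essentialapparatus.co.ke": 587, "mail.keeprojects.in": 587}
ATTACHMENT_MD5 = {
    "ddc607bb993b94c543c63808bebf682a", "862adb87b0b894d450f8914a353e3e9c",
    "a1ae8b0d794af648908e0345204ea192", "9d0364e1f625edb286b0d5541bb15357",
    "eee70de3ac0dc902b99ed33408e646c9",
}
PAYLOAD_MD5 = {"64011a7871abb873c822b8b99082e8ab", "b012cb8cfee0062632817d12d43f98b4"}

# Constructed (hypothetical) firewall log format: "<timestamp> <src_ip> -> <dst_host>:<port> <proto>"
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

def flag_exfil_connections(log_lines):
    """Return (timestamp, src_ip, host, port) for connections to the listed exfil servers.

    Port 587 alone is not suspicious (it is the normal mail-submission port), so a line is
    flagged only when both the destination host and the port match an indicator.
    """
    hits = []
    for line in log_lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # not a connection record in the constructed format
        ts, src, host, port, _proto = m.groups()
        host = host.lower().rstrip(".")
        if EXFIL_SMTP_SERVERS.get(host) == int(port):
            hits.append((ts, src, host, int(port)))
    return hits

def classify_digest(md5_hex):
    """Map an MD5 hex digest to the indicator class it belongs to, or None if unknown."""
    md5_hex = md5_hex.lower()
    if md5_hex in ATTACHMENT_MD5:
        return "attachment-archive"
    if md5_hex in PAYLOAD_MD5:
        return "agent-tesla-executable"
    return None

def classify_file(data):
    """Hash raw file bytes (e.g. a mail attachment) and classify them against the IoC list."""
    digest = hashlib.md5(data).hexdigest()
    return digest, classify_digest(digest)

# Constructed sample log: one IMAP connection, one matching SMTP submission, one benign relay.
SAMPLE_LOG = [
    "2022-06-01T10:14:58Z 10.0.0.5 -> mail.keeprojects.in:993 tcp",
    "2022-06-01T10:15:02Z 10.0.0.5 -> mail.keeprojects.in:587 tcp",
    "2022-06-01T10:15:10Z 10.0.0.7 -> smtp.example.com:587 tcp",
    "malformed line that should be skipped",
]
```

Run over real firewall or proxy exports, a hit on the second pattern (host plus port 587) is the outbound exfiltration leg and the source IP is the host to isolate and image.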
Read more: https://securelist.com/agent-tesla-malicious-spam-campaign/107478/