Agent Tesla Campaign Targets US Education and Government Sectors.

This campaign used malicious email attachments and known Office/Windows CVEs to deliver Taskun as a dropper and Agent Tesla as an information-stealing payload, enabling credential theft, screen capture, and C2 communications. Defenders are advised to apply targeted patches, deploy detection rules (SNORT/YARA), harden endpoints (disable legacy protocols, GPO blocks), and share IoCs across controls. #AgentTesla #Taskun #USeducation #USgovernment

Keypoints

  • Attackers used spearphishing with malicious email attachments to gain initial access to U.S. education and government targets.
  • Exploitation of multiple Office and Windows CVEs (e.g., CVE-2018-0802, CVE-2017-0199) enabled remote code execution and payload delivery.
  • Taskun acted as a facilitator/dropper that established persistence and helped evade detection before deploying Agent Tesla.
  • Agent Tesla performed credential harvesting, keylogging, screenshot capture, and C2-based exfiltration of stolen data.
  • Defensive recommendations include targeted patching, automated rule deployment across SNORT/YARA, endpoint hardening (disable WDigest, tighten NTLM), and GPO blocks (e.g., Equation Editor).
  • Several file hashes tied to Agent Tesla and Taskun were published as IoCs and should be propagated across security layers.
  • Proactive controls and continuous IoC/IoA distribution are emphasized to disrupt C2 and exfiltration channels.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial access via malicious email attachments (‘The attack vector utilized in this campaign was primarily through malicious email attachments.’)
  • [T1203] Exploitation for Client Execution – Exploited Office/Windows CVEs to achieve remote code execution and run payloads (‘exploit a series of vulnerabilities across a range of common office and operating system software.’)
  • [T1547.001] Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution) – Taskun maintained persistence on compromised hosts (‘Taskun’s role is crucial in maintaining persistence and evading detection, allowing for a deeper entrenchment of the primary payload.’)
  • [T1056.001] Input Capture: Keylogging – Agent Tesla captured keystrokes to harvest credentials (‘It systematically captures a variety of sensitive data, which includes keystrokes…’)
  • [T1113] Screen Capture – Use of screenshot capture to collect visual data from victims (‘…captures a variety of sensitive data, which includes…screenshots…’)
  • [T1003] Credential Dumping – Campaign enabled credential harvesting and referenced tools like Mimikatz as threats to be mitigated (‘Direct integration of protective measures into the operating system effectively neutralizes threats from tools like Mimikatz before they can compromise credentials.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Agent Tesla and Taskun used C2 communications for exfiltration and control (‘To effectively disrupt the communication channels used by Agent Tesla and Taskun…’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Adversaries evaded detection and used techniques to persist and avoid security controls (‘Taskun’s role…evading detection…’)

Indicators of Compromise

  • [File Hashes] Agent Tesla samples – 1991450173740bcf6b16c3215619f853, 4f38ee61eff03a89b68ba9f5d58a780e, and 7 more hashes
  • [File Hashes] Taskun samples – 52728ce7df73b61540a0ecdb8fb61fe7, c73a4f19784e3b30092e169822e617ba, and 1 more hash
  • [CVE] Vulnerabilities targeted – CVE-2018-0802, CVE-2017-0199, CVE-2017-8570, and other Office/Windows CVEs listed in the campaign

Rewrite of the article — technical procedure focus:

The attackers delivered Taskun via crafted email attachments that exploited multiple Office and Windows vulnerabilities (including CVE-2018-0802, CVE-2017-0199, CVE-2017-8570, CVE-2018-0798 and legacy issues) to execute code on target systems. Once executed, Taskun established persistence and footholds on hosts, disabled or avoided detection mechanisms, and staged the deployment of Agent Tesla, which acted as the primary data-stealing payload.

Agent Tesla collected keystrokes, screenshots, and stored credentials, then communicated with remote command-and-control servers over application-layer protocols to exfiltrate harvested data. The combined chain relied on targeted reconnaissance to select vulnerable software and on maintaining long-lived access via autostart/persistence mechanisms and defense-evasion techniques to maximize data capture before detection.

Mitigation steps focus on closing the exploited attack surface and augmenting detection. Apply available patches for the listed CVEs; propagate and enforce IoCs across network and endpoint protections; deploy automated detection rules (SNORT, YARA) tuned to the campaign signatures; harden endpoints by disabling legacy authentication mechanisms (e.g., WDigest) and tightening NTLM/credential policies; and use GPOs to remove known abused components such as the Equation Editor. Distributing the published hashes and continuously updating IoAs across security layers is critical to disrupting C2 and exfiltration pathways.
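As an added example (not code from the Veriti article), the following PowerShell script audits the three endpoint-hardening settings named above and, with the script's own -Enforce switch, sets each to the Microsoft-documented value: WDigest plaintext credential caching off, LmCompatibilityLevel 5 (NTLMv2 only), and the Equation Editor COM object blocked. It assumes an elevated session and 64-bit Office; 32-bit Office on 64-bit Windows keeps the Equation Editor COM key under WOW6432Node instead.

```powershell
# Added example, not from the original article: audit/enforce the endpoint-hardening
# settings the campaign summary recommends. Registry paths and values are Microsoft's
# documented settings; the -Enforce switch is this script's own convention.
[CmdletBinding()]
param([switch]$Enforce)

$checks = @(
    @{ Name  = 'WDigest plaintext credential caching disabled (UseLogonCredential=0)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0 },
    @{ Name  = 'NTLM: send NTLMv2 only, refuse LM and NTLM (LmCompatibilityLevel=5)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    # Assumes 64-bit Office; 32-bit Office on x64 uses HKLM:\SOFTWARE\WOW6432Node\...
    @{ Name  = 'Equation Editor COM object blocked (Compatibility Flags=0x400)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}'
       Value = 'Compatibility Flags'; Expected = 0x400 }
)

$results = foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        # Missing value returns $null rather than throwing; an absent value is treated
        # as non-compliant so the setting is made explicit rather than left to defaults.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    $compliant = ($null -ne $current) -and ($current -eq $c.Expected)

    if (-not $compliant -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        $current = $c.Expected; $compliant = $true
    }

    [pscustomobject]@{ Check = $c.Name; Current = $current; Expected = $c.Expected; Compliant = $compliant }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a GPO startup script or RMM job flag hosts that drifted.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it without -Enforce first to see drift across a pilot group; GPO-managed hosts that report non-compliant after a refresh indicate a policy that is not applying rather than a host to hand-patch.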

Read more: https://veriti.ai/blog/veriti-research/agent-tesla-campaign-targets-us-education-and-government-sectors/