New Agent Tesla Campaign Targeting Spanish-Speaking People | Fortinet Blog

Fortinet researchers uncovered a phishing campaign targeting Spanish speakers that delivers a new Agent Tesla variant. The campaign chains two Office exploits (CVE-2017-0199 and CVE-2017-11882) with a fileless loader that downloads and runs PowerShell/JavaScript to install Agent Tesla and exfiltrate data over FTP. #AgentTesla #CVE-2017-0199 #CVE-2017-11882 #Thunderbird #FTP

Key points

  • Campaign targets Windows users with a Spanish-language phishing email containing a disguised Excel attachment (Figure 1).
  • Exploits CVE-2017-0199 in the Excel document to trigger code execution and load a crafted RTF document.
  • CVE-2017-11882 (Equation Editor) is then exploited to achieve remote code execution through crafted equation data in the loaded document.
  • A fileless loader module downloads Agent Tesla and runs it inside a suspended AddInProcess32 process using process hollowing.
  • The malware includes anti-analysis checks (debugger, VM/sandbox, AV DLLs) and exits if it detects virtualization or analysis tools.
  • Credentials are stolen from over 80 apps (Chromium/Mozilla browsers, Thunderbird, email clients, FTP clients, VPNs, etc.) and email contacts are harvested from Thunderbird.
  • Stolen data is submitted to an FTP server (ftp.fosna.net) using the STOR command, with logs and HTML-formatted data files.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The phishing email delivered via a disguised Excel attachment: ‘The phishing email looks like a standard SWIFT transfer notification from a large financial institution with a disguised Excel attachment.’
  • [T1203] Exploitation for Client Execution – CVE-2017-0199 in the Excel document is used to execute code: ‘The Excel document is in OLE format with crafted embedded data that exploits the CVE-2017-0199 vulnerability.’
  • [T1203] Exploitation for Client Execution – CVE-2017-11882 is exploited via Office documents to execute code: ‘CVE-2017-11882 is an RCE vulnerability in Microsoft Office’s Equation Editor… can be exploited by Excel, Word, PowerPoint, and RTF documents…’
  • [T1059.001] PowerShell – JavaScript/PowerShell loader code is used after shellcode execution: ‘PowerShell code’s purpose includes…’
  • [T1055.012] Process Hollowing – The loader uses process hollowing to run Agent Tesla in AddInProcess32.exe: ‘process hollowing on the process that it copies the Agent Tesla executable into and executes it within the “AddInProcess32.exe” process.’
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks and environment detection: ‘It performs detections… Windows API CheckRemoteDebuggerPresent… checks for virtualization…’
  • [T1027.001] Data Encoding: Base64 – JavaScript/PowerShell payloads are base64-encoded and decoded: ‘base64-encoded PowerShell code.’
  • [T1555.003] Credentials in Web Browser – Exfiltrates saved credentials from Chromium/Mozilla browsers and other apps: ‘It steals saved credentials from some web browsers…’
  • [T1041.003] Exfiltration Over FTP – Submits stolen data to an FTP server via STOR: ‘submits the stolen data it has harvested from the victim’s device to an FTP server using the “STOR” method.’
  • [T1060] Registry Run Keys/Startup Folder – Persistence mechanism described (though disabled in this variant): ‘adding itself to the auto-run group in the system’s registry.’
  • [T1106] Native API – Process creation with CreateProcessA for a suspended process: ‘CreateProcessA() with the creation flags of 0x80000004 (CREATE_SUSPENDED).’
  • [T1059.005] Windows Script Host – JavaScript execution via WScript.exe: ‘the Windows program WScript.exe is called to execute the JS file.’
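As an added detection example (not code from the Fortinet post), the following Python pass scans constructed Sysmon-style process-creation and network events for the chain summarized in the key points and technique list above: an Office application spawning a script host, an encoded PowerShell command line, AddInProcess32.exe started by a script host, and FTP traffic from that process to the named exfiltration host. The log layout, field names, sample lines and the `min_stages` threshold are assumptions made for this example.

```python
import ntpath
import re

# Process names come from the campaign summary; the log layout, field names and
# every sample line are constructed for this example, not real telemetry.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
HOLLOW_HOST = "addinprocess32.exe"   # hollowing target named in the post
EXFIL_FTP_HOST = "ftp.fosna.net"     # exfiltration server named in the post
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_PS_RE = re.compile(r"\s-e(?:nc(?:odedcommand)?|c)?\b")  # -e/-ec/-enc/-encodedcommand

def parse_event(line):
    """Parse one 'Key=value Key="quoted value"' log line into a dict of strings."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def base(path):
    return ntpath.basename(path).lower()

def match_stages(ev):
    """Names of the chain stages that one event matches (empty list if none)."""
    img, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
    stages = []
    if ev.get("EventID") == "1":  # process creation
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            stages.append("office app spawned script host")
        if img == "powershell.exe" and ENC_PS_RE.search(ev.get("CommandLine", "").lower()):
            stages.append("encoded powershell")
        if img == HOLLOW_HOST and parent in SCRIPT_HOSTS:
            stages.append("addinprocess32 launched by script host")
    elif ev.get("EventID") == "3":  # network connection
        if img == HOLLOW_HOST and (ev.get("DestinationPort") == "21"
                                   or ev.get("DestinationHostname", "").lower() == EXFIL_FTP_HOST):
            stages.append("ftp from addinprocess32")
    return stages

def detect_chain(log_text, min_stages=3):
    """Distinct chain stages seen across a whole log, and whether enough line up to alert."""
    seen = sorted({s for line in log_text.strip().splitlines()
                   for s in match_stages(parse_event(line))})
    return {"stages": seen, "chain": len(seen) >= min_stages}

# Constructed sample log: four events of the described chain plus one benign event.
SAMPLE_LOG = r'''
EventID=1 Image="C:\Windows\System32\wscript.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="wscript.exe C:\Users\v\AppData\Local\Temp\eveningdatingforeveryone.js"
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\wscript.exe" CommandLine="powershell.exe -nop -w hidden -enc QQBCAEMA"
EventID=1 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="AddInProcess32.exe"
EventID=3 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" DestinationHostname="ftp.fosna.net" DestinationPort=21
EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"
'''
```

Running `detect_chain(SAMPLE_LOG)` reports all four stages and `chain: True`; a single matching stage on its own (for instance one encoded PowerShell launch) stays below the threshold and is left for triage rather than alerted.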

Indicators of Compromise

  • [URL] Malicious resources – hxxps[:]//ilang[.]in/QqBbmc, hxxp[:]//equalizerrr[.]duckdns[.]org/eveningdatingforeveryone.js
  • [URL] Additional script/loader links – hxxps[:]//paste[.]ee/d/yWWXG
  • [URL] Image-hosted/executable delivery – hxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778
  • [FTP] Command-and-control/exfiltration – ftp[.]fosna.net
  • [SHA-256] Sample hashes – 8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7, 208AF8E2754A3E55A64796B29EF3A625D89A357C59C43D0FF4D2D30E20092D74, 7230CC614270DCA79415B0CF53A666A219BEB4BEED90C85A1AC09F082AEA613B, A1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862

Read more: https://feeds.fortinet.com/~/899089487/0/fortinet/blog/threat-research~New-Agent-Tesla-Campaign-Targeting-SpanishSpeaking-People