More than 11,000 Australian businesses have been targeted in a recent wave of cyberattacks that rely on an outdated but still dangerous strain of malware dubbed Agent Tesla.
Potential victims were bombarded with booby-trapped emails about purchases of goods and requests for order delivery, each carrying a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.
Agent Tesla is a Remote Access Trojan (RAT) that first emerged in 2014. According to researchers at Check Point Software, the malware is widely distributed and frequently used by a variety of threat actors, including cyber criminals and spies.
Alexander Chailytko, head of cybersecurity, research and innovation at Check Point, says threat actors have “developed a level of trust” in Agent Tesla’s capabilities.
“Its reliability, combined with its wide range of capabilities for data exfiltration and information theft, make it the preferred choice for cybercriminals,” explains Chailytko.
The malware offers a range of data exfiltration methods and theft capabilities that target the most commonly used software, from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms like Telegram and Discord, making it easier for criminals to run hacking campaigns.
Agent Tesla made headlines last year when cybercriminals exploited a six-year-old Microsoft Office remote code execution flaw to deliver Agent Tesla.
Anatomy of an Agent Tesla hack
An analysis by Check Point security researchers, published in a blog post this week, offered one of the most detailed inspections to date of the methodology of an Agent Tesla-based phishing campaign. Their work is a post-mortem analysis of a series of high-volume attacks launched in November 2023 against predominantly Australian and American targets.
Check Point said a hacker nicknamed “Bignosa” first installed Plesk (for hosting) and Roundcube (a webmail client) on a hosted server. The attackers then cloaked the Agent Tesla payload using a package called Cassandra Protector, which hid the malicious code and controlled its delivery.
Cassandra Protector bundles a variety of options that allow cyber criminals to configure the sleep time before execution. Among other functions, it checks the text in the fake dialog box that appears when victims open a malicious file.
Once Agent Tesla had been “protected” in this way, Bignosa converted the malicious .NET code into an ISO file with a “.img” extension before attaching the resulting file to spam emails.
Next, Bignosa connected remotely to the newly configured machine, created an email address, logged in to webmail, and began running spam against a pre-prepared list of destination addresses. According to Check Point, “a few successful infections” hit Australia in a first wave of attacks.
Down Under
The threat actors behind the Agent Tesla malware campaign primarily targeted Australian businesses, as demonstrated by the presence of a mailing list file named “AU B2B Lead.txt” on their computers.
“This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the aim of extracting valuable information for financial exploitation,” says Check Point’s Chailytko.
Researchers found that Bignosa also worked with another, more skilled cybercriminal, who immodestly calls himself “Gods,” in a campaign to hack Australian and US companies.
According to Jabber chat logs discovered by security researchers, Gods offered Bignosa advice on the contents of malicious spam messages.
As with other cyber criminals, the two struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.
In multiple cases, Bignosa failed to clean his machine of Agent Tesla test infections, so the unfortunate hacker had to resort to remote assistance from Gods.
Check Point said it believes Bignosa is Kenyan and Gods is a Nigerian with a day job as a web developer.
How to block Agent Tesla infections
The Agent Tesla spear-phishing campaign documented by Check Point underscores the still-prevalent threat posed by mature malware.
Companies should keep operating systems and applications updated by promptly installing patches and using other security measures. According to Check Point, commercial spam filtering and blocklisting tools can help minimize the volume of junk traffic appearing in users’ inboxes.
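One concrete filtering check that follows from the campaign described above, where the ISO payload was shipped under a “.img” extension: inspect attachment content for an ISO 9660 volume descriptor rather than trusting the file name. This is an added illustration, not Check Point's or any vendor's tooling; the extension blocklist and the constructed sample attachments are assumptions for the example.

```python
"""Flag e-mail attachments that are optical-disc images regardless of their
file extension.  Added example (not from Check Point): an ISO 9660 image
renamed to ".img" slips past a filter keyed only on ".iso"."""
import os

# ISO 9660: the primary volume descriptor sits at sector 16 (2048-byte
# sectors); byte 0 is the descriptor type, bytes 1..5 are the id "CD001".
ISO_SIG_OFFSET = 16 * 2048 + 1
ISO_SIGNATURE = b"CD001"
# Assumed blocklist of disk-image extensions a gateway would refuse.
DISK_IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx", ".udf"}


def is_iso9660(data: bytes) -> bool:
    """True if the payload carries an ISO 9660 volume descriptor signature."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIGNATURE)] == ISO_SIGNATURE


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: block it if its name or its
    content marks it as a mountable disc image, and note name/content
    mismatches (a ".pdf" that is really an ISO) separately."""
    ext = os.path.splitext(filename.lower())[1]
    reasons = []
    if ext in DISK_IMAGE_EXTS:
        reasons.append(f"disk-image extension {ext}")
    if is_iso9660(data):
        reasons.append("ISO 9660 signature at sector 16")
        if ext not in {".iso", ".img"}:
            reasons.append("extension does not match content")
    return {"filename": filename, "block": bool(reasons), "reasons": reasons}


def fake_iso(volume_id: bytes = b"ORDER") -> bytes:
    """Constructed minimal ISO 9660 blob for testing: 17 zeroed sectors with a
    primary volume descriptor at sector 16.  Not a real, mountable image."""
    buf = bytearray(17 * 2048)
    buf[16 * 2048] = 1                                  # type 1 = primary
    buf[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] = ISO_SIGNATURE
    buf[16 * 2048 + 6] = 1                              # descriptor version
    buf[16 * 2048 + 40:16 * 2048 + 40 + len(volume_id)] = volume_id
    return bytes(buf)


# Constructed sample attachments mimicking the lure (purchase order / delivery).
SAMPLE_ATTACHMENTS = [
    ("Purchase Order 4471.img", fake_iso()),       # ISO renamed to .img
    ("Delivery Request.pdf", fake_iso()),          # ISO disguised as PDF
    ("Delivery Request.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # benign PDF
]


def triage(attachments=SAMPLE_ATTACHMENTS) -> list:
    return [assess_attachment(name, data) for name, data in attachments]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```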
Nonetheless, end users should exercise caution when encountering unexpected emails containing links, especially from unknown senders. According to Check Point, this is where regular employee training and education programs can strengthen cybersecurity awareness.