{"id":6223,"date":"2021-04-13T12:10:48","date_gmt":"2021-04-13T19:10:48","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6223"},"modified":"2024-04-26T13:20:46","modified_gmt":"2024-04-26T20:20:46","slug":"agent-tesla-malspam-campaign-spoofs-bank-correspondence","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/agent-tesla-malspam-campaign-spoofs-bank-correspondence\/","title":{"rendered":"Agent Tesla Malspam Campaign Spoofs Bank Correspondence"},"content":{"rendered":"

Author: Nick Sundvall<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

From 1 to 6 April, we observed a malspam campaign distributing a TAR file containing Agent Tesla, a remote access trojan (RAT) designed to steal information from a victim. The campaign\u2019s email subjects attempted to gain the victims trust by impersonating the British bank Standard Chartered. Some of the emails claimed to offer advice from the bank, as well as notified the recipient of a payment.<\/p>\n

Customer Impact<\/h3>\n

Discovered in 2014,1<\/sup> the Agent Tesla RAT has a variety of malicious capabilities such as stealing credentials from browsers, VPNs, FTP and email clients. It can also record the user\u2019s screen and log keystrokes. The threat actor can then use these stolen credentials and keystrokes to log into, and potentially take over, the user\u2019s accounts to access more of their data.<\/p>\n

Agent Tesla is distributed as \u201cmalware-as-a-service,\u201d reportedly for as little as $12 USD online. This buys a one-month license, an online portal to set up the configuration of the malware, and 24\/7 support.2<\/sup><\/p>\n

Campaign Analysis<\/h3>\n

The threat actor behind this campaign used email subjects mimicking correspondence from Standard Chartered, a legitimate British bank. One of the email subject lines was SUBJECT:Advice from Standard Chartered Bank<\/em> and Confirming – Notice of payment,<\/em> with a sender\u2019s name of Standard Chartered Bank<\/em>. The sender\u2019s address (AdvicesMY@sc[.]com<\/em>) also imitates the real Standard Chartered Bank\u2019s website (sc[.]com<\/em>).<\/p>\n

All of the emails had a TAR file attachment containing an executable (EXE). TAR files are a kind of archive file, similar to a ZIP or RAR. The EXE was the malicious payload containing Agent Tesla. The file names, such as Payment Advice.img.tar,<\/em> all include .img.tar<\/em> as the extension in an attempt to disguise themselves as an image (IMG) file. The bodies of the emails are all empty.<\/p>\n

Attack Chain<\/h3>\n

Upon opening the attached TAR file, the victim is able to extract the malicious EXE – MY08466Q000951.exe<\/em>– from the archive. Running the EXE initiates the Agent Tesla RAT. From here, the malware begins stealing the victim\u2019s credentials.<\/p>\n

Once Agent Tesla has gathered the information, it exfiltrates it over SMTP and then sends the data to the email address vijay.yadav@mivante[.]com<\/em>.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following to reduce the risk of this type of infection: <\/p>\n