{"id":6312,"date":"2021-05-12T10:09:22","date_gmt":"2021-05-12T17:09:22","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6312"},"modified":"2024-04-26T13:20:42","modified_gmt":"2024-04-26T20:20:42","slug":"malspam-delivering-agent-tesla-keylogger-spoofs-oil-gas-co-messages","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-delivering-agent-tesla-keylogger-spoofs-oil-gas-co-messages\/","title":{"rendered":"Malspam Delivering Agent Tesla Keylogger Spoofs Oil & Gas Co. Messages"},"content":{"rendered":"

Author: Shashank Jain<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

Between 3 and 5 April, Infoblox observed a malicious spam campaign distributing weaponized Microsoft Excel spreadsheets (XLS) containing malicious macros intended to infect victims\u2019 machines with the Agent Tesla keylogger. The threat actor(s) used a spoofed email sender address to gain the victim’s trust by impersonating Petroham Oil & Gas, a legitimate chemical and petrochemical company based in Abu Dhabi.<\/p>\n

Customer Impact<\/h3>\n

Agent Tesla malware is known for its keylogging and credential stealing capabilities, as well as its distribution method as a form of \u201cmalware-as-a-service.\u201d<\/p>\n

Infoblox has previously reported on Agent Tesla campaigns in Dec 20201<\/sup> and April 2021.2<\/sup> Both used the same initial attack vector (malspam) and delivery technique (weaponized XLS files containing malicious macros) as this recent campaign.<\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, the threat actor(s) used the sender email address sales@oryx-ad[.]ae<\/em> to impersonate the Abu Dhabi-based oil and gas company with the subject line Labour Day holiday RFQ 191938<\/em>. The email bodies are empty but the messages carry an attachment with the filename RFQ 191938.xls,<\/em> as referenced by the subject line. All of the XLS files contained malicious macros.<\/p>\n

Attack Chain<\/h3>\n

When the user opens the attachment, they will see the error message \u201cWord experienced an error while trying to open the file.\u201d In the background, cmd.exe (windows legitimate utility) begins to run and executes a PowerShell script via Windows Management Instrumentation (WMI).<\/p>\n

The malicious program then creates a scheduled task to achieve persistence and uses the Windows native application aspnet_compiler to compile and connect to the command and control (C&C) server to download the Agent Tesla payload.3<\/sup> After successful execution of the payload, it starts capturing the victim\u2019s login credentials that have been stored in browsers and registries, while also capturing screenshots using its keylogger abilities.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Malspam attachments containing malicious macros are the primary infection vectors for Agent Tesla. Infoblox recommends the following actions to reduce the risk of this type of infection:<\/p>\n