{"id":7536,"date":"2022-03-04T11:15:54","date_gmt":"2022-03-04T19:15:54","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7536"},"modified":"2024-04-26T13:20:08","modified_gmt":"2024-04-26T20:20:08","slug":"ukraine-themed-malspam-drops-agent-tesla","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/ukraine-themed-malspam-drops-agent-tesla\/","title":{"rendered":"Ukraine-Themed Malspam Drops Agent Tesla"},"content":{"rendered":"<h3><strong>Author: Christopher Kim<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<h3>1. Overview<\/h3>\n<p>On 1 March, Infoblox observed a malspam campaign that was using messages related to Russia\u2019s invasion of Ukraine. The malspam campaign was trying to lure users into downloading a ZIP file attachment whose contents could download the Agent Tesla keylogger.<br \/>\nThis campaign occurred a week after Russia invaded Ukraine. It is one of multiple campaigns that have taken advantage of the conflict by luring users via socially engineered emails and websites with lookalike domains that serve fake donation content.<sup>1<\/sup><\/p>\n<h3>2. Customer impact<\/h3>\n<p>Agent Tesla is a malware-as-a-service (MaaS) remote access trojan (RAT) that security researchers first discovered in 2014. It is usually distributed via spam or phishing emails, and it has many capabilities for stealing information from a victim\u2019s machine, including the following:<\/p>\n<ul>\n<li>logging keystrokes<\/li>\n<li>extracting data from the host\u2019s clipboard<\/li>\n<li>capturing screens<\/li>\n<li>grabbing forms<\/li>\n<li>stealing credentials from VPN software<\/li>\n<\/ul>\n<p>After gathering sensitive information from a victim\u2019s machine, Agent Tesla exfiltrates the stolen information by using a web browser or an email client.<\/p>\n<h3>3. 
Campaign analysis<\/h3>\n<p>In this campaign, the threat actor(s) crafted messages using the email address supawadee.so@univance[.]co[.]th to impersonate UNIVANCE (Thailand) Co., Ltd: a manufacturer of automobile parts. The subject line is REQ : Supplier Survey : Effect of supply chain from the Ukraine\/Russa conflict, and the body section is empty. The ZIP file attachment is named REQ Supplier Survey.zip and contains an embedded Microsoft Windows executable.<\/p>\n<h3>4. Attack chain<\/h3>\n<p>When a user extracts the ZIP file attachment, the embedded Windows executable is launched and writes itself to C:\\Users\\User\\AppData\\Roaming\\Fgefvp\\Gzgrfb.exe. A Run registry key is also created, and will enable Gzgrfb.exe to run every time the user signs in to the machine. Next, the malware downloads the Agent Tesla binary from Discord\u2019s content delivery network (CDN) servers and injects the malicious code into the legitimate Windows process MSBuild.exe via process hollowing: a common technique for evading detection by antivirus software.<sup>2<\/sup><br \/>\nNext, Agent Tesla steals account credentials and other sensitive information from the compromised system. It sends the stolen data to the actor\u2019s email account officestore2022@gmail[.]com via SMTP, by using the compromised email account julieta@escueladeseguridadmaritima[.]com and the email server mail[.]escueladeseguridadmaritima[.]com.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7543\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/infoblox-blog-ukraine-themed-malspam-drops-agent-tesla.jpg\" alt=\"\" width=\"540\" height=\"782\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-blog-ukraine-themed-malspam-drops-agent-tesla.jpg 540w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-blog-ukraine-themed-malspam-drops-agent-tesla-207x300.jpg 207w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/p>\n<h3>5. 
Vulnerabilities and mitigation<\/h3>\n<p>Agent Tesla is a dangerous RAT that can have severe and negative impact on its victims. Infoblox strongly recommends that businesses consider the following security measures:<\/p>\n<ul>\n<li>Be wary of opening emails from unfamiliar senders, and inspect unexpected attachments before opening them.<\/li>\n<li>Agent Tesla can also communicate with its C&amp;C using a Tor client. Forbid the use of the Tor network if it is not crucial to business operations.<\/li>\n<li>Identify and flag API requests to messaging and CDN services, such as Discord. Such requests are indicative of unusual user behavior.<\/li>\n<li>Do not allow web browsers to save credentials or other sensitive information.<\/li>\n<\/ul>\n<p><strong>Endnotes<\/strong><\/p>\n<ol>\n<li><strong><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-ukrainian-support-fraud\/\" rel=\"noopener\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-ukrainian-support-fraud\/<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/012\/\" target=\"_blank\" rel=\"noopener\">https:\/\/attack.mitre.org\/techniques\/T1055\/012\/<\/a><\/strong><\/li>\n<\/ol>\n<h3>Appendix <span>(downloadable list <a href=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/ukraine-themed-malspam-drops-agent-tesla.csv\">here<\/a>)<\/span><\/h3>\n<table width=\"665\">\n<tbody>\n<tr>\n<td width=\"543\"><strong>Representative Indicators of Compromise<\/strong><\/td>\n<td width=\"122\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"543\">supawadee.so@univance[.]co[.]th<\/td>\n<td width=\"122\">From email address<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">REQ : Supplier Survey : Effect of supply chain from the Ukraine\/Russa conflict<\/td>\n<td width=\"122\">Email subject<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">REQ Supplier Survey.zip<\/td>\n<td width=\"122\">ZIP attachment file name<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">REQ Supplier Survey.exe<\/td>\n<td width=\"122\">Executable file name<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">0ea1d24ade8602c0829bd73735ddfcdd6d6dfa12c6370e7cee0c04653a352839<\/td>\n<td width=\"122\">ZIP file sha256<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">e4d309967904ca32fa5a00e70161c95621c687e46f2512bac1f061b0303fe863<\/td>\n<td width=\"122\">Executable file sha256<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">hXXps:\/\/cdn[.]discordapp[.]com\/attachments\/946667303825735721\/948011944776986715\/Izcei[.]jpg<\/td>\n<td width=\"122\">Agent Tesla download URL<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">officestore2022@gmail[.]com<\/td>\n<td width=\"122\">Actor\u2019s email address<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">julieta@escueladeseguridadmaritima[.]com<\/td>\n<td width=\"122\">Email address used for exfiltration<\/td>\n<\/tr>\n<tr>\n<td width=\"543\">mail[.]escueladeseguridadmaritima[.]com<\/td>\n<td width=\"122\">Email server used for exfiltration<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim &nbsp; 1. Overview On 1 March, Infoblox observed a malspam campaign that was using messages related to Russia\u2019s invasion of Ukraine. The malspam campaign was trying to lure users into downloading a ZIP file attachment whose contents could download the Agent Tesla keylogger. This campaign occurred a week after Russia invaded Ukraine. 
[&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":7548,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[479,657,488,294,40],"class_list":{"0":"post-7536","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-cyber-security","9":"tag-cyber-threat-intelligence","10":"tag-cyberthreat-intelligence-report","11":"tag-malspam","12":"tag-threat-intelligence","13":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=7536"}],"version-history":[{"count":7,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7536\/revisions"}],"predecessor-version":[{"id":7549,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7536\/revisions\/7549"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/7548"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=7536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=7536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=7536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}