
Agent Tesla stealer targets users worldwide

By Staff Writer, ITWeb
Johannesburg, 25 Oct 2022

An unusual spam e-mail campaign targeting businesses worldwide has been discovered by Kaspersky.

Imitating e-mails from vendors or counter-party entities, bad actors attempt to steal login data from the affected organisations by using the infamous Trojan spyware dubbed Agent Tesla. 

The malware is distributed as a self-extracting archive attached to the weaponised e-mail.

The stolen credentials could then be sold on dark Web forums or used in targeted attacks against these entities.

These days, attackers are investing heavily in mass spam campaigns, notes Kaspersky. This particular campaign contains high-quality imitations of business inquiries by real companies and only gives itself away by using illegitimate sender addresses.

Once deployed as the payload, the Trojan lets its operators steal authentication data, take screenshots, and capture input from Web cameras and keyboards.

Linguistic errors

The general format follows the conventions of corporate correspondence. For example, there is a logo that belongs to a real company and a signature that features sender details. In general, the request appears legitimate, and the linguistic errors can be attributed to the sender being a non-native speaker. In one e-mail example, someone posing as a Malaysian prospect uses bad English to ask the recipient to review customer requirements and get back with the requested documents.

The only suspicious element of the e-mail is the sender's address: its domain name does not match the company named in the logo.

All messages originated within a limited range of IP addresses and the attached archives contained Agent Tesla, leading researchers to believe that all these messages were part of one targeted campaign.
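The three giveaways the article describes (a sender domain that does not match the company the message claims to come from, a self-extracting archive attached to the message, and messages originating from a narrow IP range) can be turned into a mail-triage check. The following is an added example written for this page, not code from Kaspersky or ITWeb. It assumes the signature block carries the claimed company's Web address (standing in for the logo, which text parsing cannot see), that a self-extracting archive is a Windows executable and therefore starts with the "MZ" magic bytes whatever its file name says, and that the suspect originating range is known; the sample message, company names, domains and the 203.0.113.0/28 range are all constructed for the demonstration.

```python
"""Triage a raw e-mail for the three Agent Tesla lure indicators described above."""
import email
import email.policy
import ipaddress
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: the IP range the campaign's messages were seen to originate from.
CAMPAIGN_RANGE = ipaddress.ip_network("203.0.113.0/28")

# Web address in the signature, e.g. "www.company.example" or "https://company.example".
SIGNATURE_DOMAIN = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)
# IPv4 literal in brackets as written by MTAs in Received headers.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed attachment bodies: a PE executable (what a self-extracting archive is)
# and a genuine zip file, both named as if they were ordinary documents.
SFX_BYTES = b"MZ\x90\x00" + b"\x00" * 60
ZIP_BYTES = b"PK\x03\x04" + b"\x00" * 60


def build_sample_eml(sender="Contoso Trading Purchasing <purchasing@ctrading-sales.example>",
                     hop_ip="203.0.113.7", attachment=SFX_BYTES):
    """Build a constructed business-inquiry lure and return it as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.lookalike.example ([%s]) by mx.victim.example "
                       "with ESMTP; Tue, 25 Oct 2022 09:12:31 +0000" % hop_ip)
    msg["From"] = sender
    msg["To"] = "sales@victim.example"
    msg["Subject"] = "RFQ: please review customer requirement"
    msg.set_content(
        "Dear Sir,\n\nKindly review attached customer requirement and revert "
        "with the requested documents soonest.\n\nBest regards,\nAhmad Ismail\n"
        "Contoso Trading Sdn Bhd\nwww.contoso-trading.example\n"
    )
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="Customer_Requirements.zip")
    return msg.as_bytes()


def body_domains(text):
    """Domains the message body claims to belong to (from Web addresses in the signature)."""
    return {re.sub(r"^www\.", "", d.lower()) for d in SIGNATURE_DOMAIN.findall(text)}


def originating_ip(msg):
    """IP of the first hop: Received headers are prepended, so the last one is the earliest."""
    for hop in reversed(msg.get_all("Received") or []):
        match = IP_IN_BRACKETS.search(str(hop))
        if match:
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:
                continue
    return None


def executable_attachments(msg):
    """Names of attachments whose content is a PE executable, regardless of extension."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"MZ"):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def triage(raw):
    """Return the indicator findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    claimed = body_domains(body.get_content()) if body is not None else set()
    src = originating_ip(msg)
    findings = {
        "sender_domain": from_domain,
        "claimed_domains": sorted(claimed),
        # Only meaningful when the body names a domain at all.
        "domain_mismatch": bool(claimed) and from_domain not in claimed,
        "originating_ip": str(src) if src is not None else None,
        "in_campaign_range": src is not None and src in CAMPAIGN_RANGE,
        "executable_attachments": executable_attachments(msg),
    }
    findings["suspicious"] = (findings["domain_mismatch"]
                              or findings["in_campaign_range"]
                              or bool(findings["executable_attachments"]))
    return findings


if __name__ == "__main__":
    for key, value in triage(build_sample_eml()).items():
        print("%-24s %s" % (key, value))
```

The domain comparison deliberately does not consult a reputation feed: as the article notes, the lure's only visible flaw is that the sending domain is not the one the signature and logo belong to, so the check compares the message against itself. The "MZ" test is what catches a self-extracting archive that a file-extension filter would pass as a harmless .zip.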

Roman Dedenok, a security expert at Kaspersky, says Agent Tesla is very popular and is used to fetch passwords and other credentials from affected organisations.

“It’s been known since 2014 and deployed by spammers widely in mass attacks. However, in this campaign cyber criminals took on techniques that are typical of targeted attacks – the sent e-mails were tailored especially for the company of interest and are barely different from legitimate ones.”