Spammers employ Agent Tesla stealer

Kaspersky has uncovered an unusual spam email campaign that targeted businesses worldwide. Mimicking emails from vendors or counterparty companies, the attackers tried to steal login data from the targeted organisations using the notorious Agent Tesla stealer. The stolen credentials might be offered for sale on dark web forums or used in targeted attacks against these organisations.

Today, cybercriminals are investing effort into mass spam campaigns, and a recent investigation by Kaspersky provides clear proof of this. The uncovered spam campaign, aimed at various organisations, contained high-quality imitations of business inquiries from real companies, given away only by the inappropriate sender addresses. As the payload, the attackers used the Agent Tesla stealer, a well-known Trojan Spy designed to steal authentication data, screenshots, and data captured from web cameras and keyboards. The malware was distributed as a self-extracting archive attached to the weaponised email.

In one email example, someone posing as a Malaysian prospect uses an odd variety of English to ask the recipient to review some customer requirements and reply with the requested documents. The general format complies with corporate correspondence standards: there is a logo belonging to a real company and a signature with sender details. Overall, the request looks legitimate, and the linguistic errors can easily be attributed to a non-native speaker.

The only suspicious thing about the email is the sender’s address, newsletter@trade***.com: it is a “newsletter” mailbox, typically used for news mailings, not procurement. Besides, the sender’s domain name does not match the company name in the logo.

In another email, a purported Bulgarian customer enquires about the availability of some products and offers to discuss the details of a deal. As in the previous specimen, the requested product list is said to be in the attachment. The sender’s address is similarly suspicious: it belongs to a Greek, not Bulgarian, domain, which apparently has no relation to the company whose name the spammers used.

The messages originated from a limited range of IP addresses, and the attached archives contained the same malware, Agent Tesla, which led the researchers to conclude that all these messages were part of one targeted campaign.
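The indicators the article lists (a broadcast-style mailbox as sender, a sender domain unrelated to the company in the logo, a country-code domain that contradicts the claimed country, an executable self-extracting archive as attachment, and a common originating IP range across messages) can be turned into simple triage checks. The following is an added example, not Kaspersky's code or part of the original report; every message, name, address, domain and IP address in it is constructed, the country-to-ccTLD table covers only the countries the article names, and the analyst supplies the company and country the email claims to come from:

```python
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: only the countries named in the article are needed.
CCTLD = {"malaysia": "my", "bulgaria": "bg", "greece": "gr"}
# Mailboxes normally used for broadcast mail, not for a buyer's enquiry.
BROADCAST_LOCAL_PARTS = {"newsletter", "noreply", "no-reply", "news", "marketing"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LEGAL_SUFFIXES = {"ltd", "llc", "inc", "gmbh", "sdn", "bhd", "eood", "sa", "co", "company"}


def sender_parts(msg):
    """Return (local_part, domain) of the From address, lowercased."""
    _, addr = parseaddr(str(msg["From"]))
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def company_tokens(name):
    """Distinctive words of a company name, with legal-form suffixes dropped."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return {w for w in words if w not in LEGAL_SUFFIXES and len(w) >= 4}


def domain_matches_company(domain, company):
    """True if any distinctive word of the company name appears in the sender domain."""
    host = domain.replace("-", "").replace(".", "")
    return any(tok in host for tok in company_tokens(company))


def originating_ip(msg):
    """IP of the first hop: the lowest Received header that carries a bracketed address."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
        if m:
            return m.group(1)
    return None


def executable_attachments(msg):
    """Attachments that are executables by extension or by PE ('MZ') magic;
    a self-extracting archive is a PE file whatever its filename says."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if any(name.endswith(ext) for ext in EXEC_EXTENSIONS) or data[:2] == b"MZ":
            found.append(part.get_filename())
    return found


def triage(raw, claimed_company, claimed_country):
    """Indicators for one raw message, given the company and country that the
    email's logo and signature claim (entered by the analyst)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    local, domain = sender_parts(msg)
    indicators = []
    if local in BROADCAST_LOCAL_PARTS:
        indicators.append(f"broadcast mailbox '{local}@' used for an enquiry")
    if not domain_matches_company(domain, claimed_company):
        indicators.append(f"sender domain {domain} unrelated to '{claimed_company}'")
    tld = domain.rsplit(".", 1)[-1]
    expected = CCTLD.get(claimed_country.lower())
    if expected and tld in CCTLD.values() and tld != expected:
        indicators.append(f"sender ccTLD .{tld} does not match {claimed_country}")
    for name in executable_attachments(msg):
        indicators.append(f"executable attachment {name}")
    return {"ip": originating_ip(msg), "indicators": indicators}


def cluster_by_network(results, prefix=24):
    """Group triaged messages by originating network, to spot a shared source range."""
    clusters = {}
    for key, res in results.items():
        if res["ip"]:
            net = ipaddress.ip_network(f"{res['ip']}/{prefix}", strict=False)
            clusters.setdefault(str(net), []).append(key)
    return clusters


def build_sample(sender, subject, body, hop_ip, filename, payload):
    """Construct a raw test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "sales@recipient.example"
    m["Subject"] = subject
    m["Received"] = "from mail.recipient.example ([198.51.100.2]) by mx.recipient.example"
    m["Received"] = f"from relay.example ([{hop_ip}]) by mail.recipient.example"
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples modelled on the two emails described in the article.
SAMPLES = {
    "malaysia": (build_sample('"Maju Jaya Industries" <newsletter@trade-example.com>',
                              "Customer requirement - kindly revert with documents",
                              "Kindly review attached requirement and revert.\n\nMaju Jaya Industries Sdn Bhd",
                              "203.0.113.10", "Requirements.exe", b"MZ\x90\x00" + b"\x00" * 60),
                 "Maju Jaya Industries Sdn Bhd", "Malaysia"),
    "bulgaria": (build_sample('"Balkan Supply" <purchasing@example.gr>',
                              "Inquiry for products availability",
                              "Please check availability of the attached list.\n\nBalkan Supply EOOD",
                              "203.0.113.25", "Product_List.zip", b"MZ\x90\x00" + b"\x00" * 60),
                 "Balkan Supply EOOD", "Bulgaria"),
}


def run_campaign_triage(samples=SAMPLES):
    results = {k: triage(raw, company, country) for k, (raw, company, country) in samples.items()}
    return results, cluster_by_network(results)


if __name__ == "__main__":
    results, clusters = run_campaign_triage()
    for key, res in results.items():
        print(key, res["ip"], *res["indicators"], sep="\n  ")
    print("clusters:", clusters)
```

The second sample deliberately carries a PE payload under a `.zip` name so the magic-byte check, not the extension check, is what flags it; the /24 clustering is the crude form of the "limited range of IP addresses" observation and would normally be replaced by whatever netblock data the mail gateway logs provide.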

“Agent Tesla is a highly popular stealer used to fetch passwords and other credentials from affected organizations. It’s been known since 2014, and deployed by spammers widely in mass attacks. However, in this campaign cybercriminals took on techniques that are typical of targeted attacks – the sent emails were tailored especially for the company of interest and were barely different from legitimate ones”, says Roman Dedenok, security expert at Kaspersky.

Kaspersky products detect Agent Tesla stealer as Trojan-PSW.MSIL.Agensla.

To protect yourself from spam email campaigns, Kaspersky recommends the following:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through a phishing email.
  • If using Microsoft 365 cloud service, don’t forget to protect it too. Kaspersky Security for Microsoft Office 365 has a dedicated anti-spam and anti-phishing as well as protection for SharePoint, Teams and OneDrive apps for secure business communications.