AGENT TESLA Malware Steals login Credentials From Chrome & Firefox


Researchers investigated a recent Agent Tesla malware campaign targeting US and Australian organizations, which used phishing emails with fake purchase orders to trick victims into clicking malicious links. 

Upon clicking, an obfuscated Agent Tesla sample protected by Cassandra Protector was downloaded and executed, stealing keystrokes and login credentials. 

The investigation identified two cybercriminals, Bignosa (the main threat) and Gods, who used a large email database and multiple servers for RDP connections and malware campaigns. 

The malware campaign involved a multi-step preparation phase before distributing malicious spam. 

The activity of the “Bignosa” threat actor shown on the timeline
The activity of the “Bignosa” threat actor shown on the timeline

Document

Stop Advanced Phishing Attack With AI

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .

Campaign of the Malware:

Threat actor “Bignosa” launched two malware campaigns targeting Australian and US organizations by using phishing emails with a disguised Agent Tesla attachment (PDF.IMG) protected by Cassandra Protector. 

Malware campaign targeting AU 7th of November
Malware campaign targeting AU 7th of November

“Bignosa” compromised servers by installing Plesk and RoundCube, connecting via SSH and RDP. The first campaign on November 7th originated from a server (172.81.60.206) with a Kenyan SSH connection (41.90.185.44). 

Attack scheme for these two campaigns
Attack scheme for these two campaigns

The second campaign on November 29th and 30th used a different server (192.236.236.35) with a Bulgarian RDP connection (91.215.152.7) as both campaigns sent emails from newly created webmail accounts and the attack methods were identical, except for the server addresses. 

Malspam text and attachment
Malspam text and attachment

Bignosa, a malicious actor, used Cassandra Protector, a tool that obfuscates code and creates executables disguised as ISOs, to deliver malware via spam emails. 

Cassandra Protector offers functionalities like persistence, anti-virus evasion, and customizability used by Bignosa to make the malware bypass security measures and remain undetected on the target machine.  

“Bignosa” account details for Cassandra Protector
“Bignosa” account details for Cassandra Protector

According to Check Point report, Bignosa used Agent Tesla and performed phishing attacks, while Gods mentored Bignosa and also conducted phishing attacks in the past. 

“Gods” and “Kmarshal” in one Jabber account
“Gods” and “Kmarshal” in one Jabber account

They communicated via Jabber and TeamViewer, whereas Bignosa used RDP to connect to a VDS server and distribute Agent Tesla. 

ChatGPT used to translate spam messages to Turkish
ChatGPT used to translate spam messages into Turkish

Gods used a YouTube channel called “8 Letter Tech,” which is linked to the email address unlimi[email protected] , which was also used by the Gods Threat actor.

Threat actors had been linked to “Bignosa” and “Gods” through a VDS account and shared an IP address in which “Bignosa” has used the VDS for phishing attacks since March 2023, while “Gods” used the same IP for a DynuDNS service linked to his email. 

 Email used by “Gods” in the video by Kingsley F
 Email used by “Gods” in the video by Kingsley F

Social media analysis revealed “Tamegurus” connected to legitimate web design and “Gods” through Turkish university ties. “8 Letter Studio” on social media further connected “Tamegurus” and “Gods,” with the latter’s real name discovered as Kingsley Fredrick. 

A recent phishing campaign by “Gods” was identified under the alias “GODINHO” in December 2023–January 2024, highlighting how cybercriminals may combine legitimate work with illegal activities. 

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-second Assessment.



Source link