Monday, 23 December 2024

Australian Businesses Targeted by Information-Stealing Malware

Over 11,000 Australian companies were recently targeted in a cyberattack campaign wielding a well-established but nonetheless dangerous malware strain called Agent Tesla.

What is Agent Tesla?

Agent Tesla is a Remote Access Trojan (RAT) that first emerged in 2014. It's a popular choice among cybercriminals due to its reliability and diverse functionalities for stealing data. The malware can steal information from various commonly used software, including browsers and FTP clients. Recent updates have made it even more versatile, offering tighter integration with platforms like Telegram and Discord for easier execution of hacking campaigns.

Anatomy of an Agent Tesla Phishing Attack

Security researchers at Check Point recently published a detailed analysis of the methodology employed in this Agent Tesla phishing campaign. The attack, launched in November 2023, targeted businesses primarily in Australia and the United States.

Here's how the attack unfolded:

  1. Preparation: The attackers, dubbed "Bignosa," set up a server running Plesk (hosting control panel) and Roundcube (webmail client). They then used a tool called Cassandra Protector to obfuscate the Agent Tesla payload, hiding the malicious code and controlling its delivery; the tool offers options such as a configurable sleep time and a spoofed dialog box with attacker-chosen text.
  2. Weaponization: Bignosa converted the malicious .NET code into an ISO file disguised with a ".img" extension. This file was then attached to spam emails.
  3. Attack Launch: Bignosa used a remote access protocol to connect to the server, created an email address, and launched the spam campaign using a pre-compiled target list. The initial wave saw "a few successful infections" in Australia.

Targeting Australian Businesses

The presence of a file named "AU B2B Lead.txt" on the attacker's machine suggests a deliberate targeting of Australian businesses. Experts believe the attackers aimed to infiltrate corporate networks and steal valuable information for financial gain.

Collaboration and Challenges

The researchers discovered evidence of Bignosa collaborating with another cybercriminal named "Gods." Gods offered advice on crafting malicious email content. However, the attackers also faced challenges. Bignosa struggled to clean test infections from their own machine, requiring remote assistance from Gods. Check Point believes Bignosa might be Kenyan and Gods a Nigerian web developer.

How to Block Agent Tesla Infections

This campaign highlights the ongoing threat posed by Agent Tesla. Here's how to protect your business:

Maintain Updates: Ensure operating systems and applications are updated with the latest security patches.

Utilize Security Tools: Implement commercial spam filtering and blocklist tools to minimize suspicious emails reaching inboxes.

Employee Training: Regularly train employees to be cautious of unexpected emails, especially those with attachments from unknown senders.

By following these steps, businesses can significantly increase their defenses against Agent Tesla and similar cyber threats.
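
The weaponization step above (an ISO image attached under a ".img" name) and the spam-filtering advice point to one concrete mail-gateway check. What follows is an added example, not code from the article or from Check Point: it parses a constructed message with Python's standard `email` library and flags any attachment that carries an ISO 9660 volume descriptor, whatever extension the filename claims. The signature offset is the ISO 9660 standard's; the verdict strings, sample addresses and filenames are assumptions.

```python
"""Flag mail attachments that are ISO 9660 disc images, whatever their
extension claims. Added example; not the article's or Check Point's code."""
import email
from email import policy
from email.message import EmailMessage

ISO_SIG = b"CD001"       # ISO 9660 volume descriptor identifier
ISO_SIG_OFFSET = 0x8001  # byte 1 of sector 16 (2048-byte sectors), after the type byte
DISC_IMAGE_EXTS = {".iso", ".img", ".udf", ".vhd", ".vhdx"}  # extensions worth a second look

def is_iso9660(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor at the standard offset."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG

def attachment_verdict(filename: str, data: bytes) -> str:
    """Content-based verdict; the extension only decides how the finding is worded."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_iso9660(data):
        if ext != ".iso":
            return f"block: ISO 9660 image with misleading extension {ext or '(none)'}"
        return "block: ISO 9660 disc image attachment"
    if ext in DISC_IMAGE_EXTS:
        return "quarantine: disc-image extension without ISO signature"
    return "allow"

def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "", attachment_verdict(p.get_filename() or "", p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()]

def make_fake_iso(size: int = 0x9000) -> bytes:
    """Constructed sample: zero-filled blob with a primary volume descriptor header."""
    buf = bytearray(size)
    buf[ISO_SIG_OFFSET - 1] = 1                       # descriptor type 1 = primary
    buf[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    return bytes(buf)

def build_sample_message() -> bytes:
    """Constructed lure in the campaign's style: a disc image named as a .img file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "orders@example.invalid", "ap@example.invalid", "Purchase order"
    msg.set_content("Please find the attached order.")
    msg.add_attachment(make_fake_iso(), maintype="application", subtype="octet-stream", filename="PO-2024.img")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

Mounting a disc image bypasses the Mark-of-the-Web on many Windows builds, which is why the check keys on the file's content rather than on the name the sender chose.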
