Kaspersky has observed a recent campaign in which cybercriminals use the Agent Tesla stealer malware for espionage. The malware is distributed via carefully crafted spam emails. Almost 15,000 users in Germany have already been affected.
Kaspersky experts have discovered a spam email campaign targeting companies worldwide that uses the notorious stealer Agent Tesla. For the campaign, the cybercriminals imitated emails from suppliers or contractors in detail in order to obtain the login credentials of the targeted organizations; the only thing that gave them away was the incorrect sender address. The stolen credentials are offered for sale on dark web forums or used in targeted attacks against the organizations concerned.
Germany in third place for attacked users
According to Kaspersky telemetry, from May to August 2022 the malware's activity was highest in Europe, Asia, and Latin America. Most of the attacked users were in Mexico with 20,941 users, followed by Spain with 18,090 and Germany with 14,880.
Cybercriminals nowadays invest considerable resources in bulk spam campaigns. The spam campaign detected by Kaspersky, which targeted various organizations worldwide, mimicked business requests from real companies to a high standard and could be identified only by the false sender addresses. The attackers used these emails to spread the Agent Tesla stealer, a well-known spyware Trojan that can steal authentication credentials, screenshots, webcam captures and keystrokes. The malware was delivered as an email attachment in the form of a self-extracting archive.
Only the sender address gives the cybercriminals away
In one of the cases discovered, an attacker posing as a Malaysian prospective customer used an odd variety of English to ask the recipient to review some customer requirements and to reply with the requested documents.
The general format followed the conventions of corporate correspondence: a logo belonging to a real company and a signature with the sender's details. Overall, the request looked legitimate, and the language errors could easily be attributed to a non-native speaker. The only indication that the mail was not legitimate was the sender address, newsletter@trade***.com: it was labelled "Newsletter", a mailbox normally used for sending news rather than procurement requests. Furthermore, the sender's domain name did not match the company name shown in the logo.
Classic spam with attachment
In another email, a supposed Bulgarian customer wanted to enquire about the availability of some products and discuss further details. As in the previous sample, the requested product list was supposedly in the attachment. The similarly suspicious sender address belonged to a Greek rather than a Bulgarian domain, one that appeared to have nothing to do with the company whose name the spammers had misused.
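The indicators described in the two cases above (a sender domain that does not match the company named in the signature, a "newsletter" role mailbox used for a procurement request, and a self-extracting archive as the attachment) can be checked mechanically at the mail gateway. The following is an added example, not code from Kaspersky or from the article; the role-mailbox list, the archive signatures, the crude registrable-domain comparison and the sample message are all assumptions constructed for illustration. An SFX archive is a Windows executable (it starts with the `MZ` header) that carries an ordinary ZIP, RAR or 7z payload inside it, so the check looks for both signatures in one attachment regardless of the file name.

```python
"""Gateway-style heuristics for the indicators described above. Added example;
the lists and thresholds are assumptions, not vendor detection logic."""
import re
from typing import List, Optional, Set
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed: local-parts normally used for one-way mail, not for business requests.
ROLE_LOCALPARTS = {"newsletter", "noreply", "no-reply", "news", "marketing", "notification"}

# Magic bytes of archive formats commonly wrapped in self-extracting executables.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

# Domains that appear in a signature block or link in the message text.
DOMAIN_RE = re.compile(r"(?:https?://|www\.|@)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def sender_address(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def registrable(domain: str) -> str:
    # Crude: keep the last two labels. Enough for a brand comparison in this
    # example; a real gateway would consult the public suffix list.
    return ".".join(domain.split(".")[-2:])


def body_domains(msg: EmailMessage) -> Set[str]:
    """Domains mentioned in the text body (signature, links)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return {d.lower() for d in DOMAIN_RE.findall(text)}


def is_sfx(data: bytes) -> Optional[str]:
    """Return the payload archive type if data is a PE file carrying an archive."""
    if not data.startswith(b"MZ"):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if magic in data[2:]:
            return kind
    return None


def assess(msg: EmailMessage) -> List[str]:
    """Return human-readable findings for the three indicators; empty means clean."""
    findings = []
    addr = sender_address(msg)
    local, _, sdom = addr.partition("@")
    if local in ROLE_LOCALPARTS:
        findings.append(f"role mailbox used for a business request: {addr}")
    others = {registrable(d) for d in body_domains(msg)} - {registrable(sdom)}
    if sdom and others:
        findings.append(f"sender domain {sdom} differs from domain(s) in body: {sorted(others)}")
    for part in msg.iter_attachments():
        kind = is_sfx(part.get_content())  # bytes for application/* parts
        if kind:
            findings.append(f"attachment {part.get_filename()} is a self-extracting {kind} archive")
    return findings


def assess_raw(raw: bytes) -> List[str]:
    """Same check on a raw RFC 5322 message as it arrives at the gateway."""
    return assess(BytesParser(policy=policy.default).parsebytes(raw))


def build_sample() -> EmailMessage:
    """Constructed sample modelled on the first case above; no real addresses or files."""
    msg = EmailMessage()
    msg["From"] = "Procurement <newsletter@trade-example.com>"
    msg["To"] = "sales@victim.example"
    msg["Subject"] = "Customer requirement - please review attached"
    msg.set_content(
        "Dear Sir,\nKindly review the attached customer requirement and revert with documents.\n\n"
        "Best regards,\nA. Buyer\nAcme Trading Sdn Bhd\nwww.acme-trading.example\n"
    )
    # Constructed stand-in for an SFX: a fake PE header followed by a RAR signature.
    payload = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="Customer_Requirements.exe")
    return msg


if __name__ == "__main__":
    for line in assess(build_sample()):
        print("FINDING:", line)
```

Each finding on its own is weak (a legitimate supplier may well write from a different domain than the one in its logo), which is why the function reports all three separately: a role mailbox plus a domain mismatch plus an executable attachment together is the pattern described in the article, and a gateway rule would typically quarantine on the attachment check alone and score the other two.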
"Agent Tesla is a very popular stealer that can steal passwords and other credentials from affected organizations," said Roman Dedenok, security researcher at Kaspersky. "The malware has been known since 2014 and is often used by spammers for mass attacks. In the current campaign, however, the cybercriminals are using techniques that are typical for targeted attacks. The emails sent were tailored specifically to the targeted company; they can hardly be distinguished from legitimate emails." Kaspersky products detect the Agent Tesla stealer under the name "Trojan-PSW.MSIL.Agensla".
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services that protect companies, critical infrastructure, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/