Remote access trojans, or RATs for short, remain a major threat. Malwarebytes has recently unmasked a Nigerian scammer group built around Agent Tesla. Luckily the group was not run by full-time professionals: they sent test emails and in doing so revealed their own IP address.
The info stealer "Agent Tesla" is a remote access tool (RAT) that has been active since 2014 and is now one of the most common malicious payloads seen in email spam campaigns. While searching for threats targeting Ukraine, Malwarebytes identified a new group that has been heavily involved in phishing and other forms of data theft for several years. The irony: one of the main threat actors had also infected his own computer with an Agent Tesla binary.
Almost 1 million login credentials stolen
The scammer's activities began a few years ago with classic advance-fee fraud (419 fraud). Since then he has moved on to running Agent Tesla campaigns, and in the past two years he has stolen almost a million login credentials from his victims this way.
An Agent Tesla campaign using a Ukrainian-language email led Malwarebytes to the scammers. The Malwarebytes Threat Intelligence Team's investigation began with an email titled Остаточний платіж.msg, which translates as Final Payment.msg. The email contained a link to a file-sharing site serving an archive that contained an executable, and that executable put the team on the scammer's trail.
The executable is an Agent Tesla stealer, which can exfiltrate data over several channels. The one used here is simple: the malware logs in to an attacker-controlled email account and sends that account a message containing each victim's stolen credentials.
Test messages reveal the attacker's IP address
The attacker sent a series of "Test successful!" messages from the same account. Attackers commonly use such messages to check that the Agent Tesla exfiltration settings work. For obvious reasons these emails should be deleted afterwards, but this threat actor did not do so. The messages revealed his own IP address, which Malwarebytes geolocated to Lagos, Nigeria. Malwarebytes therefore named the group "Nigerian Tesla".
Another 26 emails from the same IP address were not test messages but output from a real Agent Tesla execution: the attacker had managed to infect his own computer as well.
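How a mail-based Agent Tesla collection account gives away its operator, as an added example (not from Malwarebytes' report and not the malware's own code): a short Python script that reads the collection mailbox, pulls the submitting client's address from the bottom-most Received header (assuming, as is usual, that the provider's mail server records the connecting client's IP there), separates "Test successful!" messages from real credential reports, and flags any address that sent both, which is the self-infection pattern described above. The sample mailbox, host names, subject lines and IP addresses are constructed for the example.

```python
import email
import ipaddress
import re
from collections import defaultdict
from email import policy

# Addresses in these networks can only be internal mail-server hops, never the
# remote client that submitted the message. (Assumption for this example.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def constructed_message(client_ip, subject, body):
    """Build a constructed raw message as a mail store would present it: the
    newest Received header on top, the first hop (the client that submitted the
    message to the provider's MTA) at the bottom. Host names are invented."""
    return (
        "Received: from mx2.example.net ([10.1.2.3]) by store.example.net;"
        " Mon, 1 Nov 2021 10:00:03 +0000\r\n"
        f"Received: from [{client_ip}] by mx2.example.net with ESMTPSA;"
        " Mon, 1 Nov 2021 10:00:01 +0000\r\n"
        "From: collector@example.net\r\n"
        "To: collector@example.net\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


# Constructed sample mailbox: two operator test messages, one real victim report
# from a different address, and one report submitted from the operator's own
# address (the self-infection case). Documentation ranges stand in for real IPs,
# and the subject/body layout of the reports is invented, not Agent Tesla's.
SAMPLE_MAILBOX = [
    constructed_message("203.0.113.45", "Test successful!", "Test successful!"),
    constructed_message("203.0.113.45", "Test successful!", "Test successful!"),
    constructed_message("198.51.100.7", "Credentials / VICTIM-PC",
                        "URL: https://mail.example.org\r\nUser: jdoe\r\nPass: Winter2021!"),
    constructed_message("203.0.113.45", "Credentials / OPERATOR-PC",
                        "URL: https://webmail.example.net\r\nUser: collector\r\nPass: secret1985"),
]


def originating_ip_of(raw_message):
    """Return the public address of the client that first submitted the message.
    Each MTA prepends its own Received header, so the last one in header order is
    the first hop; walk from the bottom and skip internal addresses."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in reversed(msg.get_all("Received", [])):
        for match in IPV4_IN_BRACKETS.finditer(str(header)):
            addr = ipaddress.ip_address(match.group(1))
            if not any(addr in net for net in INTERNAL_NETS):
                return str(addr)
    return None


def is_test_message(raw_message):
    """Operator test messages carry the stealer's fixed test subject."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return str(msg["Subject"] or "").strip().startswith("Test successful")


def cluster_by_source(mailbox):
    """Group messages by submitting IP and count test messages vs. real
    credential reports per address."""
    clusters = defaultdict(lambda: {"test": 0, "exfil": 0})
    for raw in mailbox:
        ip = originating_ip_of(raw) or "unknown"
        clusters[ip]["test" if is_test_message(raw) else "exfil"] += 1
    return dict(clusters)


def self_infection_candidates(clusters):
    """Addresses that sent both operator test messages and real reports: the
    operator's own machine appears to be running the stealer."""
    return sorted(ip for ip, c in clusters.items() if c["test"] and c["exfil"])


if __name__ == "__main__":
    clusters = cluster_by_source(SAMPLE_MAILBOX)
    for ip, counts in clusters.items():
        print(f"{ip}: {counts['test']} test message(s), {counts['exfil']} credential report(s)")
    print("operator address candidates:", self_infection_candidates(clusters))
```

On a real mailbox the messages would come from an IMAP fetch or an .msg/.eml export rather than the constructed list, and the bottom-most Received header should be cross-checked against any X-Originating-IP header the provider adds, since a relay in front of the provider would otherwise hide the true client.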
Attacker operates under different names and email accounts
In past phishing and data-stealing operations the attacker has used the names Rita Bent, Lee Chen and John Cooper, along with more than 25 different email accounts whose passwords contained the string "1985". The number of profiles shows that the threat actor has had a long career, going back at least to 2014, when he was running classic scams under the name Rita Bent.
Another scam favored by the group was phishing under the guise of Adobe login pages. Malwarebytes security researchers have records of multiple fake Adobe landing pages deployed from 2015 until recently.
Who is behind the data attacks?
Behind the IP address located in Nigeria is a man named EK. This threat actor shared photos of himself in 2016, and a photo of his driver's license was also tracked down. It shows that he was born in 1985, which completes the picture: 1985, his year of birth, appears in many of the passwords of the email accounts from which the illegal activities were carried out.
There is currently little information about the other members of the scammer group. EK, however, appears to play the central role and is at least the person who originally set up Nigerian Tesla.
Nigerian Tesla stole a total of more than 800,000 different credentials from around 28,000 victims, which shows how simple yet effective campaigns of this kind can be. The case of EK also shows an interesting evolution of a threat actor who ran the classic advance-fee scam (419 scam) before moving into malware distribution. Malwarebytes users are protected from Agent Tesla; the malware is detected as Spyware.Password.Stealer.
More at Malwarebytes.com
About Malwarebytes: Malwarebytes protects home users and businesses from dangerous threats, ransomware and exploits that go undetected by antivirus programs. Malwarebytes completely replaces other antivirus solutions in order to avert modern cybersecurity threats for private users and companies. More than 60,000 companies and millions of users trust Malwarebytes' machine-learning solutions and its security researchers to avert emerging threats and eliminate malware that antiquated security solutions fail to detect. You can find more information at www.malwarebytes.com.