Author: Victor Sandin
TLP: WHITE
Between 13 and 14 December, Infoblox observed a malicious spam (malspam) email campaign distributing Agent Tesla keylogger1 via a Microsoft Excel spreadsheet (XLS) with malicious macros. In this campaign, threat actor(s) sent emails spoofing communication from Gopaldas & Sons (also Gopal Das & Sons, both of which represent several large companies in India).
Agent Tesla is a credential-stealing malware that was first discovered in 2004. It is sold through a subscription-based license on its official website, and according to Threatpost, it has been one of the most popular malware variants in 2020.2 Agent Tesla’s main capabilities include:
- Keylogging;
- Harvesting configuration data and credentials from VPN, FTP and email clients, as well as from web browsers;
- Collecting system information;
- Transmitting stolen data to its command and control (C&C) via SMTP or FTP; and
- Evading detection and analysis through strong cryptography protocols.
In this campaign, the threat actor(s) distributed emails that impersonated a Gopaldas & Sons purchasing manager with the sender address lv@gopaldas-sons[.]com and subject line Tool kit Lugdivine new order. The email bodies claimed that the attached file, RFQ Gopaldas selection.xls, contained a compiled collection of their products.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
- https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/
- https://threatpost.com/agent-tesla-spyware-tricks-arsenal/158284/
