Author: Nick Sundvall
From 1 to 6 April, we observed a malspam campaign distributing a TAR file containing Agent Tesla, a remote access trojan (RAT) designed to steal information from a victim. The campaign's email subjects attempted to gain the victim's trust by impersonating the British bank Standard Chartered: some claimed to offer advice from the bank, while others notified the recipient of a payment.
Discovered in 2014,[1] the Agent Tesla RAT has a variety of malicious capabilities, such as stealing credentials from browsers, VPN, FTP and email clients. It can also record the user's screen and log keystrokes. The threat actor can then use the stolen credentials and keystrokes to log into, and potentially take over, the user's accounts and reach more of their data.
Agent Tesla is distributed as "malware-as-a-service," reportedly for as little as $12 USD online. This buys a one-month license, an online portal for configuring the malware, and 24/7 support.[2]
The threat actor behind this campaign used email subjects mimicking correspondence from Standard Chartered, a legitimate British bank. One of the subject lines was "Advice from Standard Chartered Bank and Confirming – Notice of payment", with a sender name of Standard Chartered Bank. The sender's address (AdvicesMY@sc[.]com) also uses the bank's real domain (sc[.]com), so the display name and address alone give the recipient no hint that the mail did not come from the bank; the From header is trivial to forge, and only the receiving server's SPF, DKIM and DMARC results can say whether it is genuine.
All of the emails carried a TAR file attachment containing an executable (EXE). TAR is an archive format, similar to ZIP or RAR. The EXE is the malicious payload, Agent Tesla itself. The file names, such as Payment Advice.img.tar, all end in .img.tar, a double extension meant to make the attachment pass as a disk image (IMG) file rather than an archive. The bodies of the emails are all empty.
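To show how the indicators above can be checked on the mail gateway or in a triage script, here is an added example that is not part of Infoblox's report. It constructs a sample message imitating the campaign (the recipient address, the attachment contents and the stub "EXE", which is just the PE magic bytes followed by padding, are all invented for the example) and then inspects it for the campaign's traits: an empty body, a .img.tar double extension, and a TAR attachment that contains a Windows executable. The campaign's real sender address and subject line are used as the constructed message's headers.

```python
import email
import io
import re
import tarfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Indicators described in the post: an attachment named *.img.tar that is a
# TAR archive containing an EXE, sent with an empty body under a display name
# claiming to be the bank.
DOUBLE_EXT = re.compile(r"\.img\.tar$", re.IGNORECASE)
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def build_sample_eml() -> bytes:
    """Construct a message imitating the campaign (constructed sample, not a
    captured email). The archived 'EXE' is a harmless stub: PE magic plus
    padding, enough for the content check below to fire."""
    fake_exe = PE_MAGIC + b"\x90" * 62
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(name="Payment Advice.exe")
        info.size = len(fake_exe)
        tar.addfile(info, io.BytesIO(fake_exe))

    msg = EmailMessage()
    msg["From"] = "Standard Chartered Bank <AdvicesMY@sc.com>"
    msg["To"] = "victim@example.net"  # hypothetical recipient
    msg["Subject"] = ("Advice from Standard Chartered Bank and Confirming "
                      "- Notice of payment")
    msg.set_content("")  # the campaign's message bodies were empty
    msg.add_attachment(tar_buf.getvalue(), maintype="application",
                       subtype="x-tar", filename="Payment Advice.img.tar")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the sender details plus a list
    of indicator strings that matched."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body else ""
    if not body_text:
        findings.append("empty_body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):
            findings.append("double_extension:" + name)
        data = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".tar"):
            continue
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    fh = tar.extractfile(member)
                    head = fh.read(2) if fh else b""
                    # Check the content, not just the name: a renamed EXE
                    # still starts with "MZ".
                    if head == PE_MAGIC or member.name.lower().endswith(".exe"):
                        findings.append("exe_in_tar:" + member.name)
        except tarfile.TarError:
            findings.append("unreadable_tar:" + name)

    return {"display_name": display_name, "from_domain": from_domain,
            "findings": findings}


if __name__ == "__main__":
    result = inspect_message(build_sample_eml())
    for finding in result["findings"]:
        print(finding)
```

The double-extension and empty-body checks are cheap but noisy on their own; the decisive signal is the executable inside the archive, which is why the example reads the PE magic instead of trusting the member's name. Because the From address carries the bank's genuine domain, the sender fields should be judged together with the gateway's Authentication-Results header (SPF, DKIM, DMARC) rather than by string matching on the domain.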
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.