Author: Shashank Jain
Between 3 and 5 April, Infoblox observed a malicious spam (malspam) campaign distributing weaponized Microsoft Excel spreadsheets (XLS) containing malicious macros intended to infect victims’ machines with the Agent Tesla keylogger. The threat actor(s) used a spoofed email sender address to gain the victim’s trust by impersonating Petroham Oil & Gas, a legitimate chemical and petrochemical company based in Abu Dhabi.
Agent Tesla is known for its keylogging and credential-stealing capabilities, and for being distributed as malware-as-a-service.
Infoblox has previously reported on Agent Tesla campaigns in Dec 2020 [1] and April 2021 [2]. Both used the same initial attack vector (malspam) and delivery technique (weaponized XLS files containing malicious macros) as this recent campaign.
In this campaign, the threat actor(s) used the sender email address sales@oryx-ad[.]ae to impersonate the Abu Dhabi-based oil and gas company with the subject line Labour Day holiday RFQ 191938. The email bodies are empty but the messages carry an attachment with the filename RFQ 191938.xls, as referenced by the subject line. All of the XLS files contained malicious macros.
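The lure traits above (a known spoofed sender, an "RFQ <number>" subject echoed by the attachment name, an empty body, and a legacy .xls attachment that carries a VBA project) are enough to triage mail at the gateway. The script below is an added example written for this page, not Infoblox tooling or part of its report. It assumes: the sender domain is refanged from the page's `oryx-ad[.]ae`; macro presence is approximated by searching an OLE2 file for the UTF-16LE storage name `_VBA_PROJECT` (a heuristic, not a full OLE parse); the "two traits = suspicious" threshold is arbitrary; and the two messages and their attachment blobs are constructed test input, not real samples.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators quoted from the campaign description above. The page defangs
# the sender domain as "oryx-ad[.]ae"; it is refanged here for matching.
IOC_SENDERS = {"sales@oryx-ad[.]ae".replace("[.]", ".")}
SUBJECT_RE = re.compile(r"\bRFQ\s*(\d+)\b", re.IGNORECASE)

# Legacy .xls files are OLE2 compound documents. A VBA project lives in a
# storage named "_VBA_PROJECT_CUR", and OLE directory entry names are stored
# UTF-16LE, so a raw byte search for that name is a cheap macro-presence
# heuristic (an assumption for this example; a real pipeline should parse
# the OLE directory tree, e.g. with oletools).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def xls_has_macro_indicator(data: bytes) -> bool:
    """True if data looks like an OLE2 file containing a VBA project storage name."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def triage_message(raw: bytes) -> dict:
    """Score one RFC 5322 message against the lure traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    reasons = []

    if sender.lower() in IOC_SENDERS:
        reasons.append(f"sender {sender} matches campaign IOC")

    m = SUBJECT_RE.search(subject)
    rfq = m.group(1) if m else None

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    body_empty = not body_text.strip()

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".xls"):
            continue
        data = part.get_payload(decode=True) or b""
        if rfq and rfq in name:
            reasons.append(f"attachment {name!r} echoes subject RFQ {rfq}")
        if body_empty:
            reasons.append(f"empty body with .xls attachment {name!r}")
        if xls_has_macro_indicator(data):
            reasons.append(f"attachment {name!r} contains a VBA project marker")

    # Threshold is an assumption for this example: two independent traits.
    return {"sender": sender, "subject": subject, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def build_eml(sender: str, subject: str, body: str, filename: str, blob: bytes) -> bytes:
    """Assemble a minimal multipart/mixed message (constructed test input)."""
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    raw = (
        f"From: {sender}\r\n"
        "To: victim@example.com\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        f"{body}\r\n"
        "--b1\r\n"
        "Content-Type: application/vnd.ms-excel\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{wrapped}\r\n"
        "--b1--\r\n"
    )
    return raw.encode("utf-8")


# Constructed stand-ins, not real spreadsheets: an OLE header followed by a
# "_VBA_PROJECT_CUR" name (macro-bearing) or a "Workbook" name only (benign).
FAKE_MACRO_XLS = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 64
FAKE_PLAIN_XLS = OLE_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le") + b"\x00" * 64

CAMPAIGN_EML = build_eml("sales@oryx-ad.ae", "Labour Day holiday RFQ 191938", "",
                         "RFQ 191938.xls", FAKE_MACRO_XLS)
BENIGN_EML = build_eml("colleague@example.org", "Q2 figures", "Numbers attached, see tab 2.",
                       "q2.xls", FAKE_PLAIN_XLS)

if __name__ == "__main__":
    for label, eml in (("campaign", CAMPAIGN_EML), ("benign", BENIGN_EML)):
        verdict = triage_message(eml)
        print(label, verdict["suspicious"], *verdict["reasons"], sep="\n  ")
```

Run as-is, the constructed campaign message trips all four checks while the benign one trips none. The sender match alone is brittle (the actor can rotate addresses), which is why the structural traits, the subject-to-filename echo and the empty body plus macro-bearing .xls, carry the score; in production replace the byte-search heuristic with a proper VBA extractor and feed the verdict to your mail gateway's quarantine action.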
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.