New Agent Tesla Campaign Targeting Spanish-Speaking People
June 10, 2024, 11:31 a.m.
Description
This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information such as credentials, email contacts, and system details. The infection chain exploits Microsoft Office vulnerabilities, executes JavaScript and PowerShell code, uses process hollowing, and applies obfuscation to evade detection. The malware targets more than 80 software applications to harvest credentials and collects email contacts from Thunderbird. Stolen data is exfiltrated over FTP. Fortinet's security services provide protection against this campaign.
Date
Published: June 10, 2024, 11:24 a.m.
Created: June 10, 2024, 11:24 a.m.
Modified: June 10, 2024, 11:31 a.m.
Indicators
Attack Patterns
Agent Tesla - S0331
T1567.002
T1003.002
T1003.001
T1059.005
T1555.003
T1497.001
T1012
T1059.007
T1056.001
T1204.002
T1105
T1083
T1027
T1059
CVE-2017-11882
CVE-2017-0199