New Agent Tesla Campaign Targeting Spanish-Speaking People

June 10, 2024, 11:31 a.m.

Description

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript and PowerShell code, process hollowing, and obfuscation to evade detection. The malware targets over 80 software applications to harvest credentials and collects email contacts from Thunderbird. Stolen data is exfiltrated via FTP. Fortinet's security services provide protection against this campaign.

Date

Published: June 10, 2024, 11:24 a.m.

Created: June 10, 2024, 11:24 a.m.

Modified: June 10, 2024, 11:31 a.m.

Indicators

a1475a0042fe86e50531bb8b8182f9e27a3a61f204700f42fd26406c3bdec862

8406a1d7a33b3549dd44f551e5a68392f85b5ef9cf8f9f3db68bd7e02d1eaba7

7230cc614270dca79415b0cf53a666a219beb4beed90c85a1ac09f082aea613b

208af8e2754a3e55a64796b29ef3a625d89a357c59c43d0ff4d2d30e20092d74

Attack Patterns

Agent Tesla - S0331

T1567.002

T1003.002

T1003.001

T1059.005

T1555.003

T1497.001

T1012

T1059.007

T1056.001

T1204.002

T1105

T1083

T1027

T1059

CVE-2017-11882

CVE-2017-0199