New Agent Tesla Campaign Targeting Spanish-Speaking People

June 10, 2024, 11:31 a.m.

Description

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information such as credentials, email contacts, and system details. It leverages techniques such as exploiting Microsoft Office vulnerabilities, executing JavaScript and PowerShell code, process hollowing, and obfuscation to evade detection. The malware targets over 80 software applications to harvest credentials and collects email contacts from Thunderbird. Stolen data is exfiltrated via FTP. Fortinet's security services provide protection against this campaign.

Date

  • Created: June 10, 2024, 11:24 a.m.
  • Published: June 10, 2024, 11:24 a.m.
  • Modified: June 10, 2024, 11:31 a.m.

Indicators

  • a1475a0042fe86e50531bb8b8182f9e27a3a61f204700f42fd26406c3bdec862
  • 8406a1d7a33b3549dd44f551e5a68392f85b5ef9cf8f9f3db68bd7e02d1eaba7
  • 7230cc614270dca79415b0cf53a666a219beb4beed90c85a1ac09f082aea613b
  • 208af8e2754a3e55a64796b29ef3a625d89a357c59c43d0ff4d2d30e20092d74
  • ftp.fosna.net
  • equalizerrr.duckdns.org

Attack Patterns

  • Agent Tesla - S0331
  • T1567.002
  • T1003.002
  • T1003.001
  • T1059.005
  • T1555.003
  • T1497.001
  • T1012
  • T1059.007
  • T1056.001
  • T1204.002
  • T1105
  • T1083
  • T1027
  • T1059
  • CVE-2017-11882
  • CVE-2017-0199