Today, cybercriminals invest effort in mass spam campaigns – and the latest investigation conducted by Kaspersky provides clear proof of this. The discovered spam email campaign, aimed at various organizations, contained high-quality imitations of commercial inquiries from real companies, given away only by the inappropriate sender addresses.
Furthermore, as the payload, the attackers used the Agent Tesla stealer – a well-known Trojan-Spy malware designed to steal authentication data, screenshots, and data captured from webcams and keyboards. The malware was distributed as a self-extracting file attached to the email.
In one example, an email posing as a Malaysian prospect uses a strange variation of English to ask the recipient to review some customer requirements and come back with the requested documents. The general format complies with corporate correspondence standards: there is a logo that belongs to a real company and a signature that shows the sender’s details. Generally speaking, the request looks legitimate, and the linguistic errors can easily be attributed to a sender who is not a native speaker.
“Malaysian prospect email with malicious attachment”
The only suspicious thing about the email is the sender address, newsletter@trade***.com: the mailbox name “newsletter” is typically used for news distribution, not procurement. Also, the sender’s domain name differs from the company name in the logo.
In another email, an alleged Bulgarian customer inquires about the availability of some products and offers to discuss the details of a deal. The requested product list is said to be in the annex, as in the previous sample. The equally suspicious sender address belongs to a Greek rather than a Bulgarian domain, which apparently has nothing to do with the company whose name is used by the spammers.
“The email from the Bulgarian customer with a malicious attachment”
The messages originated from a limited range of IP addresses and the attached files contained the same malware, Agent Tesla – leading researchers to think that all these messages were part of a targeted campaign.
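As an added illustration (not code from the Kaspersky report), the indicators described in the two sample emails above turned into a simple mail-gateway check: a bulk-mail mailbox name on a purchase inquiry, a sender domain that does not contain the company name shown in the logo or signature, a country-code TLD that contradicts the claimed country, and a self-extracting executable attachment. The bulk-mailbox list, the country-to-TLD map, the risky-extension list and the sample message are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: mailbox names normally used for bulk news,
# extensions of self-extracting/executable attachments, and the ccTLD a sender
# claiming to be from a given country would be expected to use.
BULK_LOCALPARTS = {"newsletter", "news", "noreply", "no-reply", "marketing"}
RISKY_EXT = (".exe", ".scr", ".pif", ".com")
COUNTRY_TLD = {"malaysia": "my", "bulgaria": "bg"}

def check_email(raw: str, claimed_company: str, claimed_country: str) -> list:
    """Return the reasons a purchase inquiry matches the indicators above."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    reasons = []
    if local.lower() in BULK_LOCALPARTS:
        reasons.append("bulk-mail mailbox '%s' used for a purchase inquiry" % local)
    # The company name from the logo/signature should appear in the sender domain
    token = re.sub(r"[^a-z0-9]", "", claimed_company.lower())
    if token and token not in re.sub(r"[^a-z0-9.]", "", domain.lower()):
        reasons.append("sender domain '%s' does not match claimed company" % domain)
    # A country-code TLD that contradicts the country the sender claims to be from
    tld = domain.rsplit(".", 1)[-1].lower()
    expected = COUNTRY_TLD.get(claimed_country.lower())
    if expected and len(tld) == 2 and tld != expected:
        reasons.append("sender TLD '.%s' does not match claimed country" % tld)
    # In this campaign the payload arrived as a self-extracting executable
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            reasons.append("executable attachment '%s'" % name)
    return reasons

# Constructed sample modelled on the "Bulgarian customer" email described above
SAMPLE = """\
From: "Purchasing Dept" <newsletter@example-trading.gr>
To: sales@victim.example
Subject: Inquiry about product availability
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="product_list.exe"
Content-Disposition: attachment; filename="product_list.exe"

MZ(placeholder)
--b1--
"""
```

Calling `check_email(SAMPLE, "Sofia Goods Ltd", "Bulgaria")` returns four reasons, one per indicator; a message from a matching domain with no executable attachment returns an empty list.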
Agent Tesla targets users all over the world. According to Kaspersky’s observations, malware activity from May to August 2022 was the highest in Europe, Asia and Latin America. The highest number of victims (20,941) was recorded in Mexico. Spain followed, with 18,090 user devices registering infection attempts, and Germany, where 14,880 users were affected.
“Agent Tesla is a very popular stealer used to look up passwords and other credentials to affected organizations. It has been known since 2014, and is widely used by spammers in mass attacks. However, in this campaign, cybercriminals assumed typical techniques of targeted attacks – the emails sent were specially tailored for the company of interest and are little different from the legitimate ones.”
Roman Dedenok, security expert at Kaspersky.
Kaspersky products detect the Agent Tesla stealer as Trojan-PSW.MSIL.Agensla. To learn more about Agent Tesla, read the full report on Securelist.
To protect yourself from spam email campaigns, Kaspersky recommends the following:
If you use the Microsoft 365 cloud service, don’t forget to secure it too. Kaspersky Security for Microsoft Office 365 has dedicated anti-spam and anti-phishing protection, as well as protection for the SharePoint, Teams and OneDrive apps, for secure business communications.