Discovering a new Agent Tesla malware sample
12 December 2019
The Global Threat Intelligence Team (GTIC) monitors active malware campaigns all over the world. The Obasi campaign, named after one of the threat actors, is an active campaign we are currently tracking. This campaign led us to a new Agent Tesla sample that pivoted to a new mailbox not currently being used by any of the other actors of the Obasi campaign.
The bk@ email is being used for exfiltration by Agent Tesla malware samples. Originally, GTIC thought the address was being managed by the threat actor Zeel Ken Obasi. Further research showed it was a different individual from the same region.
It is common practice for threat actors to send test emails to test the functionality of malware samples. The initial Agent Tesla test email was from a UK IP address (184.108.40.206). After the initial test email all following IPs point to Lagos, Nigeria as the location of the actor.
Other logs showed similarities to the Obasi campaign:
- Typo squatting and spear phishing
- DNS hosting providers
- Delivery of Agent Tesla
- SMTP exfiltration traffic over port 587 without TLS
- This includes login information. SMTP and IMAP credentials were in clear text
- Auto Forwarding logs
- Unlike Obasi’s campaigns, these logs are primarily forwarded to a Yandex account instead of a mail.ru account.
Operational Security (OPSec)
As in the case of Obasi, the actor ran their keylogger malware on themselves. Logs containing information about the actor's machine were found in the mail account. Following the compromised actor’s actions showed them adding a friend, Okoronkwo David, to compromised Facebook accounts.
This led to the Facebook profile for Okoronkwo David.
While it’s possible that this account is fake and managed by the threat actor as a fake persona the possibility is very low. Other indicators in the campaign show extremely low levels of OPSec, and security in general, practiced by the actor. Passwords are variations on the actor's name and the Agent Tesla sample pre-FUD has the filename kwasky.exe, which is the nickname ascribed to the Facebook page.