Discovering a new Agent Tesla malware sample

by Jose Hernandez

12 December 2019

A man with glasses looking at a screen

Jacob Faires, Senior Threat Research Analyst, NTT Ltd.

The Global Threat Intelligence Team (GTIC) monitors active malware campaigns all over the world. The Obasi campaign, named after one of the threat actors, is an active campaign we are currently tracking. This campaign led us to a new Agent Tesla sample that pivoted to a new mailbox not currently being used by any of the other actors of the Obasi campaign.

bk@ibekamine[.]com

The bk@ email is being used for exfiltration by Agent Tesla malware samples. Originally, GTIC thought the address was being managed by the threat actor Zeel Ken Obasi. Further research showed it was a different individual from the same region.

Agent tesla malware sample

It is common practice for threat actors to send test emails to test the functionality of malware samples. The initial Agent Tesla test email was from a UK IP address (31.3.251.197). After the initial test email all following IPs point to Lagos, Nigeria as the location of the actor.

105.112.112.57

105.112.112.78

105.112.112.103

105.112.112.195

105.112.113.12

105.112.113.92

105.112.113.134

105.112.114.55

105.112.114.117

105.112.114.201

105.112.120.27

105.112.121.167

Other logs showed similarities to the Obasi campaign:

  • Typo squatting and spear phishing
  • DNS hosting providers
  • Delivery of Agent Tesla
  • SMTP exfiltration traffic over port 587 without TLS
    • This includes login information. SMTP and IMAP credentials were in clear text
  • Auto Forwarding logs
    • Unlike Obasi’s campaigns, these logs are primarily forwarded to a Yandex account instead of a mail.ru account.

Operational Security (OPSec)

As in the case of Obasi, the actor ran their keylogger malware on themselves. Logs containing information about the actor's machine were found in the mail account. Following the compromised actor’s actions showed them adding a friend, Okoronkwo David, to compromised Facebook accounts.

Agent tesla malware sample

This led to the Facebook profile for Okoronkwo David.

https://www.facebook.com/kwasky

Agent tesla malware sample

While it’s possible that this account is fake and managed by the threat actor as a fake persona the possibility is very low. Other indicators in the campaign show extremely low levels of OPSec, and security in general, practiced by the actor. Passwords are variations on the actor's name and the Agent Tesla sample pre-FUD has the filename kwasky.exe, which is the nickname ascribed to the Facebook page.

IOCs

IPs

31.3.251.197

105.112.112.57

105.112.112.78

105.112.112.103

105.112.112.195

105.112.113.12

105.112.113.92

105.112.113.134

105.112.114.55

105.112.114.117

105.112.114.201

105.112.120.27

105.112.121.167

Domains

smtp.ibemakine.com

Email Addresses

bk@ibemakine.com

samandre22@yandex.com

samandre222@yandex.com

SHA-256

c2c1eaf0012413da59fcce9dbf7eea9b72ab45dbb3d17429fe988158a2e5783d

d263aec0a4d338110aaae8c8ed928d7ef52e87a2fecda08663e4600f57c2a4b7

3999d4d2a2422a55d8c2b0abe9dea38443e42a21dc959d69d2c927cb2ae82db4

6fa5c0456337d4d86aeb7831f6396a8da488dab75fa6cc658c2b4f80cc379465

01da3d69232d85e63cf4a972c62271ba6163af065c146541570b62decb963ab0

19fab115271f6e556f2914eb3cdc32311d886bee1b15f0d151ae72211de31228

Jose Hernandez

Jose Hernandez

Vulnerability Research Analyst, NTT Ltd.