Kaspersky reported detecting a spam campaign targeting businesses around the world.
Attackers are imitating emails from vendors or counterparty companies to steal login data from the affected organisations. The payload is Agent Tesla, a spyware Trojan designed to steal authentication data, screenshots, and data captured from webcams and keyboards; it was attached to the emails as a self-extracting archive.
"Agent Tesla is a highly popular stealer used to fetch passwords and other credentials from affected organizations. It's been known since 2014, and deployed by spammers widely in mass attacks. However, in this campaign cybercriminals took on techniques that are typical of targeted attacks – the sent emails were tailored especially for the company of interest and are barely different from legitimate ones," said Roman Dedenok, security expert at Kaspersky.
The compromised credentials can then be put up for sale on dark web forums or used in targeted attacks against those organisations.
The emails have all the hallmarks of a standard corporate message: a logo belonging to a real company and a signature containing the sender's details. The only thing that distinguishes them from a genuine email is the sender's address, which does not match the real one.
Because the emails originated from a limited range of IP addresses and the attached archives contained the same Agent Tesla malware, the researchers believe the emails were all part of the same targeted campaign.
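The article names three observable traits of this lure: the branding and signature of a real counterparty, a sender address whose domain does not match that counterparty, and an executable (self-extracting archive) attachment, with the campaign itself tied together by a shared attachment hash and a narrow range of source IPs. The following Python script, an added example that is not Kaspersky's code or tooling, turns those traits into a mail-triage check. Every message, counterparty name, domain, hash and IP address in it is a constructed placeholder; the allow-list of known counterparty domains is an assumed local configuration.

```python
"""Triage mail for the counterparty-impersonation pattern described above.

Added example; all counterparties, domains, hashes and IPs are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from email.utils import parseaddr
import ipaddress

# Constructed allow-list: the company named in a signature and the domain
# that company genuinely sends from (hypothetical values).
KNOWN_COUNTERPARTIES = {
    "Acme Supplies": "acme-supplies.example",
    "Globex Logistics": "globex-logistics.example",
}

# A self-extracting archive is an executable, so it carries one of these
# extensions rather than arriving as a plain .zip or .7z.
SFX_EXTENSIONS = (".exe", ".scr", ".com")


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: dict) -> list[str]:
    """Return the article's per-message indicators that fire on one message."""
    findings = []
    expected = KNOWN_COUNTERPARTIES.get(msg["signature_company"])
    actual = sender_domain(msg["from"])
    # Indicator 1: styled as a known counterparty, sent from a different domain.
    if expected and actual != expected:
        findings.append(
            f"sender domain {actual!r} does not match {expected!r} "
            f"claimed by the signature"
        )
    # Indicator 2: the attachment is an executable (self-extracting archive).
    name = msg.get("attachment", "").lower()
    if name.endswith(SFX_EXTENSIONS):
        findings.append(f"executable attachment {name!r} (self-extracting archive)")
    return findings


def cluster_campaign(msgs: list[dict], prefix: int = 24) -> dict[str, set[str]]:
    """Group messages by attachment hash and list the /prefix networks each came from.

    One hash seen from a tight set of networks is the campaign-level evidence
    the researchers relied on.
    """
    by_hash: dict[str, set[str]] = defaultdict(set)
    for m in msgs:
        net = ipaddress.ip_network(f"{m['source_ip']}/{prefix}", strict=False)
        by_hash[m["attachment_sha256"]].add(str(net))
    return dict(by_hash)


# Constructed sample messages: one genuine invoice, two lure emails that copy
# the branding but come from look-alike domains in the same /24 (TEST-NET-3).
SAMPLE_MESSAGES = [
    {
        "from": "Acme Supplies <billing@acme-supplies.example>",
        "signature_company": "Acme Supplies",
        "attachment": "invoice_2291.pdf",
        "attachment_sha256": "CONSTRUCTED_HASH_PDF",
        "source_ip": "198.51.100.20",
    },
    {
        "from": "Acme Supplies <billing@acme-supplies-invoices.example>",
        "signature_company": "Acme Supplies",
        "attachment": "invoice_2291.exe",
        "attachment_sha256": "CONSTRUCTED_HASH_SFX",
        "source_ip": "203.0.113.10",
    },
    {
        "from": "Globex Logistics <accounts@globex-logistics-mail.example>",
        "signature_company": "Globex Logistics",
        "attachment": "shipping_docs.exe",
        "attachment_sha256": "CONSTRUCTED_HASH_SFX",
        "source_ip": "203.0.113.57",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m) or "clean")
    print(cluster_campaign(SAMPLE_MESSAGES))
```

The first check deliberately ignores the display name and logo, because those are exactly what the lure copies, and keys only on the address domain, which the article identifies as the one thing the attackers could not fake. The clustering step is what lets a mail team escalate from "one odd invoice" to "a coordinated campaign against us" using just the hash and the Received-chain IP.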