Thousands of Australian Businesses Targeted With Reliable Agent Tesla RAT

Published: 23/11/2024   Category: security




Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.



More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.
Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.
Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.
Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have developed a level of trust in Agent Tesla's capabilities.
"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.
The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.
Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote code execution flaw to sling Agent Tesla.
An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.
Check Point said a threat actor dubbed Bignosa first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.
Cassandra Protector bundles a variety of options that allow cybercriminals to configure a sleep time before execution, a delay intended to outlast automated sandbox analysis. Among other functions, it controls the text in the fake dialog box that appears when victims open a malicious file.
Once Agent Tesla was protected this way, Bignosa packed the malicious .NET executable into an ISO disk image and gave the file a .img extension before attaching it to the spam emails. Windows mounts such an image as a virtual drive on double-click, and the files inside do not carry the Mark-of-the-Web that would otherwise trigger SmartScreen warnings.
Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, a few successful infections hit Australia in a first wave of the attack.
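The delivery step above, an ISO disk image renamed to .img and attached to an order-inquiry lure, is easy to catch at the mail gateway if the filter looks at content rather than trusting the extension. The following Python script is an added example written for this page, not Check Point's tooling or code from the campaign: it parses a message with the standard library, flags attachments whose extension is a mountable image type, and independently checks for the ISO 9660 or UDF volume descriptor signature at sector 16 so that an image renamed to .pdf is still flagged. The sender, recipient and subject are constructed sample data, and the attachment is a synthetic image containing only the signature, not a real disk image.

```python
"""Flag mail attachments that are optical disk images (ISO 9660 / UDF),
the delivery container used for the Agent Tesla payload above, whether
or not the file carries an .iso/.img extension."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows mounts as a virtual drive when double-clicked; files
# inside a mounted image lack the Mark-of-the-Web, so SmartScreen stays quiet.
IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}

# ISO 9660 and UDF volume descriptors start at sector 16 (2048-byte sectors);
# byte 0 is the descriptor type and bytes 1..5 are the standard identifier.
VOLUME_DESCRIPTOR_OFFSET = 16 * 2048 + 1
ISO9660_MAGIC = b"CD001"
UDF_MAGICS = (b"BEA01", b"NSR02", b"NSR03")


def looks_like_disk_image(data: bytes) -> bool:
    """Content check: is there an ISO 9660 or UDF identifier at sector 16?"""
    sig = data[VOLUME_DESCRIPTOR_OFFSET:VOLUME_DESCRIPTOR_OFFSET + 5]
    return sig == ISO9660_MAGIC or sig in UDF_MAGICS


def extension_of(filename: str) -> str:
    """Lower-cased final extension including the dot, or '' if none."""
    if "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[-1].lower()


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that is, or claims to be, a disk image."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_ext = extension_of(name) in IMAGE_EXTENSIONS
        by_magic = looks_like_disk_image(payload)
        if by_ext or by_magic:
            findings.append({
                "filename": name,
                "by_extension": by_ext,   # what the attacker wants you to see
                "by_magic": by_magic,     # what the bytes actually are
                "size": len(payload),
            })
    return findings


def build_sample(filename: str, with_magic: bool) -> bytes:
    """Constructed sample message (hypothetical addresses) carrying a fake
    disk image: zero-filled, with only the ISO 9660 identifier planted at
    sector 16 when with_magic is True. Not a mountable image."""
    msg = EmailMessage()
    msg["From"] = "sales@supplier.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Purchase order 4471 - delivery inquiry"
    msg.set_content("Please find the order details attached.")
    body = bytearray(VOLUME_DESCRIPTOR_OFFSET + 32)
    if with_magic:
        body[VOLUME_DESCRIPTOR_OFFSET:VOLUME_DESCRIPTOR_OFFSET + 5] = ISO9660_MAGIC
    msg.add_attachment(bytes(body), maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for name, magic in [("Order_4471.img", True),
                        ("Order_4471.pdf", True),
                        ("Order_4471.pdf", False)]:
        print(name, scan_message(build_sample(name, magic)))
```

The two checks are kept separate on purpose: an extension hit with no magic is a mislabelled file worth a look, and a magic hit with a harmless extension is the renamed-image trick; logging both flags makes the gateway's decision auditable. A production filter would go on to mount or parse the image and inspect the files inside, which this example does not do.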
The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named AU B2B Lead.txt on their machines.
"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.
Bignosa also worked with another more proficient cybercriminal, who immodestly goes by Gods, in a campaign to hack into Australian and US-based businesses, the researchers found.
Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.
Like other cybercriminals, the duo struggled with elements of their campaign, according to evidence uncovered by Check Point.
In multiple instances, Bignosa wasn't able to remove the Agent Tesla test infections from his own machine, so the hapless hacker had to call on Gods for remote-access assistance.
Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.
The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.
Businesses should keep operating systems and applications up to date by promptly installing patches and using other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that reaches user inboxes, according to Check Point.
Even so, end users must exercise caution when encountering unexpected emails containing links or attachments, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.
