Researchers investigated a recent Agent Tesla malware campaign targeting US and Australian organizations, which used phishing emails with fake purchase orders to trick victims into clicking malicious links. 

Upon clicking, an obfuscated Agent Tesla sample protected by Cassandra Protector was downloaded and executed, stealing keystrokes and login credentials. 

The investigation identified two cybercriminals, Bignosa (the main threat) and Gods, who used a large email database and multiple servers for RDP connections and malware campaigns. 

The malware campaign involved a multi-step preparation phase before distributing malicious spam. 

Campaign of the Malware:

Threat actor “Bignosa” launched two malware campaigns targeting Australian and US organizations by using phishing emails with a disguised Agent Tesla attachment (PDF.IMG) protected by Cassandra Protector. 

“Bignosa” compromised servers by installing Plesk and RoundCube, connecting via SSH and RDP. The first campaign on November 7th originated from a server (172.81.60.206) with a Kenyan SSH connection (41.90.185.44). 

The second campaign on November 29th and 30th used a different server (192.236.236.35) with a Bulgarian RDP connection (91.215.152.7) as both campaigns sent emails from newly created webmail accounts and the attack methods were identical, except for the server addresses. 

Bignosa, a malicious actor, used Cassandra Protector, a tool that obfuscates code and creates executables disguised as ISOs, to deliver malware via spam emails. 

Cassandra Protector offers functionalities like persistence, anti-virus evasion, and customizability used by Bignosa to make the malware bypass security measures and remain undetected on the target machine.  

According to Check Point report, Bignosa used Agent Tesla and performed phishing attacks, while Gods mentored Bignosa and also conducted phishing attacks in the past. 

They communicated via Jabber and TeamViewer, whereas Bignosa used RDP to connect to a VDS server and distribute Agent Tesla. 

Gods used a YouTube channel called “8 Letter Tech,” which is linked to the email address unlimi[email protected] , which was also used by the Gods Threat actor.

Threat actors had been linked to “Bignosa” and “Gods” through a VDS account and shared an IP address in which “Bignosa” has used the VDS for phishing attacks since March 2023, while “Gods” used the same IP for a DynuDNS service linked to his email. 

Social media analysis revealed “Tamegurus” connected to legitimate web design and “Gods” through Turkish university ties. “8 Letter Studio” on social media further connected “Tamegurus” and “Gods,” with the latter’s real name discovered as Kingsley Fredrick. 

A recent phishing campaign by “Gods” was identified under the alias “GODINHO” in December 2023–January 2024, highlighting how cybercriminals may combine legitimate work with illegal activities. 

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-second Assessment.