Categories: Uncategorized

AGENT TESLA Malware Steals login Credentials From Chrome & Firefox

Researchers investigated a recent Agent Tesla malware campaign targeting US and Australian organizations, which used phishing emails with fake purchase orders to trick victims into clicking malicious links. 

Upon clicking, an obfuscated Agent Tesla sample protected by Cassandra Protector was downloaded and executed, stealing keystrokes and login credentials. 

The investigation identified two cybercriminals, Bignosa (the main threat) and Gods, who used a large email database and multiple servers for RDP connections and malware campaigns. 

The malware campaign involved a multi-step preparation phase before distributing malicious spam. 

The activity of the “Bignosa” threat actor shown on the timeline
Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Your Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Campaign of the Malware:

Threat actor “Bignosa” launched two malware campaigns targeting Australian and US organizations by using phishing emails with a disguised Agent Tesla attachment (PDF.IMG) protected by Cassandra Protector. 

Malware campaign targeting AU 7th of November

“Bignosa” compromised servers by installing Plesk and RoundCube, connecting via SSH and RDP. The first campaign on November 7th originated from a server (172.81.60.206) with a Kenyan SSH connection (41.90.185.44). 

Attack scheme for these two campaigns

The second campaign on November 29th and 30th used a different server (192.236.236.35) with a Bulgarian RDP connection (91.215.152.7) as both campaigns sent emails from newly created webmail accounts and the attack methods were identical, except for the server addresses. 

Malspam text and attachment

Bignosa, a malicious actor, used Cassandra Protector, a tool that obfuscates code and creates executables disguised as ISOs, to deliver malware via spam emails. 

Cassandra Protector offers functionalities like persistence, anti-virus evasion, and customizability used by Bignosa to make the malware bypass security measures and remain undetected on the target machine.  

“Bignosa” account details for Cassandra Protector

According to Check Point report, Bignosa used Agent Tesla and performed phishing attacks, while Gods mentored Bignosa and also conducted phishing attacks in the past. 

“Gods” and “Kmarshal” in one Jabber account

They communicated via Jabber and TeamViewer, whereas Bignosa used RDP to connect to a VDS server and distribute Agent Tesla. 

ChatGPT used to translate spam messages into Turkish

Gods used a YouTube channel called “8 Letter Tech,” which is linked to the email address unlimitedsendertech@gmail.com , which was also used by the Gods Threat actor.

Threat actors had been linked to “Bignosa” and “Gods” through a VDS account and shared an IP address in which “Bignosa” has used the VDS for phishing attacks since March 2023, while “Gods” used the same IP for a DynuDNS service linked to his email. 

Email used by “Gods” in the video by Kingsley F

Social media analysis revealed “Tamegurus” connected to legitimate web design and “Gods” through Turkish university ties. “8 Letter Studio” on social media further connected “Tamegurus” and “Gods,” with the latter’s real name discovered as Kingsley Fredrick. 

A recent phishing campaign by “Gods” was identified under the alias “GODINHO” in December 2023–January 2024, highlighting how cybercriminals may combine legitimate work with illegal activities. 

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-second Assessment.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

24 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago