Cybercrime Actors Behind Agent Tesla Campaigns Unmasked

In a report, Check Point Research (CPR) has lifted the veil of anonymity surrounding two cybercrime actors responsible for recent Agent Tesla malware campaigns. Through meticulous investigation, the researchers exposed the identities, tactics, and online footprints of these individuals, dubbed “Bignosa” and “Gods”.

The campaigns target American and Australian entities and deliver the notorious Agent Tesla malware. This advanced Remote Access Trojan (RAT), known for its stealth and efficiency in pilfering sensitive data from unsuspecting victims, has once again been thrust into the spotlight. Agent Tesla has been a recurring figure in the annals of cyber threats, consistently ranking among the top ten malware families since 2020.

Attack scheme for these two campaigns | Image: Check Point Research

CPR’s investigation has revealed an intricate malware campaign initiated on November 7, 2023, against Australian organizations, swiftly followed by a parallel operation focusing on both Australian and American targets. These meticulously crafted phishing campaigns, leveraging a staggering base of 62,000 emails, sought to filch organizational email credentials as a precursor to unleashing Agent Tesla’s malevolent payload.

The orchestrators of this digital malevolence, identified as “Bignosa” and “Gods,” have emerged as adept operators of malware and phishing schemes. Their operation, deeply rooted in cyber-criminal methodologies, relies on a vast network of servers for Remote Desktop Protocol (RDP) connections and malware dissemination, with a particular penchant for using Roundcube webmail in the subsequent stages of their operations.

The attackers used phishing campaigns, customized malware protectors, and evasion tactics to hinder detection and maximize the success of their operations.

The emails masquerade as legitimate business inquiries concerning the procurement of goods and order deliveries. This cunning strategy is designed to maximize the likelihood of engagement, leading unsuspecting victims down a perilous path.

Once the recipient interacts with the lure, the Agent Tesla sample, cloaked by the Cassandra Protector, lands on the victim’s machine. This protector, built for .NET samples, is laden with deceptive capabilities ranging from anti-antivirus maneuvers to the application of fraudulent certificates.

The phishing texts were craftily extracted from online repositories of sales letter samples and professional writing aids. These campaigns, far from the simplicity of a mere mouse click, unveil a complex preparation process aimed at ensnaring victims with precision.

The inaugural assault, launched by “Bignosa,” targeted an expansive array of Australian companies with a PDF.IMG attachment harboring the disguised Agent Tesla, safeguarded by the Cassandra Protector. The operational base for this onslaught, a server identified as chserver.top, served as the springboard for this meticulously orchestrated campaign.
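As an added illustration that is not part of the CPR report, the following Python triage routine flags the attachment pattern described above: a disk-image container whose name carries a document-lookalike double extension (such as PDF.IMG), and any Windows executable (PE "MZ" header) found inside it. The sample attachments are constructed, and the inner-file listing assumes the mail gateway has already unpacked the image.

```python
from dataclasses import dataclass, field

# Container types that many mail gateways pass through without unpacking.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd"}
# Document extensions an attacker may prepend to make a container look harmless.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
PE_MAGIC = b"MZ"  # DOS header signature present in every Windows PE file


@dataclass
class Attachment:
    name: str
    data: bytes
    # Files extracted from the container by the gateway (assumption: already unpacked).
    inner_files: dict = field(default_factory=dict)


def split_extensions(name: str):
    """Return (inner_ext, outer_ext) for names like 'order.pdf.img', else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[0]:
        return "." + parts[1], "." + parts[2]
    return None


def triage_attachment(att: Attachment) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    exts = split_extensions(att.name)
    outer = "." + att.name.lower().rsplit(".", 1)[-1] if "." in att.name else ""
    if exts and exts[0] in DOC_EXTS and exts[1] in DISK_IMAGE_EXTS:
        findings.append(f"document-lookalike name on a disk image: {att.name}")
    elif outer in DISK_IMAGE_EXTS:
        findings.append(f"disk-image attachment: {att.name}")
    for inner_name, blob in att.inner_files.items():
        if blob.startswith(PE_MAGIC):
            findings.append(f"Windows executable inside {att.name}: {inner_name}")
    return findings


# Constructed samples: a lure in the style described (document name, .IMG container
# wrapping a PE) and a genuine PDF for comparison.
LURE = Attachment(
    name="Purchase_Order_4471.PDF.IMG",
    data=b"\x00" * 16,  # placeholder bytes, not a real ISO9660 volume
    inner_files={"Purchase_Order_4471.pdf.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 10},
)
BENIGN = Attachment(name="invoice.pdf", data=b"%PDF-1.4\n")
```

Calling `triage_attachment(LURE)` yields two findings (the lookalike name and the embedded executable), while `triage_attachment(BENIGN)` returns an empty list.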

Check Point Research’s investigation revealed the following identities behind these pseudonyms:

  • Bignosa: A Kenyan national named Nosakhare Godson, with evidence linking him to a network of malware operations and previous phishing campaigns.
  • Gods: Identified as Kingsley Fredrick, a Nigerian with apparent links to Turkey and an active online presence in the world of web design.

This case highlights how accessible and potent even well-known malware like Agent Tesla is in the hands of motivated cybercriminals. With minimal technical expertise and resources, attackers can inflict significant harm upon businesses and individuals.