New Agent Tesla Campaign Targets Spanish-Speaking Users

Agent Tesla malware campaign
The whole process of this Agent Tesla campaign

FortiGuard Labs has recently identified a new phishing campaign deploying a variant of the notorious Agent Tesla malware, specifically targeting Spanish-speaking users. Agent Tesla, a well-known Remote Access Trojan (RAT), has been active for years, but this campaign introduces new tactics to infiltrate systems and exfiltrate sensitive information.

The whole process of this Agent Tesla campaign | Image: FortiGuard Labs

This insidious campaign utilizes a multi-pronged approach, exploiting vulnerabilities in Microsoft Office applications and employing a series of fileless modules and obfuscation techniques to evade detection. Victims are lured with a seemingly legitimate SWIFT transfer notification email containing a malicious Excel attachment.

Once the victim opens the Excel attachment, it leverages the CVE-2017-0199 vulnerability in Microsoft Office. This vulnerability allows the document to execute a malicious embedded hyperlink automatically, downloading an RTF document that further exploits the CVE-2017-11882 vulnerability in Microsoft Office’s Equation Editor. This ultimately led to the execution of Agent Tesla RAT on the victim’s computer. This powerful malware can then siphon off a wide array of sensitive information, including login credentials, keystrokes, screenshots, and even email contacts.

The Infection Chain

  1. Initial Download: The Excel file downloads an RTF document from a specified URL.
  2. Execution of Shellcode: The RTF document contains crafted equation data that triggers a buffer overflow, allowing the execution of malicious shellcode.
  3. JavaScript and PowerShell: The shellcode downloads a JavaScript file, which in turn fetches a base64-encoded PowerShell script.
  4. Fileless Malware: The PowerShell script downloads a JPG file with an appended loader-module, decodes it, and loads it into memory without saving it to disk, making detection difficult.
  5. Loading Agent Tesla: The loader-module initiates a process hollowing technique to execute Agent Tesla within a legitimate Windows process named AddInProcess32.exe.

Agent Tesla is a .Net-based RAT designed to covertly steal a wide range of information from victims’ computers. This includes hardware details, login credentials, keystrokes, email contacts, web browser cookies, clipboard data, screenshots, and more. The malware can harvest credentials from various widely-used software, making it a potent threat to both individuals and organizations.

Agent Tesla employs several techniques to evade detection:

  • Anti-Debugging: Checks for the presence of debuggers, virtual machines, and certain AV or sandbox DLLs.
  • Environment Checks: Uses WMI queries and external services to determine if it’s running in a controlled environment.
  • Fileless Execution: By running most of its code in memory, it avoids leaving traces on the disk.

Unlike many previous variants that used HTTP POST or SMTP, this Agent Tesla variant uses FTP to exfiltrate stolen data. The data is uploaded to an FTP server, with credentials stored as plaintext within the malware. The stolen data is saved in HTML and TXT files, formatted with the user’s details and system date/time.