{"id":20120,"date":"2022-09-23T04:02:45","date_gmt":"2022-09-23T08:02:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/agent-tesla-spam-mailout\/20120\/"},"modified":"2022-09-26T16:53:33","modified_gmt":"2022-09-26T12:53:33","slug":"agent-tesla-spam-mailout","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/agent-tesla-spam-mailout\/20120\/","title":{"rendered":"Trojan-stealer discovered in spam mailouts to businesses"},"content":{"rendered":"<p>We\u2019re seeing a new malicious mass-mailing campaign aimed at company employees, with Agent Tesla spyware in the attachments. This time, the attackers pay special attention to detail when crafting their e-mails, so that the messages can easily be mistaken for regular business correspondence with attached documents. Their end goal is to trick the recipient into opening the attached archive and executing the malicious file inside it.\n<\/p>\n<h2>Why is this malicious mailing special?<\/h2>\n<p>\nTo start with, the cybercriminals use real companies as cover: their e-mails carry genuine logos and legitimate-looking signatures. Their English is far from perfect, so they pose as residents of non-English-speaking countries (Bulgaria or Malaysia, for example) to raise less suspicion.<\/p>\n<p>The attackers send out their malicious archive in the name of many different companies, changing the text accordingly. Sometimes they ask for prices for goods supposedly listed in the attached archive; other times they ask whether a listed product is in stock. We have probably not seen every version of the text they use to lure victims. The idea is to make the recipient open the attachment to see what goods this pseudo-client is interested in. The cybercriminals have put a lot of effort into the preparation stage, which is not typical of such mass-mailing campaigns. 
Previously, we\u2019ve seen such techniques only in targeted attacks.<\/p>\n<div id=\"attachment_45622\" style=\"width: 1441px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/09\/23141506\/agent-tesla-spam-mailout-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-45622\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/09\/23141506\/agent-tesla-spam-mailout-letter.jpg\" alt=\"An example of a malicious letter with Agent Tesla in the attachment.\" width=\"1431\" height=\"645\" class=\"size-full wp-image-45622\"><\/a><p id=\"caption-attachment-45622\" class=\"wp-caption-text\">An example of a malicious letter with Agent Tesla in the attachment.<\/p><\/div>\n<p>From the recipient\u2019s point of view, the only red flag visible to the naked eye is the sender\u2019s address. Its domain rarely matches the company named in the signature, and the sender\u2019s display name differs from the name in the signature, neither of which is typical of legitimate business correspondence. In the example above, the mail comes from a \u201cnewsletter@\u201d address, which may be OK for a marketing mailout but is not normal for a request for a price quotation.\n<\/p>\n<h2>What is the Agent Tesla trojan?<\/h2>\n<p>\nAgent Tesla, detected by our solutions as Trojan-PSW.MSIL.Agensla, is fairly old malware that steals confidential information and sends it to its operators. First of all, it hunts for credentials stored in various programs: browsers, e-mail clients, FTP\/SCP clients, databases, remote administration tools, VPN applications, and several instant messengers. It is also capable of stealing clipboard data, logging keystrokes, and taking screenshots.<\/p>\n<p>Agent Tesla sends all collected information to the attackers via e-mail. 
However, some modifications of the malware can also exfiltrate data via the Telegram messenger, or upload it to a web server or an FTP server.<\/p>\n<p>You can find additional detail about this malware and campaign, along with indicators of compromise, in this <a href=\"https:\/\/securelist.com\/agent-tesla-malicious-spam-campaign\/107478\/\" target=\"_blank\" rel=\"noopener\">Securelist blog post<\/a>.\n<\/p>\n<h2>How to stay safe<\/h2>\n<p>\nIdeally, such cyberthreats should be stopped at an early stage, when the malicious letter reaches the corporate mail server. While the naked eye can\u2019t always spot a threat at first glance, mail scanners usually can. It\u2019s therefore a good idea to protect the mail server with an appropriate <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a>.<\/p>\n<p>You should also raise the level of cybersecurity awareness among your employees, for example by using <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">online learning platforms<\/a>.<\/p>\n<p>To make sure the malware isn\u2019t executed even if someone does open the attachment, consider equipping your employees\u2019 computers with relevant <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">protection<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are sending companies high-quality imitations of business letters with a spyware trojan in the 
attachment.<\/p>\n","protected":false},"author":2598,"featured_media":20123,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1815,2095,240,692],"class_list":{"0":"post-20120","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-e-mail","11":"tag-mail","12":"tag-spam","13":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/agent-tesla-spam-mailout\/20120\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/agent-tesla-spam-mailout\/24662\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/agent-tesla-spam-mailout\/10154\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/agent-tesla-spam-mailout\/27108\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/agent-tesla-spam-mailout\/24996\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/agent-tesla-spam-mailout\/25326\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/agent-tesla-spam-mailout\/27738\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/agent-tesla-spam-mailout\/27246\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/agent-tesla-spam-mailout\/34025\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/agent-tesla-spam-mailout\/11060\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/agent-tesla-spam-mailout\/45621\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/agent-tesla-spam-mailout\/19517\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/agent-tesla-spam-mailout\/20076\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/agent-tesla-spam-mailout\/29318\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/agent-tesla-spam-mailout\/32
685\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/agent-tesla-spam-mailout\/28508\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/agent-tesla-spam-mailout\/25482\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/agent-tesla-spam-mailout\/31056\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/agent-tesla-spam-mailout\/30755\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20120"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20120\/revisions"}],"predecessor-version":[{"id":20136,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20120\/revisions\/20136"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20123"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
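The sender red flags the post lists under the screenshot (From domain not matching the company in the signature, display name differing from the person signing off, a "newsletter@" local part on a request for a quotation, and the "price list" arriving as an archive) can be turned into a triage script for a mail gateway or a SOC playbook. The following is an added example, not code from the post, from Kaspersky or from the Securelist write-up. The two messages it scores are constructed for this example and use reserved example domains only; the attachment body is a placeholder, not a real archive or a malware sample, and the heuristics, thresholds and flag names are this example's own choices.

```python
"""Heuristic triage of an inbound e-mail for the sender red flags the post
describes: From-domain vs. signature mismatch, display name vs. signatory
mismatch, a bulk 'newsletter@'-style sender on a quotation request, and an
archive attached to that request. Added example, not Kaspersky code; the
sample messages are constructed and use reserved example domains only."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Local parts normal for bulk marketing but out of place on a purchase enquiry.
BULK_LOCAL_PARTS = {"newsletter", "noreply", "no-reply", "marketing", "news"}
# Wording that marks the lure: a request for prices or stock availability.
QUOTE_REQUEST_RE = re.compile(r"\b(quotation|quote|price list|prices?|in stock)\b", re.I)
# Archive types used as the delivery container for the executable.
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img", ".gz")
# Web addresses or e-mail addresses found in a signature block.
SIG_DOMAIN_RE = re.compile(r"(?:@|www\.|https?://)([\w.-]+\.\w+)")


def domain_of(addr: str) -> str:
    """Lowercased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def signature_block(text: str) -> str:
    """The last few non-empty lines of the body, where the signature lives."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return "\n".join(lines[-6:])


def assess(raw: str) -> dict:
    """Parse one RFC 5322 message and return the red flags it triggers."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    sig = signature_block(text)
    is_quote_request = bool(QUOTE_REQUEST_RE.search(text))
    flags = []

    # 1. The company in the signature is on a different domain than the sender.
    sig_domains = {d.lower() for d in SIG_DOMAIN_RE.findall(sig)}
    sig_domains = {d[4:] if d.startswith("www.") else d for d in sig_domains}
    if sig_domains and from_domain not in sig_domains:
        flags.append(f"from_domain_mismatch:{from_domain}!={','.join(sorted(sig_domains))}")

    # 2. The From display name is not the person who signs the letter.
    if display_name and display_name.split()[-1].lower() not in sig.lower():
        flags.append(f"display_name_not_in_signature:{display_name}")

    # 3. A bulk-mail local part on a one-to-one request for a quotation.
    local_part = from_addr.split("@")[0].lower()
    if local_part in BULK_LOCAL_PARTS and is_quote_request:
        flags.append(f"bulk_sender_on_quote_request:{local_part}@")

    # 4. The 'price list' arrives as an archive rather than as a document.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if is_quote_request and any(n.lower().endswith(ARCHIVE_EXTS) for n in names):
        flags.append("archive_on_quote_request:" + ",".join(names))

    # Two independent flags is this example's threshold for holding the mail.
    return {"from": from_addr, "flags": flags, "suspicious": len(flags) >= 2}


# Constructed sample: the pattern described in the post. The base64 body of
# the attachment is a placeholder, not a real archive.
SUSPICIOUS_EML = """\
From: "Mark Dupont" <newsletter@mail-example.net>
To: sales@victim.example
Subject: Request for quotation - items in attached list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sir,

Kindly check the attached list and tell us the prices and whether the
goods are in stock.

Best regards,
Petar Ivanov
Purchasing Manager, Example Trading Ltd.
www.example-trading.com
--b1
Content-Type: application/zip; name="Order_list.zip"
Content-Disposition: attachment; filename="Order_list.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: a consistent enquiry from the company's own domain.
BENIGN_EML = """\
From: "Petar Ivanov" <p.ivanov@example-trading.com>
To: sales@victim.example
Subject: Request for quotation
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear Sir,

Could you send us your current prices for the items we discussed by phone?

Best regards,
Petar Ivanov
Purchasing Manager, Example Trading Ltd.
www.example-trading.com
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_EML, BENIGN_EML):
        print(assess(sample))
```

The sender checks are deliberately cheap header-and-body heuristics, so they belong in front of, not instead of, an attachment scanner: they catch the social-engineering shape the post describes (quotation request, mismatched identities, archive as the "price list") even when the archived payload itself is not yet detected.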