Researchers Unveil The Attackers Behind The Agent Tesla Campaign

Check Point Research has exposed a recent wave of cyberattacks utilizing the infamous Agent Tesla malware. This campaign targeted organizations in the United States and Australia.

First appearing in 2014, Agent Tesla masquerades as legitimate software but acts as a silent thief in the background. 

It functions as a keylogger, recording every keystroke made on an infected device. 

This allows attackers to steal sensitive information like usernames, passwords, and financial data, potentially leading to devastating consequences.

The attack, initiated in November 2023, relied heavily on phishing emails. These deceptive emails, often crafted with social engineering tactics, are designed to trick recipients into clicking malicious links or attachments. 

In this case, the emails likely appeared to be legitimate purchase orders or delivery notifications, increasing the chance of someone clicking.

Check Point Research identified two key players in this operation: Bignosa, the main threat actor, and Gods, a possible collaborator.

html

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Bignosa appears to be part of a larger group targeting organizations globally. Evidence suggests they possess vast email databases focusing on businesses, educational institutions, and even individuals in both the US and Australia.  

Additionally, they maintain a network of servers used for remote access and launching phishing campaigns.

Attack Breakdown

Bignosa set up servers, installed email software like RoundCube, and uploaded malicious payloads protected with a custom tool called “Cassandra Protector.” 

This tool disguises the initial code and converts the malware into seemingly harmless ISO files. Bignosa utilized stolen email credentials to send out phishing emails with disguised Agent Tesla attachments. 

The emails mimicked legitimate business communications, likely leveraging content from online resources.

Upon clicking the attachment, the Agent Tesla malware downloaded and executed, silently stealing sensitive information from the infected device. 

This information was then relayed back to the attacker’s servers. Following the initial attack on Australian organizations on November 7th, a second wave targeted both the US and Australia on November 30th. 

The tactics remained consistent, highlighting the effectiveness of phishing emails for Bignosa.

Both campaigns employed Cassandra Protector, a commercially available tool that allows attackers to obfuscate malware and bypass security measures.  

Bignosa leveraged Cassandra Protector’s functionalities like anti-virus evasion and creating ISO files to mask the true nature of the malware.

Bignosa, a cybercriminal likely from Kenya, appears to be a seasoned attacker. He uses the alias Nosakhare and has been conducting phishing campaigns for a while. 

Evidence suggests he uses Agent Tesla and other malware (Quasar, Warzone, PureCrypter) and relies on tools like Grammarly and SuperMailer for his malicious activities.

Bignosa collaborates with Gods, another attacker who may operate under multiple aliases (Gods & Kmarshal).  

Gods transitioned from phishing to malware campaigns around June 2023 and appears to be more technically skilled, even helping Bignosa clean Agent Tesla infections.

While the investigation couldn’t fully identify Gods, it revealed interesting clues.  He potentially studied at a Turkish university, doesn’t speak Turkish fluently, and uses ChatGPT to translate spam messages. 

Additionally, a YouTube channel (“8 Letter Tech”) linked to Gods’ email address provides tutorials on setting up email servers, potentially used for his malicious campaigns.

The investigation uncovers their collaboration through shared resources and communication.  

For example, a VDS server paid for by Bignosa was later administered by Gods. Social media analysis further strengthens the connection between Bignosa and Gods.  

The investigation identified connections between accounts associated with both individuals, including a web design business potentially run by Gods (using the alias Kingsley Fredrick).

The investigation also revealed God’s continued malicious activity. He launched phishing campaigns in December 2023 and January 2024, highlighting the ongoing threat posed by this group.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide