
Cybercrime, fake military document conveys AgentTesla to Ukraine

Fake military document conveys AgentTesla to Ukraine. CERT-UA cybersecurity experts: The “Доповідь_050722_4.ppt” attachment loads an exe file which, after several steps, installs and runs the malware

A fake military document is the latest lure in an AgentTesla campaign in Ukraine, as reported by the CERT-UA cybersecurity experts. Opening the attachment “Доповідь_050722_4.ppt” creates and executes an exe file: a .NET program obfuscated with ConfuserEx that loads the JPEG file “thumb_d_F3D14F4982A256B5CDAE9BD579429AE7.jpg”, locates the appropriate offset, decrypts and decompresses the data, and runs the resulting .NET program MCMDiction.exe (compile date: 2022-07-08). Finally, after a further series of steps (Gzip, AES, base64, XOR), the malware is executed. Stolen data is exfiltrated over FTP. Ukrainian authorities believe the attack was aimed at state organizations in the European country.
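As a defender-side triage aid, added here and not part of the CERT-UA report or of the malware, the following Python walks a JPEG's segment structure to the EOI marker and reports any bytes appended after it (offset, size, magic-number guess, entropy). It assumes the hidden payload sits after the image data, which the report does not confirm; the sample JPEG and trailer are constructed for the example.

```python
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
MAGIC = {b"\x1f\x8b": "gzip", b"MZ": "pe", b"PK\x03\x04": "zip"}


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == SOI or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2  # stand-alone markers carry no length field
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == SOS:
            # entropy-coded data runs until a marker that is neither a
            # stuffed 0xFF00 pair nor a restart marker (RST0..RST7)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    probs = [buf.count(b) / len(buf) for b in set(buf)]
    return -sum(p * math.log2(p) for p in probs)


def inspect_trailer(data: bytes) -> dict:
    """Report bytes appended after EOI; high entropy suggests encrypted/compressed data."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    kind = next((n for m, n in MAGIC.items() if tail.startswith(m)), "unknown")
    return {"offset": end, "size": len(tail), "kind": kind,
            "entropy": round(shannon_entropy(tail), 2)}


def build_sample_jpeg(trailer: bytes) -> bytes:
    """Constructed minimal JPEG (APP0 + SOS + scan bytes + EOI) with data appended."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + b"\xff\xd9" + trailer
```

A clean image yields a size of 0; a non-zero trailer, especially one with entropy near 8 bits per byte, is worth a closer look.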
