
Cybercrime, Agent Tesla conveyed via payment order

Technical analysis by the Malware Hunter JAMESWT

Agent Tesla conveyed via a fake payment order. Two emails with different gz attachments contain the same chm file, which downloads and launches the malware. The stolen data is exfiltrated over FTP through the compromised FTP of a Bosnian company.

Agent Tesla is hiding behind a fake email themed as a payment order. The message's gz attachment contains a chm file.


The chm file, if opened, downloads and launches the malware.

The stolen data is then exfiltrated via FTP, through the compromised FTP of a Bosnian company.

Two emails with different attachments are in circulation; within the gz archives, however, the chm file is identical. Agent Tesla, through its keylogger function, captures everything the user types. It can also steal credentials from browsers and email clients and take screenshots. Finally, it can receive remote commands on the infected PC, such as downloading additional payloads or updating existing ones.
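As an added defensive example (not code from the original article), the following Python flags the delivery vector described here: a gzip attachment whose inner file carries the CHM signature. The sample attachments are constructed inline, and the 50 MiB inflation cap is an assumed value, not one from the article.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
CHM_MAGIC = b"ITSF"              # header of Microsoft Compiled HTML Help files
MAX_INFLATED = 50 * 1024 * 1024  # assumed cap: refuse to inflate past 50 MiB (decompression-bomb guard)


def inflate_capped(data: bytes, limit: int = MAX_INFLATED):
    """Inflate a gzip stream; return None if it is invalid, truncated or larger than the cap."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ makes zlib parse the gzip header itself
    try:
        out = d.decompress(data, limit + 1)
    except zlib.error:
        return None
    if len(out) > limit or d.unconsumed_tail or not d.eof:
        return None  # output exceeded the cap, or the stream never reached a clean end
    return out


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment: a gz-wrapped CHM, or a gz that cannot be safely inflated, is suspicious."""
    result = {"attachment": name, "is_gzip": False, "inner_is_chm": False, "suspicious": False}
    if not data.startswith(GZIP_MAGIC):
        return result  # not gzip; other archive types need their own handler
    result["is_gzip"] = True
    payload = inflate_capped(data)
    if payload is None:
        result["suspicious"] = True
        return result
    # Check the inner file's magic bytes, not a claimed extension, which the sender controls.
    result["inner_is_chm"] = payload.startswith(CHM_MAGIC)
    result["suspicious"] = result["inner_is_chm"]
    return result


# Constructed samples: a CHM-looking payload, a benign text file (both gzipped), and a non-archive.
FAKE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 64  # ITSF signature only, not a real CHM
SAMPLES = {
    "payment_order.gz": gzip.compress(FAKE_CHM, mtime=0),
    "invoice.txt.gz": gzip.compress(b"plain text invoice\n", mtime=0),
    "notes.txt": b"not an archive at all\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(inspect_attachment(fname, blob))
```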
