
Cybercrime, Agent Tesla is back in Italy via Avion

Technical analysis by the Malware Hunter JAMESWT

New Agent Tesla malspam campaign in Italy. This time the lure is the freight forwarder Avion. The email carries a compressed attachment with an executable inside; launching it installs the malware, which sends the stolen data out by email over SMTP.

Agent Tesla returns to Italy with a malspam campaign that impersonates the freight forwarder Avion and targets the maritime shipping (seafreight) sector in particular. The lure is, as usual, a fake order, meant to get the recipient to open the attachment: a compressed archive with an .exe file inside. If the victim runs it, the malware is installed. The criminals' goal is to steal sensitive data from the victim, which is then exfiltrated by email over SMTP, through the account unirii @ nordpharm [.ro, to a fixed collection address (ricemagic290 @ gmail [.com). Agent Tesla's keylogger captures everything the user types; it can also steal email and browser credentials and take screenshots. Finally, the operator can issue commands to the infected PC remotely, such as downloading additional payloads or updating existing ones.
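The two stages described above, delivery by a ZIP-wrapped executable and exfiltration by SMTP, each leave something a mail gateway or SOC analyst can check for. The following is an added example written for this page, not code from the article or from JAMESWT's analysis: it parses an e-mail, opens any ZIP attachment in memory and flags members that are Windows executables (by extension and by the `MZ` PE header), and it scans MTA log lines for mail sent through the sender account and to the collector address quoted in the article. The sample e-mail, the fake PE bytes and the log lines are constructed for the demo; the `from=<...>, to=<...>` log layout is an assumption (Postfix-style) and the indicators are the article's, written out without defanging.

```python
"""Added example (not from the original article): gateway/SOC checks for the
Agent Tesla campaign described above.

1. inspect_message(): parse an e-mail, open ZIP attachments in memory and
   flag members that are Windows executables (extension or 'MZ' PE header).
2. find_smtp_exfil(): scan SMTP log lines for mail from the sender account
   to the collector address named in the article.

The e-mail, the fake PE bytes and the log lines below are constructed for
the demo. The log format is an assumed Postfix-style layout.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article (there defanged as "unirii @ nordpharm [.ro"
# and "ricemagic290 @ gmail [.com").
EXFIL_SENDER = "unirii@nordpharm.ro"
EXFIL_RECIPIENT = "ricemagic290@gmail.com"

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"


def _build_sample_message() -> bytes:
    """Constructed lure: a fake order e-mail with a ZIP holding a fake PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake PE: only the DOS header magic plus padding. Not a real program.
        zf.writestr("Order_Avion_2023.exe", PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Please confirm the attached order.")
    msg = EmailMessage()
    msg["From"] = "seafreight@example.invalid"   # constructed sender
    msg["To"] = "accounts@example.invalid"       # constructed recipient
    msg["Subject"] = "New order - Avion seafreight"
    msg.set_content("Dear Sir, please find attached our new order.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Order_Avion.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list[dict]:
    """Return one finding per executable found inside a ZIP attachment."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = name[name.rfind("."):].lower() if "." in name else ""
                # Read only the first two bytes: enough for the PE magic check,
                # and it bounds the work done on oversized or bomb-like members.
                with zf.open(info) as member:
                    head = member.read(2)
                is_pe = head == PE_MAGIC
                if ext in EXECUTABLE_EXTENSIONS or is_pe:
                    findings.append({
                        "attachment": part.get_filename(),
                        "member": name,
                        "reason": "pe-header" if is_pe else "extension",
                    })
    return findings


def find_smtp_exfil(log_lines: list[str]) -> list[str]:
    """Return log lines showing mail from the exfil sender to the collector.

    Assumes a Postfix-style 'from=<...>, to=<...>' layout; adapt the matching
    to your own MTA or proxy log format.
    """
    hits = []
    for line in log_lines:
        lowered = line.lower()
        if f"from=<{EXFIL_SENDER}>" in lowered and f"to=<{EXFIL_RECIPIENT}>" in lowered:
            hits.append(line)
    return hits


# Constructed log lines: one exfiltration event, one benign delivery.
SAMPLE_LOG = [
    "Jun 10 09:14:02 host postfix/smtp[1234]: from=<unirii@nordpharm.ro>, to=<ricemagic290@gmail.com>, status=sent",
    "Jun 10 09:15:40 host postfix/smtp[1235]: from=<billing@example.invalid>, to=<client@example.invalid>, status=sent",
]

if __name__ == "__main__":
    for finding in inspect_message(_build_sample_message()):
        print("suspicious attachment:", finding)
    for line in find_smtp_exfil(SAMPLE_LOG):
        print("exfil:", line)
```

The attachment check fires on the `.exe` member (and would also fire on a renamed PE, since the `MZ` header is inspected independently of the extension) while the `readme.txt` member passes. Because Agent Tesla sends from a compromised or attacker-owned mailbox to a fixed Gmail collector, blocking outbound SMTP from workstations to anything other than the corporate mail relay, and alerting on the pair of addresses above at the relay, catches the exfiltration stage even when the dropper itself was not stopped.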

The email text

The flow of data exfiltrated via SMTP
