Technical analysis by the Malware Hunter JAMESWT
A fake product order from Australia delivers Agent Tesla. The zip attachment of the email contains an exe file that triggers the malware infection; the malware then steals data and exfiltrates it via SMTP.
A fake product order from Australia delivers Agent Tesla in a new global campaign. The email's compressed attachment, a zip archive, contains an exe file.
If opened, the exe triggers the malware infection. Once on the machine, Agent Tesla steals information and exfiltrates it via SMTP.
Through its keylogger function, Agent Tesla captures everything the user types. It can also steal browser and email credentials and take screenshots. Finally, it can execute commands remotely on the infected PC, such as downloading additional payloads or updating existing ones.
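The delivery mechanism described above (a zip attachment carrying an exe) is something a mail gateway or SOC triage script can check for before a user ever opens the archive. The following is an added example written for this article, not code from the original analysis or from JAMESWT: it parses an email message, unpacks any zip attachment in memory, and flags members with an executable extension, a double extension such as `.pdf.exe`, a PE header (`MZ`) regardless of name, or an encrypted member that cannot be inspected. The message it scans is constructed inline (fake sender, fake order subject, and an "exe" that is only the `MZ` magic bytes plus padding), so it runs offline.

```python
"""Mail-gateway style check for zip attachments that carry an executable.

Added example, not from the original article. The sample message below is
constructed in memory; the attached "exe" is just the PE magic bytes plus
padding, never a real binary.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive from an unknown supplier inside an "order"
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
PE_MAGIC = b"MZ"          # start of every Windows PE executable
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def _member_findings(name, data, encrypted):
    """Return a list of reasons a single archive member looks suspicious."""
    findings = []
    lower = name.lower()
    has_exec_ext = any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)
    if encrypted:
        # Password-protected members cannot be content-scanned; surface that explicitly.
        findings.append(f"{name}: encrypted member, content cannot be scanned")
    if has_exec_ext:
        findings.append(f"{name}: executable extension")
        if lower.count(".") >= 2:
            findings.append(f"{name}: double extension disguises an executable")
    if data is not None and data[:2] == PE_MAGIC:
        # Check the bytes, not the name: a renamed exe still starts with MZ.
        findings.append(f"{name}: PE header (MZ) regardless of extension")
    return findings


def scan_zip_bytes(blob, depth=0, max_depth=2):
    """Inspect a zip archive held in memory, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip"]
    findings = []
    with zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            data = None if encrypted else zf.read(info)
            findings.extend(_member_findings(info.filename, data, encrypted))
            if data is not None and data[:4] == ZIP_MAGIC and depth < max_depth:
                nested = scan_zip_bytes(data, depth + 1, max_depth)
                findings.extend(f"{info.filename} -> {f}" for f in nested)
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return findings for every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        if payload[:4] == ZIP_MAGIC or filename.lower().endswith(".zip"):
            findings.extend(f"{filename} -> {f}" for f in scan_zip_bytes(payload))
        elif payload[:2] == PE_MAGIC or any(
            filename.lower().endswith(ext) for ext in EXEC_EXTENSIONS
        ):
            findings.append(f"{filename}: direct executable attachment")
    return findings


def build_sample_message(benign=False):
    """Constructed sample: a fake 'product order' email with a zip attachment.

    benign=False packs a file named like a PDF but ending in .exe whose bytes
    start with MZ; benign=True packs a plain text file instead.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if benign:
            zf.writestr("Purchase_Order_4471.txt", b"Quantity: 200 units\n")
        else:
            zf.writestr("Purchase_Order_4471.pdf.exe", PE_MAGIC + b"\x90" * 62)
    msg = EmailMessage()
    msg["From"] = "orders@supplier.example"   # constructed placeholder sender
    msg["To"] = "sales@victim.example"        # constructed placeholder recipient
    msg["Subject"] = "New Purchase Order"
    msg.set_content("Please find attached our order.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="Purchase_Order.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print("SUSPICIOUS:", line)
    print("benign findings:", scan_message(build_sample_message(benign=True)))
```

The content check on the `MZ` bytes is the one that matters most: extension lists are easy to evade by renaming, while a PE file has to start with that header to run. Surfacing encrypted archive members as a finding rather than silently skipping them keeps the gateway from treating "could not scan" as "clean".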