Multiple Agent Tesla Campaigns

Summary

Bitdefender researchers discovered spear-phishing campaigns targeting the oil and gas sector and other energy verticals critical to the COVID-19 pandemic. Threat actors impersonate shipment companies and engineering contractors and send emails containing ZIP attachments with an embedded executable to deliver the Agent Tesla info-stealer malware. Additionally, the NJCCIC’s email security solution has identified and blocked multiple campaigns purporting to be inquiries, purchase orders, shipments, and invoices from financial institutions or vendors (including oil companies) attempting to steal credentials or download malware. The emails contain Microsoft Word/Excel and ISO/IMG attachments with embedded executables, or URLs that link to a download which, if executed, will install and run Agent Tesla. Furthermore, a new variant of Agent Tesla has the capability to steal Wi-Fi profile credentials and other system information in order to compromise other systems on the same wireless network.

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links, opening attachments, or providing personal or financial information in response to emails from unknown senders and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication.