In March 2023, the research team of ESET Latin America found a malware campaign that affected several countries in Latin America and spread through emails. The primary goal was to infect victims with malware that gives attackers the ability to perform various activities on the infected device, from stealing passwords to taking screenshots, and then transmit this information to the cybercriminals’ systems.
The campaign begins by sending spearphishing emails that contain an attached zip file that does not require a password. ESET identified an example of the emails used in this campaign, where the subject line refers to a package shipment and impersonates a well-known courier and parcel delivery company.
“The informality with which the email is written is quite striking, which could arouse some suspicion. On the other hand, it is important to note that the attached file has a double extension, .jpg.xxe. This should also be interpreted as another red flag, since if a company wants to send an attachment there would be no need to put a double extension as seen in this case. The goal of all this is to confuse the recipient of the email into thinking it is an image (.jpeg) and not an executable (.exe),” highlights Fernando Tavella, Malware Researcher at ESET Latin America.
The infection process begins when the victim downloads and decompresses the file. Inside, the victim finds an executable that, when opened, starts a multi-stage infection process culminating in the download and execution of the AgentTesla Trojan on the victim’s computer.
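The double-extension lure described above is something a mail gateway or endpoint scanner can flag before the user ever sees the attachment. The following is an added example, not ESET’s code or tooling, that inspects the entries of an unprotected zip attachment and reports two things: a filename whose final extension is executable but is preceded by an image or document extension, and a file whose leading bytes carry the Windows PE signature (`MZ`) even though its name claims otherwise. The extension lists, the sample zip contents and the filenames are constructed for the demonstration; the campaign’s attachment is assumed to end in `.exe`, as the quoted description says.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run on double-click (constructed, deliberately non-exhaustive list)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Extensions commonly used as the "decoy" half of a double extension such as .jpg.exe
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Every Windows PE file (EXE or DLL) begins with this DOS header signature
PE_MAGIC = b"MZ"


def name_findings(name):
    """Return the reasons a filename looks like a disguised executable (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return reasons
    final = suffixes[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # e.g. shipment.jpg.exe: the decoy extension is meant to read as an image
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(
                f"double extension {suffixes[-2]}{final} disguises executable as {suffixes[-2]}"
            )
    return reasons


def content_findings(name, head):
    """Return the reasons the file's leading bytes contradict its name (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    # A PE header behind a non-executable extension is a renamed binary, whatever the name says
    if head.startswith(PE_MAGIC) and final not in EXECUTABLE_EXTS:
        reasons.append(f"PE header (MZ) in file claiming to be {final or 'no extension'}")
    return reasons


def suspicious_attachments(zip_bytes):
    """Scan every entry of a zip given as bytes; return {entry name: [reasons]} for suspicious ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for this check
            reasons = name_findings(info.filename) + content_findings(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: a double-extension lure, a genuine JPEG, and a PE renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shipment_details.jpg.exe", b"MZ" + b"\x00" * 62)  # fake PE stub (constructed)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # JPEG SOI marker
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)               # PE hiding behind .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in suspicious_attachments(build_sample_zip()).items():
        print(entry, "->", "; ".join(reasons))
```

Reading only the first two bytes keeps the scan cheap on large archives; in a real gateway the same two checks would run on every nested archive member as well, since a zip inside a zip is a common way to slip past a single-level scan.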
Mexico was the country in which the greatest activity of this campaign was concentrated, with 45% of the detections, followed by Peru (15%), Colombia (14%), Ecuador (12%) and Chile (5%), in addition to other countries in the region. ESET notes that although the profile of the targets selected by the cybercriminals behind this campaign is very broad, companies from different sectors, such as agriculture or the distribution of medical supplies, were identified among those targeted in these attacks.
AgentTesla is a Trojan that offers the possibility of collecting different types of information from the infected computer and sending it to a server controlled by the attackers. It is used by different cybercriminal groups to spy on and steal personal information from victims.
Most important features of AgentTesla
- Take screenshots and/or capture the contents of the clipboard
- Record keystrokes (keylogging)
- Obtain the credentials saved in different web browsers or programs installed on the victim machine. For example, Microsoft Outlook.
- Obtain information from the victim’s machine. For example, operating system, CPU, username, etc.
- Persist on the victim’s machine
“The discovery of this campaign began after recording significant activity of a threat detected by ESET security solutions that mainly affected Microsoft Windows. It was a malicious code of the downloader type that is responsible for starting the computer infection process and then leads to the download of the main threat: AgentTesla. It is worth noting that in this new malware campaign, criminal groups target Latin American countries using what is known as commodity malware, which is a type of malware that is usually sold in clandestine markets on the dark web and is used by different criminal groups to carry out campaigns throughout the world,” explains Tavella from ESET Latin America.
In recent years, the ESET team discovered and analyzed several campaigns targeting countries in the region in which criminal groups used this type of malware for espionage purposes to attack companies and government agencies in different countries. This was the case, for example, with Operation Absolute, where attackers targeted high-profile targets in Colombia to distribute the AsyncRAT malware, as well as Operation Spalax, Operation Bandidos, Operation Discord, and Operation Pulpo Rojo. All these campaigns mainly targeted Latin American countries and used well-known remote access Trojans, such as Bandook, njRAT, AsyncRAT or AgentTesla.