Skip to content

Agent Tesla phishing campaigns targets US and Australian companies

  • by
  • 4 min read

Two threat actors, Bignosa and Gods, have been deploying Agent Tesla malware in three phishing campaigns against organisations in the United States and Australia.

The attackers had a huge and intricate database of 62,000 emails, including those of individuals and organisations from different walks of life.

Check Point Research exposed the two threat actors behind the recent attacks. The researchers also discovered that both threat actors were involved in a phishing campaign against Furman University in South Carolina from December 2023 to January 2024.

Furthermore, these threat actors maintained a well-guarded network of servers that they used for identity obfuscation.

Agent Tesla, a formidable remote access trojan (RAT), has consistently posed a significant threat in the cybersecurity landscape. Cybercriminals favour this tool, which extracts sensitive information from the affected machines, including keystrokes and login credentials.

Check Point discovered campaigns that employ sophisticated phishing tactics to acquire email credentials, facilitating the deployment of Agent Tesla payloads for data exfiltration.

Source: Check Point Research

Two principal threat actors are at the forefront of these illicit operations: Bignosa and Gods. Bignosa is a prominent figure within a cybercriminal syndicate that specialises in malware deployment and phishing campaign orchestration. On the other hand, Gods provide technical expertise and strategic guidance, showcasing a symbiotic relationship within the cybercriminal ecosystem.

The researchers discovered that Bignosa has been using Agent Tesla for quite a while. They also discovered another alias of the same actor, ‘Nosakhare,’ which appears to be a word of Nigerian origin. Bignosa employs Cassandra Protector, an obfuscation tool, to protect its identity.

A sample of phishing text. | Source: Check Point Research

Researchers identified the threat actor as Nosakhare Godson and accessed his desktop. There, they found traces of other malware, including Quasar, Warzone, and PureCrypter. Moreover, the hacker also used Grammarly and SuperMailer to spam and test.

The second threat actor, Gods/Kmarshal, has been in the hacking business since 2023. Researchers discovered their Jabber account and found that the email used by Gods corresponds to a YouTube channel. By meticulously tracing the IP addresses associated with Gods, scrutinising the TikTok profiles linked to the attackers, and navigating through Instagram accounts, researchers successfully unveiled the true identity of Gods, revealing him to be Kingsley Fredrick.

In the News: How to check the balance of the Delhi Metro card online?


Attack chain of the campaigns

Source: Check Point Research

Researchers uncovered the intricate attack chains orchestrated by these threat actors:

  • Phishing campaigns: The operational blueprint commences with specially crafted emails masquerading as authentic communications. These deceptive emails lure recipients into disclosing their credentials or unwittingly downloading malicious attachments.
  • Malware deployment: Agent Tesla payloads are stealthily deployed onto victim machines upon successful phishing attempts. These payloads adeptly evade conventional security measures, ensuring persistent access and data exfiltration.
Source: Check Point Research
  • Cassandra Protector: The Cassandra Protector introduces a layer of sophistication to the malware. This tool obscures malware code, employs anti-av and anti-emulation techniques, and signs files with certificates to evade detection.
  • Command and control infrastructure: The threat actors maintained a robust C&C infrastructure to coordinate and control compromised machines. This infrastructure is a central hub for data exfiltration, command execution, and ongoing malicious activities.

Agent Tesla excels in capturing data, and remote servers subsequently exfiltrate this pilfered data under the threat actors’ control.

The malware employs an injection method for persistence, evades antivirus and emulation techniques, and leverages PowerShell commands for system manipulation and evasion.

To mitigate the risks of phishing attacks, experts advise keeping software updated with timely patches, exercising caution when clicking on any link, and installing a robust antivirus.

In the News: Google may put AI-powered search results behind paywall

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>