The article discusses the evolution and impact of the Agent Tesla malware and its variant, Origin Logger, which have been pivotal in the Malware-as-a-Service (MaaS) ecosystem since 2014. The report details the methods of the developers, their targeted sectors, and the ongoing business email compromise (BEC) attacks. It also highlights the upcoming retirement of the Origin Logger service in July 2024 and the implications for future threats.
Affected: Agent Tesla, Origin Logger
Key points:
- Agent Tesla is a .NET-based RAT and data stealer that emerged in 2014.
- Origin Logger, a variant of Agent Tesla, was released in 2018 and has been used for BEC attacks.
- Both malware types have been sold as part of a MaaS model, allowing non-technical users to launch cyberattacks.
- The developers primarily target sectors like accounting, manufacturing, and tourism in several European countries.
- Recent research has identified the developers and their methods through analysis of IOCs from BEC attacks.
- The retirement of Origin Logger is set for July 1, 2024, prompting the release of details about the developers.
MITRE Techniques:
- Initial Access (T1071): Utilizes phishing emails to deliver malware.
- Execution (T1203): Executes the malware via malicious attachments or links.
- Credential Dumping (T1003): Exfiltrates credentials through various channels such as SMTP, FTP, or Telegram.
- Data Exfiltration (T1041): Exfiltrates sensitive data collected from infected systems.
- Command and Control (T1071): Uses communication methods like Telegram for C2 operations.
Indicators of Compromise:
- [url] mediafire[.]com
- [domain] agenttesla[.]wordpress[.]com
- [domain] agenttesla[.]com
- Check the article for all found IoCs.
Full Research: https://medium.com/@malwation/origins-of-a-logger-agent-tesla-f38d42e3172f?source=rss——malware-5