The report provides a detailed exploration of the AgentTesla malware and its rebranded counterpart, OriginLogger, and reveals a persistent and prevalent threat to cybersecurity since 2014. Known as a commodity stealer, AgentTesla operates as Malware as a Service (MaaS), offering accessible and relatively low-cost capabilities to cybercriminals.
The analysis highlights its evolution, from its emergence as Negasteal to the rebranding as OriginLogger, which shares the same code base. The report emphasizes the challenges in distinguishing between AgentTesla and OriginLogger due to their shared characteristics. Both are license-based MaaS offerings that maintain a presence on the clear web with suggestive websites such as agenttesla[.]com and originpro[.]me.
AgentTesla receives continuous updates and appears regularly in the top malware charts. Its campaigns primarily involve phishing emails carrying malicious attachments, exposing victims to a range of data exfiltration methods. The data insights presented reveal that AgentTesla heavily targets the United States, China, and Germany. More than 1500 configurations in the past three months indicate active campaigns, with email accounts being the primary method for data exfiltration.
Passwords are the most commonly collected data, forming the majority of the exfiltrated information. The report concludes by underscoring the direct financial threat posed by the stolen data and its contribution to ransomware and business email compromise attacks.