The cybersecurity landscape faces another significant threat as researchers uncover a recent Agent Tesla malware campaign targeting organizations in the United States and Australia. This sophisticated attack vector utilizes phishing emails masquerading as purchase orders to lure unsuspecting victims into clicking on malicious links embedded within. Once triggered, an obscured Agent Tesla sample, protected by Cassandra Protector, is clandestinely downloaded and executed, enabling the stealthy extraction of keystrokes and login credentials from compromised systems.
Investigations into this nefarious campaign have shed light on the identities of two key cybercriminals: Bignosa, the primary threat actor, and Gods, an accomplice in the malicious activities. These individuals employed a vast email database and multiple servers for Remote Desktop Protocol (RDP) connections and malware dissemination. The meticulous preparation phase preceding the distribution of malicious spam underscores the calculated nature of this operation, indicating a high level of sophistication and organization.
The modus operandi of the “Bignosa” threat actor involves the deployment of two distinct malware campaigns aimed at Australian and US organizations. Phishing emails containing a disguised Agent Tesla attachment (PDF.IMG), shielded by Cassandra Protector, serve as the primary delivery mechanism for the malware payload. Bignosa strategically compromises servers, installs Plesk and RoundCube, and establishes SSH and RDP connections to orchestrate the attacks. Notably, each campaign originates from different servers, leveraging varied geographical locations and connection protocols to evade detection.
Cassandra Protector, a tool utilized by Bignosa to obfuscate code and create executables disguised as ISOs, plays a pivotal role in the malware delivery process. This sophisticated tool offers features such as persistence, anti-virus evasion, and customization, enabling the malware to bypass security measures and persist undetected on infected systems. The collaboration between Bignosa and Gods, facilitated through communication channels like Jabber and TeamViewer, further highlights the coordinated effort behind these malicious activities.
