A new campaign dubbed “Kassino” spreading Agent Tesla malware, a known information stealing Trojan. Agent Tesla monitors and collects the victim’s keyboard inputs, system clipboard, screen shots of the victim’s screen, as well as collects credentials of a variety of installed software. Initial infection starts with a spear phishing email:
Attached to this email is a zip file named “Averda7803.zip” and contains an executable file “jack.exe” which is the final stage malware. Once directly executed on the machine, the malware installs persistence mechanisms by executing VBS scripts via the RunOnce registry key. It then implements hooks into all the major browsers for the purpose of credential harvesting and stealing. One unique aspect of the malware is that it uses SMTP for command and control and exfiltration of data.
Malware Hash (MD5/SHA1/SH256)