Agent Tesla: What it is, how it works and why it’s targeting energy companies

Introduction to Agent Tesla

Agent Tesla first appeared in 2014, but it has only recently been used in attacks on energy companies operating in various fields. These fields include charcoal processing, manufacturing of raw materials, oil and gas, and hydraulic plants.

Such attacks are based on spearphishing messages impersonating reputable companies such as Engineering for Petroleum and Process Industries (Enppi) and Glory Shipping Marine Co. Ltd. The targeted companies are located in the United States, South Africa, Malaysia, the Philippines, Iran, Oman and Turkey.

To conduct some of the attacks, the attackers sent the targeted companies emails purporting to come from Enppi. The emails invited the potential victims to submit a bid for equipment and materials in accordance with the Rosetta Sharing Facilities Project. Since this is a genuine project that is actually linked to Enppi, we can conclude that the attackers conducted some research before initiating their phishing campaigns.

The spearphishing email used to attack energy companies is entitled “REQUEST FOR QUOTATION FOR ENPPI DEVELOPMENT PROJECT NO 4621-422-298-01-20.” It specifies the deadline for submitting bids and includes a .zip file that is supposed to contain a list of requested equipment and materials. Once opened, the file actually drops Agent Tesla.
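The lure described above (a quotation request from a known organisation, with a .zip attachment that is actually the dropper) is the kind of message that mail-gateway triage can flag before anyone opens the archive. The following Python script is an added example written for this article; it is not code from the original post or from any Agent Tesla analysis. It builds a constructed sample message resembling the described lure (the sender addresses, domains and file names are placeholders, not real indicators) and triages it with three checks: a procurement-themed subject, a display name that claims an organisation while the sender domain is not one that organisation is known to mail from, and a zip attachment containing an executable. The `KNOWN_SENDER_DOMAINS` table is an assumption standing in for whatever allow-list a real gateway would maintain.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions that should never arrive inside a tender or quotation attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".js", ".vbs", ".bat"}
# Subject phrases characteristic of the procurement lure described in the article.
LURE_SUBJECT_PHRASES = ("REQUEST FOR QUOTATION", "BID", "TENDER")
# Hypothetical allow-list: organisation name -> domains it legitimately mails from.
# The placeholder domain is an assumption for this example, not from the article.
KNOWN_SENDER_DOMAINS = {"enppi": {"enppi-legit.example"}}


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a sample message in the style of the described lure.

    malicious=True yields a lookalike sender domain and a zip hiding an .exe;
    malicious=False yields the allow-listed domain and a harmless PDF.
    All addresses and file names here are constructed placeholders."""
    msg = EmailMessage()
    sender_domain = "enppi-lookalike.example" if malicious else "enppi-legit.example"
    msg["From"] = f"Enppi Procurement <procurement@{sender_domain}>"
    msg["To"] = "bids@energy-target.example"
    msg["Subject"] = "REQUEST FOR QUOTATION FOR ENPPI DEVELOPMENT PROJECT NO 4621-422-298-01-20"
    msg.set_content("Please find attached the list of requested equipment and materials.")
    if malicious:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # Double extension hides the executable behind a document-looking name.
            zf.writestr("Equipment_List.pdf.exe", b"MZ constructed stub, not a real binary")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="RFQ_Equipment_List.zip")
    else:
        msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                           subtype="pdf", filename="RFQ_Equipment_List.pdf")
    return msg.as_bytes()


def triage_message(raw: bytes) -> dict:
    """Return a verdict ('quarantine' or 'deliver') and the list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    hard_flag = False  # set when a finding alone justifies quarantine

    # Check 1: lure-style subject (informational only; many legitimate RFQs match).
    subject = (msg["Subject"] or "").upper()
    if any(phrase in subject for phrase in LURE_SUBJECT_PHRASES):
        findings.append("subject matches procurement-lure pattern")

    # Check 2: display name claims an organisation the sender domain does not belong to.
    sender = msg["From"].addresses[0]
    for org, domains in KNOWN_SENDER_DOMAINS.items():
        if org in sender.display_name.lower() and sender.domain.lower() not in domains:
            findings.append(f"display name claims {org} but sender domain is {sender.domain}")
            hard_flag = True

    # Check 3: zip attachment carrying an executable member.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            findings.append(f"zip attachment: {name}")
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
                        if ext in EXECUTABLE_EXTENSIONS:
                            findings.append(f"executable inside zip: {member}")
                            hard_flag = True
            except zipfile.BadZipFile:
                # An unparseable archive is itself suspicious in a tender workflow.
                findings.append(f"zip attachment could not be parsed: {name}")
                hard_flag = True

    return {"verdict": "quarantine" if hard_flag else "deliver", "findings": findings}


if __name__ == "__main__":
    for label, flag in (("lure", True), ("legitimate", False)):
        print(label, triage_message(build_sample_message(malicious=flag)))
```

The subject check is deliberately informational: quotation requests are normal traffic for the targeted companies, so the verdict rests on the sender mismatch and the archived executable, and the subject finding only adds context for the analyst reviewing the quarantine.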

The purpose of this article is to examine the main characteristics of Agent Tesla, how it operates and the reasons it targets energy companies.

The main characteristics of Agent Tesla

Agent Tesla has two main characteristics: it is written in Microsoft's .NET language and it is commercial malware. A brief overview of these two characteristics follows.

.NET language

Donut was one of the first malware applications to use the .NET language for malicious purposes. It is a relatively simple piece of malware and has never caused serious information security problems. However, Donut was used by (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/WFNsY7ap0SQ/