In a highly targeted spear-phishing campaign, the .NET-based Agent Tesla malware was deployed against the oil and gas industry. This is the first known instance of Agent Tesla being used against the industry. The attackers impersonated the Egyptian state oil company ENPPI to lend credibility to their emails, used industry-relevant language, and appeared to have a clear understanding of oil and gas procedures.
Also in the past week, Agent Tesla's authors released a new module for their malware that allows attackers to steal Wi-Fi profiles from infected hosts. Attackers could leverage those credentials to spread the malware further or to deploy additional payloads. Agent Tesla is marketed commercially as a "personal-use" keylogger, and its authors go as far as providing technical support to clients using the malware.
As a reminder, users should always approach unexpected email attachments with caution, especially ones that contain macros. User awareness training and endpoint protection are critical for organizations to protect their networks from these attacks.