Cyjax analysts have analysed a long-running AgentTesla infostealer campaign targeting Dubai and the United Arab Emirates (UAE). The campaign began in at least January 2021 and the samples we gathered continued, almost daily, until May 2021. We have also seen new samples compiled in October 2021. Unlike most AgentTesla campaigns, the targeting focused heavily on the UAE, with only a handful of samples using the same C2 servers venturing outside the region into India and Italy.
The attack begins with a purchase order-themed email from a compromised email account. The subject of the email is usually something along the lines of “REQUEST FOR QUOTATION AL JABER DUBAI REF:3214ED21 Please send your best possible rates”. A .Gz archive file is attached to the malicious emails called DUBAI UAE HCU234ED.Gz (which contains “DUBAI UAE HCU234ED.exe”).
Fig. 1 – Map of over 50 Agent Tesla samples connected to this campaign
If a .Gz file is opened and .NET AgentTesla payload is executed on a compromised device, the malware can perform a number of malicious post-exploitation activities. It can steal credentials from mail clients, web browsers, and applications such as PuTTy or WinSCP. Collected information is exfiltrated to two mail servers over port 587 (SMTP). The credentials used to log into the threat actor’s C2 server are also the same as the compromised system.
The IP address (37[.]49[.]225[.]161) used to send the phishing emails has also been heavily flagged for SMTP brute-forcing attacks. This is in line with the threat actor’s TTPs behind this campaign, given the usage of compromised accounts to send phishing emails and for data exfiltration. (source)
Fig. 2 – UAE and Dubai-themed AgentTesla attacks
The most striking attribute of this campaign is that it involved persistent and relatively narrow targeting. Cyjax analysts discovered the samples initially after they were uploaded to a public sandbox from the UAE and pivoted through other open sources to uncover the rest. The file attachments posed as generic business orders that could be used to target a range of organisations in the UAE. The most common themes appear to be construction, transportation, and retail but all were generic enough to be used against any type of organisation.
AgentTesla is a commodity malware used by a variety of threat actors with ranging skill levels. It is most commonly used in indiscriminate widespread financially motivated campaigns. This campaign, however, appears to be more like an intelligence-gathering one, whereby only a certain set of organisations in a specific region are targeted persistently. By using compromised infrastructure, the attackers also forgo the need to register their own domains or host their own servers, evading attribution and analysis. Without analysing the compromise servers themselves used in these attacks, it would be difficult to ascertain where these threat actors are from, who they are working for, and their ultimate goals.
In April 2020, researchers disclosed an AgentTesla campaign that involved spear-phishing attacks against the oil and gas industry in advance of a historic OPEC+ deal. The use of an infostealer in this campaign indicated that the threat actors’ motivations were potentially to gather intelligence on how specific countries plan to address issues facing the industry. In June 2021, Cyjax analysts also disclosed a more sophisticated AgentTesla campaign posing as the Abu Dhabi National Oil Company (ADNOC) and using fake request for quotation (RFQ) phishing lures. We have not yet discovered any firm links to these two other previous campaigns or others, but the tactics, techniques, and procedures (TTPs), choice of malware, and region overlap to some degree.
IOCs
Hashes
| FirstSeen | Filename | MD5 |
|---|---|---|
| 2021-01-20 11:10:17 +0000 GMT | DUBAI GNC HC21126.exe.Gz | 524f467f1fe89ad974d3a6d1024f6887 |
| 2021-01-20 11:18:38 +0000 GMT | DUBAI GNC HC21126.exe | bbab9a530caef93c9429912e02d018aa |
| 2021-01-20 18:09:05 +0000 GMT | DUBAI GNC CHEMEX UAE.Gz | 00197708e6209aeadb462a4a71f6b70e |
| 2021-01-20 18:09:05 +0000 GMT | DUBAI GNC CHEMEX UAE.Gz | 00197708e6209aeadb462a4a71f6b70e |
| 2021-01-20 21:49:46 +0000 GMT | DUBAI GNC CHEMEX.exe | bf9296cac895ede0e1eb0dcf70c6373f |
| 2021-01-20 21:49:46 +0000 GMT | DUBAI GNC CHEMEX.exe | bf9296cac895ede0e1eb0dcf70c6373f |
| 2021-01-21 07:57:51 +0000 GMT | UAE DUBAI PPMC HCU2132.Gz | fe65ab72ad8bfc77e7d7d870501df2ab |
| 2021-01-21 11:32:03 +0000 GMT | UAE DUBAI PPMC HCU2132.exe | aab479f9edff6ee91b33749c700abc22 |
| 2021-01-22 02:18:49 +0000 GMT | UAE DUBAI -RFQ21223.Gz | a993b7aee58a8a0502bac581aa0f8477 |
| 2021-01-22 07:48:33 +0000 GMT | UAE DUBAI -RFQ21223.exe | 799fa109b56588a2b890fe923317a98f |
| 2021-01-25 01:41:10 +0000 GMT | AL JAB DUBAI UAE.Gz | d94676f594afc7bae5058ac9b25bc4c9 |
| 2021-01-25 09:49:22 +0000 GMT | AL JAB DUBAI UAE.exe | 879bd6dd7cca3a950bd8d6b5cc4db8c3 |
| 2021-01-25 10:54:57 +0000 GMT | UAE DUBAI AL JABER.Gz | 2ffb1334dbd844f25e0866d435d6740c |
| 2021-01-25 16:08:33 +0000 GMT | UAE DUBAI AL JABER.exe | f9b318972c6173229c5d0b1fd864b13f |
| 2021-01-26 07:00:39 +0000 GMT | UAE DUBAI RFQ.Gz | 724c8ff1ed8dadd4fcecdc97f6794674 |
| 2021-01-26 10:34:09 +0000 GMT | UAE DUBAI RFQ.exe | 71dc44929ebb28129b7163f54ebcb81d |
| 2021-01-26 13:03:59 +0000 GMT | DUBAI HCU123134.Gz | 5e83bf1c01ef32807fc951aa731f9d09 |
| 2021-01-26 16:35:27 +0000 GMT | DUBAI HCU123134.exe | 830350c076c9fa99986bb8c008e8f0a1 |
| 2021-01-26 17:51:12 +0000 GMT | DUBAI UAE 2021.Gz | 994e4815223576cc1d11aa7c880f5522 |
| 2021-01-26 21:13:25 +0000 GMT | DUBAI UAE 2021.exe | 25d374cbfed30a25108fe68cb7ca1409 |
| 2021-01-27 02:56:15 +0000 GMT | 2021 DUBAI UAE.Gz | 08413af52f6f374940c136484b341be8 |
| 2021-01-27 06:34:06 +0000 GMT | 2021 DUBAI UAE.exe | 5a71d934f5bf4ba563a773e5d1e5a992 |
| 2021-01-28 09:11:50 +0000 GMT | DUBAI UAE HCU2113S.Gz | d6296327c1974d5cb688ae1bb3edec0c |
| 2021-01-28 12:39:57 +0000 GMT | DUBAI UAE HCU2113S.exe | 717aa0d59eb18dc7110d34777e999dbb |
| 2021-01-31 01:05:42 +0000 GMT | CHEMEX UAE DUBAI HCU2122.Gz | 3c1a959780fb391c484c9636a305e6bf |
| 2021-01-31 04:36:14 +0000 GMT | CHEMEX UAE DUBAI HCU2122.exe | 62bfd97dc441cdc98eb84afbda42f7c2 |
| 2021-02-01 06:05:51 +0000 GMT | DUBAI GNC 2020.Gz | 20e18c55003411ff1a0c25524adb12e4 |
| 2021-02-01 09:35:58 +0000 GMT | DUBAI GNC 2020.exe | 85db7308c6900f4aadd4f663805789bd |
| 2021-02-02 01:00:33 +0000 GMT | DUBAI GNC 2021.Gz | 131e5ab25f780b13685cd64df4545b0e |
| 2021-02-02 04:33:29 +0000 GMT | DUBAI GNC 2021.exe | 7ffca9228a2817528f9f84ea535ce2ec |
| 2021-02-08 00:44:17 +0000 GMT | AL JABER UAE HCU12212.Gz | 488cb199913f8897c5b4e18ef1cf7c2d |
| 2021-02-08 01:09:27 +0000 GMT | AL JABER UAE HCU12212.Gz | e20119ddfddaa138da7a0b264f84d52a |
| 2021-02-08 03:58:28 +0000 GMT | AL JABER UAE HCU12212.exe | 3d14f73c844e925e52bcb133264a5303 |
| 2021-02-08 06:57:16 +0000 GMT | AL JABER UAE HCU21432.Gz | dcee4cd23117cc628942d8ae923be09b |
| 2021-02-08 10:30:47 +0000 GMT | AL JABER UAE HCU21432.exe | cebcdde7e77147866c62c41d112a9d02 |
| 2021-02-08 15:09:15 +0000 GMT | CHEMEX DUBAI 2021.Gz | 9d1df027b7a58ccae1649893f4f40c77 |
| 2021-02-08 18:35:37 +0000 GMT | CHEMEX DUBAI 2021.exe | 66d8203e97370fb12a22975433be0763 |
| 2021-02-09 07:04:25 +0000 GMT | CHEMEX 2021 DUBAI.Gz | 16220864e1903d6b9f3379d2b9ae9b61 |
| 2021-02-09 10:35:23 +0000 GMT | CHEMEX 2021 DUBAI.exe | 5b997f3562f0456168b852a3a205fe06 |
| 2021-02-10 00:06:47 +0000 GMT | CHEMEX 2021 DUBAI.exe | 0ab1493670caa76335c1350069580dec |
| 2021-02-10 00:15:27 +0000 GMT | DUBAI UAE CHEMEX HU212324.Gz | 8457568ee9c91577d911e9810f165dfe |
| 2021-02-10 03:39:15 +0000 GMT | DUBAI UAE CHEMEX HU212324.exe | 27d3f3af00bca19136ed2adf9e5ef69f |
| 2021-02-10 15:41:39 +0000 GMT | RFQ CHEMEX 2021 DUBAI.Gz | 08ffc7e54543ba3e24c6cb56b6dca894 |
| 2021-02-10 18:54:29 +0000 GMT | RFQ CHEMEX 2021 DUBAI.exe | 81648c99ed42de7212ef9ee259035f8f |
| 2021-02-11 03:34:28 +0000 GMT | DUBAI PPMC HCU1247ED.Gz | 8b51a68f3e6cd683ea0e735eaa7510ba |
| 2021-02-11 06:45:02 +0000 GMT | DUBAI PPMC HCU1247ED.exe | 006160a4314ae24bf869019fa64b10ad |
| 2021-02-14 08:57:08 +0000 GMT | DUBAI HCU UAE PROJ.Gz | bfc9973e2782f4c4ea50505b5230a9d3 |
| 2021-02-14 12:02:37 +0000 GMT | DUBAI HCU UAE PROJ.exe | 822ece4988b0af7c821f40d2547b98c3 |
| 2021-04-30 14:43:37 +0100 BST | DUBAI UAE HCU4321890.Gz | eb7f3b5cda0e9f518f61f9231648dd77 |
| 2021-04-30 16:00:44 +0100 BST | DUBAI UAE HCU4321890.exe | 8512456ccbb378c17ad67261f667f049 |
| 2021-05-03 16:41:04 +0100 BST | UAE HCU32ED23D.Gz | 9b13e5ce82dc0226ab3f347959867064 |
| 2021-05-03 18:11:01 +0100 BST | UAE HCU32ED23D.Gz | ce540a11f63103876f46da1cbbbab982 |
| 2021-05-03 18:52:51 +0100 BST | UAE HCU32ED23D.exe | 40892578a3761f78a70382efec84aa35 |
| 2021-10-12 07:24:09 +0000 GMT | AL_JABER_DUBAIHBPC0.Gz | 54f59ae6ce647c320bfe690a8d181331 |
| 2021-10-13 19:49:26 +0000 GMT | AL_JABER_DUBAIHBPC0.exe | d71f83565f6e33e4c6abe29d451fbf33 |
Network info
| Type | IOC |
|---|---|
| IP | 37.49.225.161 |
| [email protected] | |
| [email protected] | |
| [email protected] | |
| Domain | myremediez.com |
| Domain | pancare.lk |
| Hostname | webmail.myremediez.com |
| Hostname | webmail.pancare.lk |