Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs). One of the earliest SWEED campaigns Talos identified dates back to 2017. In this attack, the actors placed droppers inside of ZIP archives, and then attached those ZIPs to emails. The attached ZIP archive contained a packed version of Agent Tesla. The packer uses .NET and leverages steganography to hide and decode a second .NET executable, which uses the same technique to retrieve the final Agent Tesla payload.
In early 2018, we observed that SWEED began leveraging Java-based droppers. Similar to previous campaigns, the JAR was directly attached to emails and used file names such as "Order_2018.jar". The purpose of the JAR was to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla. Interestingly, only a few months prior to these campaigns, a HackForums user with the account name "Sweed" actively sought out a Java crypter.
One of the common characteristics with several of the campaigns associated with SWEED is the use of various techniques to bypass User Account Control (UAC) on infected systems. An example of this is present within the campaigns observed in 2019. When the malware is first executed on systems, it executes "fodhelper.exe", which is a Windows process running as high integrity.