SWEED : Exposing Years of Agent Tesla Campaigns

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs). One of the earliest SWEED campaigns Talos identified dates back to 2017. In this attack, the actors placed droppers inside of ZIP archives, and then attached those ZIPs to emails. The attached ZIP archive contained a packed version of Agent Tesla. The packer uses .NET and leverages steganography to hide and decode a second .NET executable, which uses the same technique to retrieve the final Agent Tesla payload.
In early 2018, we observed that SWEED began leveraging Java-based droppers. Similar to previous campaigns, the JAR was directly attached to emails and used file names such as "Order_2018.jar". The purpose of the JAR was to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla. Interestingly, only a few months prior to these campaigns, a HackForums user with the account name "Sweed" actively sought out a Java crypter.
image13.jpg

One of the common characteristics with several of the campaigns associated with SWEED is the use of various techniques to bypass User Account Control (UAC) on infected systems. An example of this is present within the campaigns observed in 2019. When the malware is first executed on systems, it executes "fodhelper.exe", which is a Windows process running as high integrity.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top