A persistent AgentTesla campaign is targeting the UAE

Cyjax analysts have analysed a long-running AgentTesla infostealer campaign targeting Dubai and the United Arab Emirates. The campaign began in January 2021 at the latest, and the samples we gathered continued, almost daily, until May 2021. We have also seen new samples compiled in October 2021. Unlike most AgentTesla campaigns, the targeting focused heavily on the UAE, with only a handful of samples using the same C2 servers venturing outside the region into India and Italy.

The attack begins with a purchase order-themed email sent from a compromised email account. The subject of the email is usually something along the lines of “REQUEST FOR QUOTATION AL JABER DUBAI REF:3214ED21 Please send your best possible rates”. A .Gz archive called DUBAI UAE HCU234ED.Gz (which contains “DUBAI UAE HCU234ED.exe”) is attached to the malicious emails.

Fig. 1 – Map of over 50 Agent Tesla samples connected to this campaign

If the .Gz archive is opened and the .NET AgentTesla payload inside it is executed, the malware can perform a number of malicious post-exploitation activities on the compromised device. It can steal credentials from mail clients, web browsers, and applications such as PuTTY or WinSCP. Collected information is exfiltrated to two mail servers over port 587 (SMTP). The credentials used to log into the threat actor’s C2 server are also those of the compromised system.

The IP address (37[.]49[.]225[.]161) used to send the phishing emails has also been heavily flagged for SMTP brute-forcing attacks. This is consistent with the TTPs of the threat actor behind this campaign, which relies on compromised accounts both to send phishing emails and to receive exfiltrated data. (source)
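The delivery and exfiltration stages described above lend themselves to two simple detections: inbound mail carrying a .Gz archive that wraps an executable (or arriving from the flagged sender IP, or whose attachment hash matches a known sample), and outbound SMTP submission on port 587 from a process that is not a mail client, or to one of the campaign's mail servers. The following Python script is an added example, not Cyjax tooling; the key=value log format, the event IDs, the mail-client allowlist and the placeholder hash are all constructed for the demonstration, while the indicator values themselves are taken from the IOC tables at the end of this post.

```python
"""Sweep mail-gateway and endpoint network logs for the delivery and
exfiltration stages of the UAE AgentTesla campaign (added example)."""
import re

# Indicators copied from the post's IOC tables (only a subset of the hashes).
SENDER_IP = "37.49.225.161"
C2_MAIL_HOSTS = {"webmail.myremediez.com", "webmail.pancare.lk"}
KNOWN_MD5 = {
    "524f467f1fe89ad974d3a6d1024f6887",  # DUBAI GNC HC21126.exe.Gz
    "bbab9a530caef93c9429912e02d018aa",  # DUBAI GNC HC21126.exe
    "54f59ae6ce647c320bfe690a8d181331",  # AL_JABER_DUBAIHBPC0.Gz
}
# Assumption: the only processes expected to speak SMTP submission on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Lure vocabulary seen in the campaign's subjects and attachment names (weak signal).
LURE_WORDS = re.compile(r"\b(DUBAI|UAE|RFQ|HCU\w*)\b", re.I)
ARCHIVE_RE = re.compile(r"\.gz$", re.I)
EXE_RE = re.compile(r"\.exe$", re.I)
SEV_ORDER = {"high": 3, "medium": 2, "low": 1, "none": 0}


def parse_kv(line):
    """Parse a constructed 'key=value key="quoted value"' log line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def _severity(reasons):
    """Highest severity prefix among 'level:text' reasons, or 'none'."""
    return max((r.split(":", 1)[0] for r in reasons), key=SEV_ORDER.get, default="none")


def triage_mail(ev):
    """Return (severity, reasons) for one inbound-mail event."""
    reasons = []
    if ev.get("src_ip") == SENDER_IP:
        reasons.append("high:sender IP is the campaign's phishing relay")
    if ev.get("md5", "").lower() in KNOWN_MD5:
        reasons.append("high:attachment hash matches a campaign sample")
    att, inner = ev.get("attachment", ""), ev.get("inner_file", "")
    # A .Gz that contains an .exe, or a double extension such as name.exe.Gz
    if ARCHIVE_RE.search(att) and (EXE_RE.search(inner) or EXE_RE.search(att[:-3])):
        reasons.append("medium:.Gz archive delivering an executable")
    if LURE_WORDS.search(att) or LURE_WORDS.search(ev.get("subject", "")):
        reasons.append("low:UAE/Dubai RFQ lure vocabulary")
    return _severity(reasons), reasons


def triage_net(ev):
    """Return (severity, reasons) for one outbound-connection event from an endpoint."""
    reasons = []
    if ev.get("dst_host", "").lower() in C2_MAIL_HOSTS:
        reasons.append("high:connection to a campaign exfiltration mail server")
    if ev.get("dst_port") == "587" and ev.get("process", "").lower() not in MAIL_CLIENTS:
        reasons.append("medium:SMTP submission from a non-mail-client process")
    return _severity(reasons), reasons


# Constructed sample logs; m1 reuses the lure subject and attachment from the post,
# m3 reuses a real sample hash, and the md5 on m1 is a placeholder.
MAIL_LOG = [
    'id=m1 src_ip=37.49.225.161 subject="REQUEST FOR QUOTATION AL JABER DUBAI REF:3214ED21" '
    'attachment="DUBAI UAE HCU234ED.Gz" inner_file="DUBAI UAE HCU234ED.exe" md5=00000000000000000000000000000001',
    'id=m2 src_ip=203.0.113.10 subject="Invoice 4471" attachment="invoice.pdf" md5=00000000000000000000000000000002',
    'id=m3 src_ip=198.51.100.7 subject="Quotation" attachment="DUBAI GNC HC21126.exe.Gz" '
    'inner_file="DUBAI GNC HC21126.exe" md5=524f467f1fe89ad974d3a6d1024f6887',
]
NET_LOG = [
    'id=n1 host=WS-014 process="DUBAI UAE HCU234ED.exe" dst_host=webmail.myremediez.com dst_port=587',
    'id=n2 host=WS-014 process=outlook.exe dst_host=smtp.example.com dst_port=587',
    'id=n3 host=WS-022 process=svchost.exe dst_host=smtp.example.com dst_port=587',
]


def sweep(mail_lines=MAIL_LOG, net_lines=NET_LOG):
    """Run both triage passes; returns {event id: (severity, reasons)} for hits only."""
    hits = {}
    for line, triage in [(l, triage_mail) for l in mail_lines] + [(l, triage_net) for l in net_lines]:
        ev = parse_kv(line)
        sev, why = triage(ev)
        if why:
            hits[ev["id"]] = (sev, why)
    return hits


if __name__ == "__main__":
    for eid, (sev, why) in sweep().items():
        print(f"{eid} [{sev}] " + "; ".join(w.split(":", 1)[1] for w in why))
```

The hash and sender-IP checks are the high-confidence signals; the archive-wrapping-an-executable and non-mail-client-on-587 checks are the ones that survive the actor rotating to a fresh compromised account, which is why they carry a lower severity on their own but are worth alerting on when they coincide with the lure vocabulary.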

Fig. 2 – UAE and Dubai-themed AgentTesla attacks

The most striking attribute of this campaign is its persistent and relatively narrow targeting. Cyjax analysts initially discovered the samples after they were uploaded to a public sandbox from the UAE, then pivoted through other open sources to uncover the rest. The file attachments posed as generic business orders that could be used against a range of organisations in the UAE. The most common themes appear to be construction, transportation, and retail, but all were generic enough to be used against any type of organisation.

AgentTesla is a commodity malware used by a variety of threat actors of varying skill levels. It is most commonly used in indiscriminate, widespread, financially motivated campaigns. This campaign, however, appears to be more of an intelligence-gathering operation, in which a specific set of organisations in a specific region is targeted persistently. By using compromised infrastructure, the attackers also forgo the need to register their own domains or host their own servers, which hinders attribution and analysis. Without analysing the compromised servers used in these attacks, it would be difficult to ascertain where these threat actors are from, who they are working for, and what their ultimate goals are.

In April 2020, researchers disclosed an AgentTesla campaign that involved spear-phishing attacks against the oil and gas industry in advance of a historic OPEC+ deal. The use of an infostealer in that campaign indicated that the threat actors’ motivation was potentially to gather intelligence on how specific countries planned to address issues facing the industry. In June 2021, Cyjax analysts also disclosed a more sophisticated AgentTesla campaign posing as the Abu Dhabi National Oil Company (ADNOC) and using fake request for quotation (RFQ) phishing lures. We have not yet discovered any firm links to either of these two previous campaigns, or to any others, but the tactics, techniques, and procedures (TTPs), choice of malware, and region overlap to some degree.


IOCs

Hashes

| First seen | Filename | MD5 |
| --- | --- | --- |
| 2021-01-20 11:10:17 +0000 GMT | DUBAI GNC HC21126.exe.Gz | 524f467f1fe89ad974d3a6d1024f6887 |
| 2021-01-20 11:18:38 +0000 GMT | DUBAI GNC HC21126.exe | bbab9a530caef93c9429912e02d018aa |
| 2021-01-20 18:09:05 +0000 GMT | DUBAI GNC CHEMEX UAE.Gz | 00197708e6209aeadb462a4a71f6b70e |
| 2021-01-20 21:49:46 +0000 GMT | DUBAI GNC CHEMEX.exe | bf9296cac895ede0e1eb0dcf70c6373f |
| 2021-01-21 07:57:51 +0000 GMT | UAE DUBAI PPMC HCU2132.Gz | fe65ab72ad8bfc77e7d7d870501df2ab |
| 2021-01-21 11:32:03 +0000 GMT | UAE DUBAI PPMC HCU2132.exe | aab479f9edff6ee91b33749c700abc22 |
| 2021-01-22 02:18:49 +0000 GMT | UAE DUBAI -RFQ21223.Gz | a993b7aee58a8a0502bac581aa0f8477 |
| 2021-01-22 07:48:33 +0000 GMT | UAE DUBAI -RFQ21223.exe | 799fa109b56588a2b890fe923317a98f |
| 2021-01-25 01:41:10 +0000 GMT | AL JAB DUBAI UAE.Gz | d94676f594afc7bae5058ac9b25bc4c9 |
| 2021-01-25 09:49:22 +0000 GMT | AL JAB DUBAI UAE.exe | 879bd6dd7cca3a950bd8d6b5cc4db8c3 |
| 2021-01-25 10:54:57 +0000 GMT | UAE DUBAI AL JABER.Gz | 2ffb1334dbd844f25e0866d435d6740c |
| 2021-01-25 16:08:33 +0000 GMT | UAE DUBAI AL JABER.exe | f9b318972c6173229c5d0b1fd864b13f |
| 2021-01-26 07:00:39 +0000 GMT | UAE DUBAI RFQ.Gz | 724c8ff1ed8dadd4fcecdc97f6794674 |
| 2021-01-26 10:34:09 +0000 GMT | UAE DUBAI RFQ.exe | 71dc44929ebb28129b7163f54ebcb81d |
| 2021-01-26 13:03:59 +0000 GMT | DUBAI HCU123134.Gz | 5e83bf1c01ef32807fc951aa731f9d09 |
| 2021-01-26 16:35:27 +0000 GMT | DUBAI HCU123134.exe | 830350c076c9fa99986bb8c008e8f0a1 |
| 2021-01-26 17:51:12 +0000 GMT | DUBAI UAE 2021.Gz | 994e4815223576cc1d11aa7c880f5522 |
| 2021-01-26 21:13:25 +0000 GMT | DUBAI UAE 2021.exe | 25d374cbfed30a25108fe68cb7ca1409 |
| 2021-01-27 02:56:15 +0000 GMT | 2021 DUBAI UAE.Gz | 08413af52f6f374940c136484b341be8 |
| 2021-01-27 06:34:06 +0000 GMT | 2021 DUBAI UAE.exe | 5a71d934f5bf4ba563a773e5d1e5a992 |
| 2021-01-28 09:11:50 +0000 GMT | DUBAI UAE HCU2113S.Gz | d6296327c1974d5cb688ae1bb3edec0c |
| 2021-01-28 12:39:57 +0000 GMT | DUBAI UAE HCU2113S.exe | 717aa0d59eb18dc7110d34777e999dbb |
| 2021-01-31 01:05:42 +0000 GMT | CHEMEX UAE DUBAI HCU2122.Gz | 3c1a959780fb391c484c9636a305e6bf |
| 2021-01-31 04:36:14 +0000 GMT | CHEMEX UAE DUBAI HCU2122.exe | 62bfd97dc441cdc98eb84afbda42f7c2 |
| 2021-02-01 06:05:51 +0000 GMT | DUBAI GNC 2020.Gz | 20e18c55003411ff1a0c25524adb12e4 |
| 2021-02-01 09:35:58 +0000 GMT | DUBAI GNC 2020.exe | 85db7308c6900f4aadd4f663805789bd |
| 2021-02-02 01:00:33 +0000 GMT | DUBAI GNC 2021.Gz | 131e5ab25f780b13685cd64df4545b0e |
| 2021-02-02 04:33:29 +0000 GMT | DUBAI GNC 2021.exe | 7ffca9228a2817528f9f84ea535ce2ec |
| 2021-02-08 00:44:17 +0000 GMT | AL JABER UAE HCU12212.Gz | 488cb199913f8897c5b4e18ef1cf7c2d |
| 2021-02-08 01:09:27 +0000 GMT | AL JABER UAE HCU12212.Gz | e20119ddfddaa138da7a0b264f84d52a |
| 2021-02-08 03:58:28 +0000 GMT | AL JABER UAE HCU12212.exe | 3d14f73c844e925e52bcb133264a5303 |
| 2021-02-08 06:57:16 +0000 GMT | AL JABER UAE HCU21432.Gz | dcee4cd23117cc628942d8ae923be09b |
| 2021-02-08 10:30:47 +0000 GMT | AL JABER UAE HCU21432.exe | cebcdde7e77147866c62c41d112a9d02 |
| 2021-02-08 15:09:15 +0000 GMT | CHEMEX DUBAI 2021.Gz | 9d1df027b7a58ccae1649893f4f40c77 |
| 2021-02-08 18:35:37 +0000 GMT | CHEMEX DUBAI 2021.exe | 66d8203e97370fb12a22975433be0763 |
| 2021-02-09 07:04:25 +0000 GMT | CHEMEX 2021 DUBAI.Gz | 16220864e1903d6b9f3379d2b9ae9b61 |
| 2021-02-09 10:35:23 +0000 GMT | CHEMEX 2021 DUBAI.exe | 5b997f3562f0456168b852a3a205fe06 |
| 2021-02-10 00:06:47 +0000 GMT | CHEMEX 2021 DUBAI.exe | 0ab1493670caa76335c1350069580dec |
| 2021-02-10 00:15:27 +0000 GMT | DUBAI UAE CHEMEX HU212324.Gz | 8457568ee9c91577d911e9810f165dfe |
| 2021-02-10 03:39:15 +0000 GMT | DUBAI UAE CHEMEX HU212324.exe | 27d3f3af00bca19136ed2adf9e5ef69f |
| 2021-02-10 15:41:39 +0000 GMT | RFQ CHEMEX 2021 DUBAI.Gz | 08ffc7e54543ba3e24c6cb56b6dca894 |
| 2021-02-10 18:54:29 +0000 GMT | RFQ CHEMEX 2021 DUBAI.exe | 81648c99ed42de7212ef9ee259035f8f |
| 2021-02-11 03:34:28 +0000 GMT | DUBAI PPMC HCU1247ED.Gz | 8b51a68f3e6cd683ea0e735eaa7510ba |
| 2021-02-11 06:45:02 +0000 GMT | DUBAI PPMC HCU1247ED.exe | 006160a4314ae24bf869019fa64b10ad |
| 2021-02-14 08:57:08 +0000 GMT | DUBAI HCU UAE PROJ.Gz | bfc9973e2782f4c4ea50505b5230a9d3 |
| 2021-02-14 12:02:37 +0000 GMT | DUBAI HCU UAE PROJ.exe | 822ece4988b0af7c821f40d2547b98c3 |
| 2021-04-30 14:43:37 +0100 BST | DUBAI UAE HCU4321890.Gz | eb7f3b5cda0e9f518f61f9231648dd77 |
| 2021-04-30 16:00:44 +0100 BST | DUBAI UAE HCU4321890.exe | 8512456ccbb378c17ad67261f667f049 |
| 2021-05-03 16:41:04 +0100 BST | UAE HCU32ED23D.Gz | 9b13e5ce82dc0226ab3f347959867064 |
| 2021-05-03 18:11:01 +0100 BST | UAE HCU32ED23D.Gz | ce540a11f63103876f46da1cbbbab982 |
| 2021-05-03 18:52:51 +0100 BST | UAE HCU32ED23D.exe | 40892578a3761f78a70382efec84aa35 |
| 2021-10-12 07:24:09 +0000 GMT | AL_JABER_DUBAIHBPC0.Gz | 54f59ae6ce647c320bfe690a8d181331 |
| 2021-10-13 19:49:26 +0000 GMT | AL_JABER_DUBAIHBPC0.exe | d71f83565f6e33e4c6abe29d451fbf33 |

Network info

| Type | IOC |
| --- | --- |
| IP | 37.49.225.161 |
| Email | sales@myremediez.com |
| Email | sales@pancare.lk |
| Email | coelma@menara.ma |
| Domain | myremediez.com |
| Domain | pancare.lk |
| Hostname | webmail.myremediez.com |
| Hostname | webmail.pancare.lk |