Persistent AgentTesla campaign targeting the UAE
CYJAX Analysts Investigate AgentTesla Infostealer Campaign Targeting UAE
Cyjax analysts have investigated a long-running AgentTesla infostealer campaign targeting Dubai and the UAE. The campaign began in January 2021, with ongoing activity until May 2021. New samples were also observed in October 2021. Unlike most AgentTesla campaigns, this one heavily focused on the UAE, with only a few samples using the same C2 servers extending beyond the region to India and Italy.
The attack begins with an email themed around a purchase order from a compromised account. The subject line usually reads, “REQUEST FOR QUOTATION AL JABER DUBAI REF: 3214ED21 Please send your best possible rates.” A .Gz archive file, titled DUBAI UAE HCU234ED.Gz, is attached to the email (containing “DUBAI UAE HCU234ED.exe”).
Fig. 1 - Map of over 50 AgentTesla samples connected to this campaign
When the .Gz file is opened, the AgentTesla malware payload is executed on the compromised device. The malware is capable of performing several malicious activities, such as stealing credentials from email clients, web browsers, and applications like PuTTY or WinSCP. The collected information is exfiltrated to two mail servers over port 587 (SMTP). The credentials used to access the C2 server match those of the compromised system.
The IP address (37.49.225.161) used to send the phishing emails has previously been flagged for SMTP brute-forcing, consistent with the threat actor's tactics of using compromised accounts both to send phishing emails and to exfiltrate data (source).
Fig. 2 - UAE and Dubai-themed AgentTesla attacks
What stands out about this campaign is its narrow and persistent targeting. Cyjax analysts discovered the samples after they were uploaded to a public sandbox in the UAE and followed open sources to uncover the rest. The file attachments appeared as generic business orders targeting organizations across sectors like construction, transportation, and retail—industries common in the UAE, yet broad enough to affect various organizations.
AgentTesla is a commodity malware used by multiple threat actors with varying skill levels. It is typically used in indiscriminate, financially motivated campaigns, but this specific attack appears more like an intelligence-gathering operation, persistently targeting a particular set of organizations within the UAE. By utilizing compromised infrastructure, the attackers avoid the need to register their own domains or host servers, making it difficult to attribute the attack to a specific group or individual.
In April 2020, researchers uncovered an AgentTesla campaign that targeted the oil and gas industry in anticipation of an OPEC+ deal. The use of infostealers indicated that the attackers aimed to gather intelligence on how specific countries planned to address industry challenges. In June 2021, Cyjax analysts also reported a more sophisticated AgentTesla campaign impersonating the Abu Dhabi National Oil Company (ADNOC) and using fake request-for-quotation (RFQ) phishing lures. We have not yet found firm links between this campaign and either of those earlier campaigns, or any others, but the tactics, techniques, and procedures (TTPs), choice of malware, and targeted region overlap to some degree.
IOCs
Hashes:

| First Seen | Filename | MD5 |
| --- | --- | --- |
| 2021-01-20 11:10:17 | DUBAI GNC HC21126.exe.Gz | 524f467f1fe89ad974d3a6d1024f6887 |
| 2021-01-20 11:18:38 | DUBAI GNC HC21126.exe | bbab9a530caef93c9429912e02d018aa |
| 2021-01-20 18:09:05 | DUBAI GNC CHEMEX UAE.Gz | 00197708e6209aeadb462a4a71f6b70e |
Network Information:

| Type | IOC |
| --- | --- |
| IP | 37.49.225.161 |
| Email | sales@myremediez.com |
| Email | sales@pancare.lk |
| Email | coelma@menara.ma |
| Domain | myremediez.com |
| Domain | pancare.lk |
| Hostname | webmail.myremediez.com |
| Hostname | webmail.pancare.lk |
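As an added illustration (not part of Cyjax's report or tooling), the following Python sketch applies two of the signals described above to constructed firewall events: a destination matching the report's network IOCs, and direct SMTP submission on port 587 from a host that is not an approved mail relay. The internal address ranges and the relay address 10.0.0.25 are assumptions for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Network indicators copied from the IOC section of this report.
CAMPAIGN_HOSTS = {"webmail.myremediez.com", "webmail.pancare.lk",
                  "myremediez.com", "pancare.lk"}
CAMPAIGN_IPS = {"37.49.225.161"}
# Assumptions for this example: the internal address ranges, and the only
# host (a hypothetical relay) allowed to submit mail directly to the internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RELAYS = {"10.0.0.25"}

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def analyse_connection(event: dict) -> list[str]:
    """Reasons (possibly none) why one outbound connection record resembles
    AgentTesla's SMTP exfiltration. Keys: src_ip, dst_ip, dst_port, dst_host."""
    reasons = []
    host = (event.get("dst_host") or "").lower().rstrip(".")
    if event["dst_ip"] in CAMPAIGN_IPS or host in CAMPAIGN_HOSTS:
        reasons.append("destination matches campaign IOC list")
    # Workstations should not submit mail on 587 to the internet; the malware logs in
    # with the victim's own mail credentials, so nothing else distinguishes the session.
    if (int(event["dst_port"]) == 587 and not is_internal(event["dst_ip"])
            and event["src_ip"] not in APPROVED_RELAYS):
        reasons.append("direct SMTP submission (587) from a non-relay host")
    return reasons

def scan(log_lines) -> list[tuple[str, str, list[str]]]:
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        reasons = analyse_connection(event)
        if reasons:
            alerts.append((event["src_ip"], event["dst_ip"], reasons))
    return alerts

# Constructed sample events for this example, not telemetry from the campaign.
SAMPLE_LOG = [
    '{"src_ip":"192.168.10.42","dst_ip":"203.0.113.7","dst_port":587,"dst_host":"webmail.pancare.lk"}',
    '{"src_ip":"192.168.10.42","dst_ip":"198.51.100.9","dst_port":443,"dst_host":"example.com"}',
    '{"src_ip":"10.0.0.25","dst_ip":"198.51.100.20","dst_port":587,"dst_host":"smtp.example.net"}',
    '{"src_ip":"192.168.10.7","dst_ip":"37.49.225.161","dst_port":25,"dst_host":""}',
]

if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {'; '.join(why)}")
```

The port-587 rule will also fire on legitimate mail clients that bypass the corporate relay, so it is best used as a hunting query or correlated with the IOC match rather than as a standalone block rule.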
