A threat actor known as SWEED is using typosquatting and User Account Control (UAC) bypassing techniques to distribute Agent Tesla and other malware.

Cisco Talos, which has been tracking SWEED’s efforts to distribute Agent Tesla since 2017, observed the threat actor employing various tactics to propel its attack campaigns, including using Java-based droppers and steganography to secretly decode a chain of .NET executables. The actor also incorporated previously disclosed Microsoft Office vulnerabilities, most notably CVE-2017-8759 and CVE-2017-11882, into its attack campaigns before resorting to Office macros and AutoIt droppers in 2019.

Over the course of all of those operations, the threat actor kept some things the same. For example, SWEED commonly creates registry keys to help its malware payloads bypass UAC on infected systems to evade detection, and uses typosquatting with domains specifically created to host packed Agent Tesla binaries.

The History of Agent Tesla Campaigns

In August 2016, Zscaler observed an Agent Tesla campaign that leveraged typosquatting to deliver the information stealer. More than a year later, Fortinet came across an operation that used Microsoft Word documents to deliver a new variant of the spyware. That was just a few months before Cisco Talos spotted an attack in which bad actors modified a well-known exploit chain to deliver the malware along with the Loki information stealer.

Stay One Step Ahead of SWEED

Security professionals can help defend their organizations against SWEED and Agent Tesla by using ahead-of-threat detection to block potentially malicious domains, including those activated by SWEED and other threat actors, before they become active in attacks such as phishing campaigns. Organizations can also invest in a unified endpoint management (UEM) solution to analyze how devices are behaving and report suspicious behavior.