SWEED Threat Actor Uses Typosquatting, UAC Bypasses to Distribute Agent Tesla (Jul 15, 2019)
Cisco Talos researchers have identified malicious activity conducted by a threat actor dubbed “SWEED.” The actor uses typosquatting and User Account Control (UAC) bypassing techniques to distribute Agent Tesla and other malware. The researchers, who have been tracking SWEED’s efforts to distribute Agent Tesla since 2017, observed the threat actor employing various tactics to propel its attack campaigns, including using Java-based droppers and steganography to covertly decode a chain of .NET executables. The actor also incorporated previously disclosed Microsoft Office vulnerabilities, most notably “CVE-2017-8759” and “CVE-2017-11882,” into its attack campaigns before resorting to Office macros and AutoIt droppers in 2019.
Recommendation: Security professionals can help defend their organizations against SWEED and Agent Tesla by using ahead-of-threat detection to block potentially malicious domains, including those activated by SWEED and other threat actors, before they become active in attacks such as phishing campaigns. Organizations can also invest in a unified endpoint management solution to analyze how devices are behaving and report suspicious behavior.
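A defender-side illustration of the first recommendation, added here and not drawn from the Talos report or any ThreatStream tooling: a small typosquat screen that scores newly observed domains against a watchlist of protected brand labels using homoglyph normalisation and Damerau-Levenshtein distance. The brand names, homoglyph table and sample domains are all constructed for the example.

```python
"""Flag candidate typosquat domains for a watchlist of protected labels.

Added example; not part of the Talos report or any Anomali tooling.
Watchlist, homoglyph table and sample domains are constructed.
"""

# Constructed watchlist of legitimate second-level labels to protect.
PROTECTED = ["example", "microsoft", "paypal"]

# Look-alike sequences collapsed before comparison (constructed, not exhaustive).
# Both sides are normalised the same way, so false collapses stay consistent.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def normalize(label):
    """Collapse homoglyph tricks so 'rnicrosoft' compares as 'microsoft'."""
    for glyph, real in HOMOGLYPHS.items():
        label = label.replace(glyph, real)
    return label


def sld(domain):
    """Second-level label of a domain: 'login.paypa1.com' -> 'paypa1'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_matches(domain, protected=PROTECTED, max_distance=1):
    """Return (protected_label, reason) pairs the domain imitates; exact matches are the real thing."""
    label = sld(domain)
    hits = []
    for brand in protected:
        if label == brand:
            continue
        if normalize(label) == normalize(brand):
            hits.append((brand, "homoglyph"))
        elif damerau_levenshtein(normalize(label), normalize(brand)) <= max_distance:
            hits.append((brand, "edit-distance"))
    return hits


# Constructed sample resembling a newly-registered-domain feed.
SAMPLE_DOMAINS = ["paypal.com", "paypa1.com", "rnicrosoft.com",
                  "micosoft.net", "exampel.org", "unrelated.io"]


def scan(domains):
    """Map each flagged domain to the protected labels it resembles."""
    return {d: typosquat_matches(d) for d in domains if typosquat_matches(d)}


if __name__ == "__main__":
    for domain, hits in scan(SAMPLE_DOMAINS).items():
        print(domain, hits)
```

Feeding flagged domains to a DNS sinkhole or proxy blocklist is what "ahead-of-threat" blocking amounts to in practice; raise `max_distance` for long brand names and review hits before enforcing.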
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.