Olde Hornet
Well-Known Member
The malicious messages are designed to look like a business email – for example, one asks the user to open a Microsoft Excel attachment titled "Order Requirements and Specs". The document contains a macro which, if run, starts a process that executes and downloads Agent Tesla onto the machine.
This is done across a number of different stages, including downloading PowerShell files, running VBScript and creating a schedule task, all to help mask the installation of the malware, allowing the attacker to secretly monitor activity on the machine. This version of Agent Tesla pings the operator every 20 minutes, sending them any new input detected.
In addition to this, the attack also hijacks any bitcoin wallet on the victim's device. By monitoring activity on the machine and the abuse of PowerShell code, the attacker can monitor for a valid bitcoin address. If this is spotted, the code modifies the bitcoin address and changes it to one owned by the attacker, allowing them to steal cryptocurrency transfers.