AgentTesla campaign engages in cyber-squatting to host and deliver spyware

Researchers at Zscaler recently discovered a new spyware campaign that used cyber-squatting techniques to host, distribute and command-and-control the AgentTesla keylogger via a domain whose name was strikingly similar to Chesapeake, Virginia-based consulting and services firm Diode Technologies.

According to Zscaler, the malicious domain, diodetechs.com, was registered two months prior to the attack, and was only one letter different from Diode Technologies' legitimate domain, diodetech.com. The domain has since been suspended. Diode, whose target customer base includes corporations, government agencies, educational institutions and health-care organisations, was informed of the incident earlier this month.

The campaign infected victims using socially engineered emails with attached documents that were supposedly purchase orders but actually contained malicious macros that installed the AgentTesla payload. Upon downloading, AgentTesla is capable of keylogging, screen capturing and exfiltrating stored passwords. The malware can also terminate various security software programs on a victim's machine and evade sandboxes and virtual environments.

Zscaler's director of security research Deepen Desai confirmed to SCMagazine.com that in one instance, a malicious email purported to come from Diode Technologies. "While we have only seen one instance, it is very likely that they were targeting Diode Technologies customers in this campaign," said Desai in emailed comments.