By Edmund Brumaghin and other Talos researchers.

Executive summary

Cisco Talos recently identified a large number of ongoing distribution campaigns linked to a threat actor we’re calling “SWEED,” including campaigns delivering such notable malware families as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets its victims with information stealers and remote access trojans.

SWEED remains consistent across most of its campaigns in its use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different malicious document types, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that has been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past, both in the way it is packed and in how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED and discuss some of the actor’s tactics, techniques and procedures (TTPs).
