BlueVoyant Identifies Malspam Campaign Targeting Spanish Companies

April 18, 2024 | 3 min read

BlueVoyant Threat Fusion Cell

BlueVoyant’s Threat Fusion Cell (TFC) is currently monitoring a malicious campaign we have named “Iberian Infiltrator,” which targets Spanish companies with phishing emails that deliver malware. The carefully crafted emails stand out because of the payload they carry: “Agent Tesla,” a widely sold .NET information stealer and keylogger.

Campaign Details 

The attackers start by sending spear-phishing emails to employees of targeted companies, impersonating reputable Spanish businesses such as Ofitec S.A, Banco Santander, and Santander Factoring y Confirming. The emails, written in Spanish, use themes related to invoices, financial transactions, bank notifications, and other business matters to lure recipients into opening malicious attachments. In some cases the emails are addressed to specific employees in billing or invoicing roles, which indicates that at least part of the targeting is deliberate rather than opportunistic.

The emails carry malicious attachments disguised as compressed archives (for example 'Facturas Marzo.gz', “March Invoices”) or image files. A .gz archive wraps a single file, and in this campaign that file is an executable rather than the invoice the name promises: when the recipient extracts and opens it, the executable runs and installs “Agent Tesla” on the workstation.
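The check a mail gateway or analyst can run on such an attachment is straightforward, because a gzip stream records the original name of the file it wraps (the FNAME header field, RFC 1952) and a Windows executable always starts with the “MZ” signature. The following triage script is an added example written for this article, not code from BlueVoyant or from the campaign: it reads the inner file name from the gzip header, decompresses the single member, and flags an executable extension, a PE signature, or a PE hidden behind a document-like name. The sample attachment it builds is constructed for the example (an “MZ” stub plus padding, not real malware), and the list of executable extensions is the editor's assumption.

```python
import gzip
import io
import struct
from typing import Optional

# Extensions Windows will run directly on double-click (assumption: tune to your policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".dll", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}

GZIP_MAGIC = b"\x1f\x8b"
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10   # RFC 1952 FLG bits

# Constructed stand-in for a PE loader: the 'MZ' DOS signature plus filler. Not real malware.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200


def gzip_original_name(data: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip header, or None if the header has no name.

    FNAME is the name the file had before compression; a lure named
    'Facturas Marzo.gz' typically wraps something like 'Facturas Marzo.exe'.
    """
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    flags = data[3]
    pos = 10                                   # ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:                         # optional extra field precedes FNAME
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.index(b"\x00", pos)             # FNAME is zero-terminated Latin-1
    return data[pos:end].decode("latin-1")


def triage_gz_attachment(outer_name: str, data: bytes) -> dict:
    """Flag a .gz attachment that hides an executable behind a document-like name."""
    inner_name = gzip_original_name(data) or ""
    payload = gzip.decompress(data)            # a .gz member is exactly one file
    ext = ("." + inner_name.rsplit(".", 1)[-1].lower()) if "." in inner_name else ""
    executable_name = ext in EXECUTABLE_EXTENSIONS
    pe_magic = payload[:2] == b"MZ"

    reasons = []
    if executable_name:
        reasons.append(f"inner file {inner_name!r} has executable extension {ext}")
    if pe_magic:
        reasons.append("decompressed content starts with the MZ (PE) signature")
    if pe_magic and not executable_name:
        reasons.append("PE content behind a non-executable or missing file name (masquerading)")

    return {
        "outer_name": outer_name,
        "inner_name": inner_name,
        "payload_size": len(payload),
        "block": bool(reasons),
        "reasons": reasons,
    }


def build_sample_lure(inner_name: str = "Facturas Marzo.exe") -> bytes:
    """Constructed sample: gzip whose FNAME is inner_name and whose content is FAKE_PE."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(FAKE_PE)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign control: a gzip with no FNAME and plain text inside."""
    return gzip.compress(b"hello")


if __name__ == "__main__":
    print(triage_gz_attachment("Facturas Marzo.gz", build_sample_lure()))
    print(triage_gz_attachment("Factura.gz", build_sample_lure("Factura.pdf")))
    print(triage_gz_attachment("notes.txt.gz", build_benign_sample()))
```

The third case matters in practice: a gzip whose inner name is “Factura.pdf” but whose content is a PE is still blocked, because the decision is made on the bytes, not on the name the sender chose.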

Once “Agent Tesla” is running, it harvests sensitive information from the infected system: keystrokes, screenshots, and credentials stored by browsers, email clients and other applications. The stolen data is sent to an attacker-controlled Telegram bot. Because this is ordinary HTTPS traffic to Telegram's public API, it blends into legitimate web traffic, and the bot gives the operators an anonymous, ready-made drop point that requires no infrastructure of their own.

Targeting Spain 

Analysis of the “Agent Tesla” samples used in the Iberian Infiltrator campaign reveals the presence of Spanish-language strings, suggesting that the variant may be purpose-built for targeting Spanish-speaking victims. 

The campaign has impacted companies across various industries in Spain, including manufacturing and industrial, technology and engineering, energy, plastics and materials distribution, and banking and finance. The broad targeting suggests the attackers are not focusing on a specific vertical but rather compromising Spanish entities across multiple sectors. 

The campaign's ultimate objective is unclear, but it appears financially motivated: the attackers most likely intend to sell the stolen data on criminal markets or use it to facilitate further attacks. The threat actor's proficiency in Spanish and familiarity with regional business operations, together with the Spanish-themed lures and the use of local infrastructure, point to a possible connection to Spain or the wider Spanish-speaking world. This cannot be confirmed on the evidence currently available.

How to Help Protect Your Organization 

To help protect against the Iberian Infiltrator campaign, organizations should adopt a multi-layered security approach that includes:

  1. Providing regular user-awareness training on identifying and reporting suspicious emails and attachments 
  2. Implementing robust email filtering solutions to block malicious attachments and links 
  3. Deploying and maintaining up-to-date antivirus software on all endpoints 
  4. Implementing endpoint detection and response (EDR) solutions to detect and respond to malware infections in real time
  5. Monitoring network traffic for anomalous activity, such as data exfiltration to unusual destinations or over uncommon protocols; for this campaign, HTTPS requests to Telegram's bot API from endpoints that have no business reason to use it are a concrete indicator
  6. Enforcing strong password policies and implementing multi-factor authentication (MFA) to minimize the impact of stolen credentials 
  7. Regularly backing up critical data and systems to enable rapid recovery in case of a successful attack

Defenders should be particularly alert for Spanish-language spear phishing emails impersonating known brands, containing malicious attachments, and originating from suspicious infrastructure. 
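The Telegram exfiltration described above and the network monitoring recommended in item 5 come together in one detection. Telegram bot calls have the documented shape https://api.telegram.org/bot<token>/<method>, and an Agent Tesla infection uploading its logs produces repeated POSTs of that shape from a workstation. The script below is an added example written for this article, not BlueVoyant code or a detection the campaign analysis published. It runs over constructed proxy log lines (the space-separated "timestamp source method url status" layout is an assumption for the example; the bot token in them is fake), matches only the upload methods an infostealer needs, and deliberately ignores a user browsing web.telegram.org, which is legitimate use of the same service. The set of methods and the minimum token length are the editor's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Telegram Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# Upload methods an infostealer needs are matched; query methods such as getMe are not
# (assumption). The secret is treated as "30 or more" token characters (assumption).
TELEGRAM_BOT_UPLOAD = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>sendDocument|sendMessage|sendPhoto)\b"
)

# Constructed proxy log: "<ts> <src_ip> <http_method> <url> <status>". The token is fake.
SAMPLE_PROXY_LOG = """\
2024-04-18T09:58:02Z 10.20.30.41 GET https://www.santander.es/ 200
2024-04-18T10:03:21Z 10.20.30.41 POST https://api.telegram.org/bot6123456789:AAEcKfZpQ1vTx9s_bR2mL0yHq8cWdN4eGj7/sendDocument 200
2024-04-18T10:03:25Z 10.20.30.41 POST https://api.telegram.org/bot6123456789:AAEcKfZpQ1vTx9s_bR2mL0yHq8cWdN4eGj7/sendDocument 200
2024-04-18T10:04:10Z 10.20.30.77 GET https://web.telegram.org/a/ 200
2024-04-18T10:05:44Z 10.20.30.41 POST https://api.telegram.org/bot6123456789:AAEcKfZpQ1vTx9s_bR2mL0yHq8cWdN4eGj7/sendMessage 200
2024-04-18T10:06:00Z 10.20.30.90 POST https://api.telegram.org/bot42:short/getMe 200
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields; None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, http_method, url, status = parts
    return {"ts": ts, "src": src, "http_method": http_method, "url": url, "status": status}


def find_telegram_exfil(log_text: str) -> List[dict]:
    """Return one alert per request that uploads data through the Telegram Bot API."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = TELEGRAM_BOT_UPLOAD.match(rec["url"])
        if m is None:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "bot_id": m.group("bot_id"),
            # The token is a live credential for the attacker's bot; keep it out of tickets
            # and hand the full value only to whoever files the takedown request.
            "token_hint": m.group("secret")[:4] + "...",
            "api_method": m.group("method"),
            "technique": "T1567 Exfiltration Over Web Service (Telegram Bot API)",
        })
    return alerts


def summarize_by_host(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts per source host so the noisiest endpoint is triaged first."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_telegram_exfil(SAMPLE_PROXY_LOG)
    for a in found:
        print(a)
    print(summarize_by_host(found))
```

On the sample, only host 10.20.30.41 is flagged, three times; the web.telegram.org request and the malformed bot42:short/getMe line are left alone. In a real deployment the same match belongs in the proxy or IDS rule set, with an allow-list for any internal automation that legitimately posts to Telegram bots.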

Associated MITRE Techniques  

  • T1566.001 - Phishing: Spearphishing Attachment  
  • T1204.002 - User Execution: Malicious File 
  • T1027 - Obfuscated Files or Information  
  • T1027.002 - Obfuscated Files or Information: Software Packing  
  • T1056.001 - Input Capture: Keylogging  
  • T1113 - Screen Capture  
  • T1003 - OS Credential Dumping  
  • T1003.001 - OS Credential Dumping: LSASS Memory  
  • T1003.002 - OS Credential Dumping: Security Account Manager  
  • T1003.003 - OS Credential Dumping: NTDS  
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage  
  • T1071.001 - Application Layer Protocol: Web Protocols  
  • T1041 - Exfiltration Over C2 Channel  
  • T1082 - System Information Discovery 
  • T1036.004 - Masquerading: Masquerade Task or Service  
  • T1059.001 - Command and Scripting Interpreter: PowerShell  
  • T1059.005 - Command and Scripting Interpreter: Visual Basic  
  • T1140 - Deobfuscate/Decode Files or Information 
