In what can only be explained as a case of karmic irony, a Nigerian scammer accountable for stealing more than 800,000 credentials from some 28,000 victims above the past numerous a long time lately infected his very own equipment with info-stealing malware that resulted in his identity currently being uncovered.
Researchers from Malwarebytes received on his trail when they determined a team they track as “Nigerian Tesla” amid various risk actors concentrating on Ukrainian entities. Malwarebytes experienced tracked the group for a long time initially although it was engaged in a string of so-called 419 progress payment fraud (aka Nigerian letter ripoffs), in which victims get e-mails promising them a generous fee for facilitating a revenue transfer involving a significant sum.
In excess of the past two a long time, Malwarebytes researchers experienced observed the risk actor switching from 419 cons to distributing Agent Tesla, a greatly employed remote-entry Trojan (RAT) for stealing personalized facts from infected units.
Malwarebytes lately discovered Nigerian Tesla attempting to distribute the malware by way of an email with a issue header titled “Final Payment” in Ukrainian. Recipients who clicked on the connection in the e mail had been directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user’s technique.
The attack chain involved the command-and-control server (C2) sending a concept to Agent Tesla on infected methods, intended to confirm that the malware had been appropriately configured for distant communication. In examining the marketing campaign, scientists detected an oddity — several messages made up of the text “Take a look at successful” coming from the attacker’s have equipment. There is only a single rational conclusion: The attacker had somehow managed to self-inflict Agent Tesla malware.
A member of Malwarebytes’ risk intelligence crew tells Dark Examining that the menace actor made various faults: “The most significant one particular was to infect his very own personal computer with the Agent Tesla stealer,” he suggests. “By accomplishing so, all the qualifications from their equipment, saved in prevalent programs these as browsers, were being gathered and exfiltrated. In a feeling, they turned just one more sufferer, but in this circumstance of their own malware.”
An examination of the examination email messages exposed the attacker’s IP address, which then led the researchers down a path that in the long run revealed to them the attacker’s serious identity, deal with, shots, and a copy of his Nigerian driver’s license.
A Path of Bread Crumbs
One particular of the to start with issues Malwarebytes uncovered when investigating the menace actor’s IP address was that he had sent extra than two dozen supplemental e-mail from the exact same IP deal with. The scientists have been unable to figure how the attacker had managed to infect his own technique. But the emails discovered various other companies that the menace actor utilised as aspect of his attack infrastructure.
These involved a company that could be used as a source for victim emails, one more for extracting e-mails from compromised techniques, file hosting and storage expert services, virtual private servers, and VPN and DNS expert services. The researchers also found various assumed names that the Nigerian Tesla team employed in previous email frauds, together with numerous e mail accounts that have been applied in phishing scams and facts theft strategies.
An investigation of the email messages and the personae connected with them confirmed that the Nigerian Tesla team had been engaged in felony cyber things to do likely back again to at the very least 2014. At that time the group was generally engaged in 419 frauds involving e-mail from fictitious individuals going by names these as Rita Bent, Lee Chen, and John Cooper. Malwarebytes uncovered the menace building a change to malware distribution in 2020, and recognized the applications the attacker used to obfuscate their binaries and to examination no matter if they could be detected.
Throughout their investigation Malwarebytes scientists observed a few of pictures of the individual that appeared to have started off the operation, as perfectly as the Agent Tesla-infected person’s driver’s license. Malwarebytes identified the particular person only as “E.K” and as someone born in 1985.