Blue Hexagon Blog

Agent Tesla officially Endorses Trump 2020

With less than a week to go before the 2020 US Presidential Election, endorsement and campaign ads are everywhere. From ads on social media to network TV, supporters of the respective campaigns are in full swing in the last push before the historic November 3rd election.

But the one place you least expect to see an endorsement is in a malware campaign. We believe the attack, which appears to have originated in Eastern Europe, was first noticed around the start of October. Our AI, HexNet, identified a new variant campaign using Agent Tesla, but what was more interesting was that one of the flagged features had a politically themed context: namely, text that closely resembles an endorsement of the Trump/Pence ticket.

‘trump2020’

Figure: content of the strings in the binary

Our initial concern was whether this was a targeted attack and whether there was any connection to the attack/defacement of the Trump campaign's official website, which was also reported around the same time. Based on the results of our analysis, we don't believe the goal was to directly target the Democratic party or individuals associated with the Biden election campaign. And although the timeline of the campaign overlapped with the defacement of the Trump 2020 campaign website, no association can be made with the attackers behind that defacement.

President Trump’s campaign website was briefly and partially hacked Tuesday afternoon.

Although we haven't confirmed whether the malware author embedded the string Trump2020 as an endorsement of the Trump campaign, the string serves no other purpose in the code and is never displayed to the infected user. Its meaning remains a mystery known only to its author.
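To show how a string like this surfaces during triage, here is an added example (not Blue Hexagon's HexNet code or anything from the sample) that pulls ASCII and UTF-16LE strings out of a binary blob and reports where the page's marker strings occur. The blob is a constructed fake, not Agent Tesla, and the MARKERS table is an assumption built from the strings named on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample blob: a fake PE-like header, one ASCII string, one
# UTF-16LE string (how .NET binaries typically store text) and one ASCII
# domain. Not a real Agent Tesla sample; it exists only to exercise the scanner.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + "trump2020".encode("utf-16-le")        # UTF-16LE marker string
    + b"\x00" * 8
    + b"mail.albaniandailynews.com"          # ASCII domain from the IOC list
    + b"\x00" * 4
)

# Printable runs of at least 6 characters, in ASCII and in UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Marker strings taken from the blog post (assumed watchlist, not HexNet's).
MARKERS: Dict[str, str] = {
    "trump2020": "campaign-themed string found in the binary",
    "mail.albaniandailynews.com": "domain from the IOC list",
}


def extract_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the blob."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def flag_markers(blob: bytes, markers: Dict[str, str] = MARKERS) -> Dict[str, List[Tuple[int, str]]]:
    """Map each watchlist marker to the (offset, encoding) pairs where it appears."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for offset, enc, text in extract_strings(blob):
        lowered = text.lower()
        for marker in markers:
            if marker in lowered:
                hits.setdefault(marker, []).append((offset, enc))
    return hits


if __name__ == "__main__":
    for marker, places in flag_markers(SAMPLE_BLOB).items():
        print(f"{marker}: {MARKERS[marker]} at {places}")
```

Scanning both encodings matters because a plain ASCII `strings` pass misses UTF-16LE text, which is where a .NET sample would normally hold such a value.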

INDICATORS OF COMPROMISE: 

AGENT TESLA DROPPERS/LOADERS: 


DOMAINS:

mail.albaniandailynews.com

IP Addresses:

50.116.68.163 over port 587