The NJCCIC observed multiple phishing campaigns sent from both US and non-US top-level domains (TLD) to New Jersey State employees in an attempt to deliver the AgentTesla malware, an advanced backdoor with keylogging capabilities used to steal credentials and exfiltrate data. They purport to be quotes for medical supplies or non-specific items listed in the body of the email. They also contain attachments as compressed executables (LZH and TAR.GZ files) and JPG files with keywords referencing “device images” and “new order-po.” These attachments claim to be quotes, specifications, or photos of the items that, if clicked, launch the executable to install AgentTesla. Additionally, emails contain spelling and grammatical errors and do not have personalized greetings.

What Should I Do?

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised
to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders.

If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, before taking action. Additionally, visit websites directly by manually typing the legitimate URL into a browser, and refrain from navigating to online accounts via links delivered in emails. Phishing emails and other malicious cyber activity can be reported to the FBI Internet Crime Complaint Center (IC3) and the NJCCIC. For any further questions, contact us here at Cyber Command.