“Bignosa” & “Gods”: Behind the Agent Tesla Attacks

A recent comprehensive study conducted by specialists at Check Point has illuminated the shadowy underbelly of cyberspace, uncovering the operations and identities of malefactors wielding the malicious software Agent Tesla.

Agent Tesla is an advanced Remote Access Trojan (RAT) that specializes in the theft and infiltration of confidential information from infected machines. A campaign involving this malicious software, targeting organizations in the United States and Australia, was recently uncovered, having commenced on November 7, 2023. The campaign is attributed to two cybercriminals known by the aliases “Bignosa” and “Gods,” who utilized phishing campaigns to disseminate the malware.

Employing spam emails disguised as business propositions, the malefactors distributed Agent Tesla, cloaked as innocuous attachments. Through their investigation, Check Point experts were able to trace the activities of these culprits, determining that the primary individual, “Bignosa,” is part of a group engaged in malicious campaigns and phishing, with a majority of the servers used for distributing Agent Tesla under this group’s control.

The Check Point report particularly highlights the Cassandra Protector tool, employed to camouflage malicious code and convert it into ISO images, thereby increasing the likelihood of successfully compromising target machines. This tool boasts capabilities for evading antivirus detection, emulation, and can register itself in the Windows task scheduler to ensure persistence.

A meticulous analysis of information related to “Bignosa” and “Gods,” including IP addresses, email addresses, phone numbers, cryptocurrency transactions, and profiles on Jabber, Skype, LinkedIn, and Instagram, which have surfaced online, aided researchers in unveiling the real identities of the malefactors.

The first, “Bignosa,” was identified as Nosahare Godson, a resident of Kenya with an extensive history of using Agent Tesla and conducting phishing attacks. The second, Kingsley Fredrick, known under the pseudonyms “Gods” and “Kmarshal,” of Nigerian origin but educated in a Turkish university, has been linked to phishing and malicious campaigns since March 2023. His current whereabouts remain uncertain.

Initially, the cooperation between the hackers was viewed solely as a mentor-apprentice relationship, with “Gods” frequently aiding “Bignosa” in configuring Agent Tesla instances and in eradicating traces of infection after unintentional activations. However, subsequent findings suggest a closer collaboration, with the hackers operating as a unified group.

Thus, the numerous digital breadcrumbs left by cybercriminals online enabled researchers to uncover their identities, reconstruct their actions, and delve into their day-to-day operations. It turns out, that even the smallest and seemingly insignificant data fragments can contribute to the overall picture and unveil truths the culprits would rather keep concealed.

Check Point experts have stated their close collaboration with law enforcement in conducting their investigation, hence it is only a matter of time before the cybercriminals face official charges and arrest.

This study underscores the importance of vigilance in cybersecurity and demonstrates how thorough analysis of digital traces can aid in threat identification.

Regarding Agent Tesla, to minimize the risks of infection by this and similar malicious software, it is recommended to promptly update operating systems and applications, exercise caution with unexpected emails, and enhance awareness of cyber threats.

As reported, Check Point will continue to actively monitor cybercriminal activity and collaborate with law enforcement agencies to prevent future attacks.