
LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises

An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.

Sens: Immediate | Conf: high | Analyzed: 2026-05-14 | Google

Authors: Moises Cerqueira

Actors: Agent Tesla

Source: ANY.RUN

IOCs · 15

Detection / Hunter: Google

What Happened

A long-running cyberattack campaign is targeting businesses in Latin America, especially Chile, by sending fake purchase orders and payroll documents. When an employee opens the attached file, a hidden program called Agent Tesla is installed on their computer to steal passwords from web browsers, email accounts, and other business tools. This stolen information can lead to financial fraud, unauthorized access to company systems, and data breaches. Organizations should train employees to spot suspicious financial documents and use advanced security tools to catch this hidden threat.

Key Takeaways

  • An 18-month Agent Tesla campaign is actively targeting LATAM enterprises, specifically in Chile, using procurement and finance-themed lures.
  • The attack utilizes a multi-stage loader protected by .NET Reactor 6.x and employs Process Hollowing to evade static detection.
  • The final Agent Tesla payload executes entirely in memory (fileless) and harvests credentials from over 80 applications.
  • Data exfiltration occurs via cleartext FTP to compromised legitimate infrastructure, specifically a Romanian hospitality server.
  • The malware performs pre-exfiltration victim fingerprinting using ip-api.com to avoid sandboxes and hosting providers.

Affected Systems

  • Windows
  • Web Browsers (Chrome, Firefox, Edge, etc.)
  • Email Clients (Outlook, Thunderbird, etc.)
  • FTP Clients
  • VPN Clients

Attack Chain

The attack begins with a spear-phishing email containing a RAR archive disguised as a PDF (e.g., Orden de compra_pdf.uu). Extracting the archive reveals a JScript Encoded (.jse) dropper that downloads a decoy PDF and drops randomized PowerShell stagers to the C:\Temp\ directory. The PowerShell stager executes with an execution policy bypass, injecting a .NET Reactor-protected loader (ALTERNATE.dll) into the legitimate aspnet_compiler.exe process via Process Hollowing. Finally, the Agent Tesla payload is decrypted and executed entirely in memory, harvesting credentials from over 80 applications and exfiltrating the data via cleartext FTP to a compromised server.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: Yes
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Suricata, YARA, Sigma

The article provides Suricata rules for detecting FTP exfiltration and hosting provider checks, a YARA rule for identifying the ALTERNATE.dll loader, and a Sigma rule for detecting process hollowing into aspnet_compiler.exe.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs may struggle with the in-memory execution and .NET Reactor obfuscation, but should catch the process hollowing into aspnet_compiler.exe and the execution of PowerShell with bypass flags.
  • Network Visibility: High — The exfiltration occurs over cleartext FTP, making the authentication handshake, C2 hostname, and exfiltrated data highly visible to network monitoring tools.
  • Detection Difficulty: Moderate — While the static payload is heavily obfuscated and fileless, the behavioral indicators (process hollowing, cleartext FTP, specific API checks) provide reliable detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Network Connections (Sysmon Event ID 3)
  • PowerShell Operational Logs (Event ID 4104)

Hunting Hypotheses

  • Hypothesis: Consider hunting for powershell.exe spawning aspnet_compiler.exe, which may indicate process hollowing. | Telemetry: Process Creation | ATT&CK Stage: Execution/Defense Evasion | FP Risk: Low
  • Hypothesis: If you have network visibility, consider hunting for outbound FTP traffic (port 21) containing STOR commands with 'PW_' prefixes. | Telemetry: Network Traffic | ATT&CK Stage: Exfiltration | FP Risk: Low
  • Hypothesis: Consider hunting for HTTP GET requests to ip-api.com/line/?fields=hosting originating from non-browser processes. | Telemetry: Network Traffic | ATT&CK Stage: Discovery | FP Risk: Medium

Control Gaps

  • Static Antivirus
  • Email gateways relying solely on file extensions

Key Behavioral Indicators

  • aspnet_compiler.exe making outbound network connections
  • PowerShell executing scripts from C:\Temp\ with randomized 8-character names
  • Cleartext FTP traffic containing HTML-formatted credential reports
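The three hunting hypotheses above and the key behavioral indicators listed here can be expressed as a small set of checks over the log sources the page names (Sysmon Event ID 1 and 3, FTP control-channel commands, and a web-proxy log that records the originating process). The following Python is an added example written for this summary; it is not code from the ANY.RUN report or from the detection rules it describes. All telemetry records are constructed here for illustration, the field names follow Sysmon's naming (Image, ParentImage, CommandLine, DestinationPort), and the proxy-log schema with an Image field is an assumption. Two benign records (a developer running aspnet_compiler.exe from cmd.exe, and a browser fetching ip-api.com) are included to show what the hunts deliberately leave alone.

```python
import re

# Constructed sample telemetry shaped like the log sources the page names:
# Sysmon Event ID 1 (process creation), Sysmon Event ID 3 (network
# connection), a web-proxy log with the originating process, and FTP
# control-channel commands. Field names follow Sysmon's naming; the
# proxy-log schema is an assumption. No record here comes from the report.
PROCESS_EVENTS = [
    # Suspicious: aspnet_compiler.exe spawned by PowerShell (hollowing host).
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": "aspnet_compiler.exe"},
    # Suspicious: randomized 8-letter stager under C:\Temp with a bypass flag.
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\QWERTYUI.ps1"},
    # Benign: an admin script from a normal location.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # Benign: a developer precompiling a site from a build shell.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\inetpub\site -f C:\build"},
]
NETWORK_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 21},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]
PROXY_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "Method": "GET", "Host": "ip-api.com", "Path": "/line/?fields=hosting"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Method": "GET", "Host": "ip-api.com", "Path": "/line/?fields=hosting"},
]
FTP_COMMANDS = [
    "USER backup", "PASS example", "STOR nightly.tar",
    "USER uploader", "PASS example", "STOR PW_WORKSTATION01_jdoe.html",
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# C:\Temp\<8 uppercase letters>.ps1, the dropped-stager pattern from the report.
STAGER_PATH = re.compile(r"[Cc]:\\[Tt]emp\\[A-Z]{8}\.ps1")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_hollowing(events):
    """Hypothesis 1: powershell.exe spawning aspnet_compiler.exe."""
    return [e for e in events
            if basename(e["ParentImage"]) == "powershell.exe"
            and basename(e["Image"]) == "aspnet_compiler.exe"]


def hunt_temp_stagers(events):
    """Indicator: PowerShell running a randomized 8-letter script from C:\\Temp."""
    return [e for e in events
            if basename(e["Image"]) == "powershell.exe"
            and STAGER_PATH.search(e["CommandLine"])]


def hunt_compiler_egress(events):
    """Indicator: aspnet_compiler.exe making any outbound connection."""
    return [e for e in events if basename(e["Image"]) == "aspnet_compiler.exe"]


def hunt_hosting_check(events):
    """Hypothesis 3: non-browser process fetching ip-api.com/line/?fields=hosting."""
    return [e for e in events
            if e["Host"].lower() == "ip-api.com"
            and e["Path"].startswith("/line/")
            and "fields=hosting" in e["Path"]
            and basename(e["Image"]) not in BROWSERS]


def hunt_ftp_pw_uploads(commands):
    """Hypothesis 2: FTP STOR of a file whose name starts with PW_."""
    return [c for c in commands if re.match(r"STOR\s+PW_", c)]


def run_hunts():
    """Run every hunt over the sample telemetry; returns hit counts per hunt."""
    return {
        "process_hollowing": len(hunt_process_hollowing(PROCESS_EVENTS)),
        "temp_stagers": len(hunt_temp_stagers(PROCESS_EVENTS)),
        "compiler_egress": len(hunt_compiler_egress(NETWORK_EVENTS)),
        "hosting_check": len(hunt_hosting_check(PROXY_EVENTS)),
        "ftp_pw_uploads": len(hunt_ftp_pw_uploads(FTP_COMMANDS)),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(f"{hunt}: {hits} hit(s)")
```

Each hunt fires exactly once on the sample set and stays silent on the benign records, which matches the Low/Medium false-positive ratings in the table: the parent-child and C:\Temp checks are narrow, while the ip-api.com check depends on how complete your browser allow-list is, which is why it is rated Medium. In production the same predicates map directly onto a Sigma rule (process creation) and Suricata content matches (STOR PW_ on port 21, the ip-api.com URI).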

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking outbound connections to the identified FTP C2 IP (89.39.83.184) and domain (ftp.horeca-bucuresti.ro).
  • Evaluate whether to quarantine emails containing attachments with .uu, .jse, or .vbe extensions, especially within archives.

Infrastructure Hardening

  • If applicable, consider restricting outbound FTP (port 21) traffic from user endpoints to the internet.
  • Evaluate implementing strict execution policies for PowerShell and monitoring for bypass attempts.

User Protection

  • Consider deploying EDR solutions capable of detecting process hollowing and in-memory execution.
  • If supported by your tooling, evaluate blocking macro-enabled Office files from external senders.

Security Awareness

  • Consider training finance and procurement teams to identify suspicious purchase order and payroll lures.
  • Evaluate incorporating the verification of sender identities for financial documents into existing awareness programs.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1027 - Obfuscated Files or Information
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1055.012 - Process Injection: Process Hollowing
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  • T1082 - System Information Discovery
  • T1016 - System Network Configuration Discovery

Additional IOCs

  • IPs:
    • 208[.]95[.]112[.]1 - ip-api.com IP used for victim fingerprinting
  • Domains:
    • email[.]v[.]todotramitesperu[.]com[.]elgartizocon[.]ro - Email relay infrastructure
    • email[.]elrif[.]com - Email relay infrastructure
  • URLs:
    • hxxp://ip-api[.]com/line/?fields=hosting - Pre-exfiltration hosting check URL
    • fxp://ftp[.]horeca-bucuresti[.]ro - FTP C2 exfiltration endpoint
  • File Hashes:
    • A7EEEAD9C868D9944ED1C1F113328F32 (MD5) - RAR dropper
    • B50B3800B17AD7AD5C4483C0B6B24D1D151A9D10 (SHA1) - RAR dropper
    • CD83F5CEB2D014BADFA991106A9D37A6AEAB9043D60D796AD0F16D36CDFA5703 (SHA256) - PowerShell stager (all variants)
    • 78ba57f4a164bedc26204296ea09bb8f (MD5) - Decrypted payload
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Registry Run key used for persistence
  • File Paths:
    • C:\Temp\[A-Z]{8}.ps1 - Dropped stager pattern (regex)
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ - Startup folder persistence location
    • 7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe - GUID filename used for autorun copy
    • ALTERNATE.dll - Internal loader identifier
  • Command Lines:
    • Purpose: Execute PowerShell stager with execution policy bypass | Tools: powershell.exe | Stage: Execution | -ExecutionPolicy Bypass
  • Other:
    • hdfzpysvpzimorhk - Secondary anti-re-infection mutex
    • HnJnO - Campaign tag / build identifier