Nigeria Scammers Using Agent Tesla Remote Access Trojan (RAT) In Financial Scams

Risk:
high
Damage:
high
Platform(s):
Web Servers, Systems, Networks, Mobile Networks and Telephones
Advisory ID:
ngCERT-2022-0079
Version:
N/A
CVE:
N/A
Published:
June 3, 2022

Summary


Interpol recently reported the arrest of Nigerians involved in financial scams using Agent Tesla, during a sting operation conducted by the Economic and Financial Crimes Commission (EFCC). Agent Tesla is a remote access tool (RAT) that lets its operator control computers remotely. The tool is sold through its official website, where its developers present it as a legitimate program. As an information stealer that extracts credentials stored in web browsers, email clients, and File Transfer Protocol (FTP) clients, it has recently become one of the most widely distributed malware families. Interpol apprehended three notorious fraudsters in Lagos who used Agent Tesla in their Business Email Compromise (BEC) attacks, in an operation dubbed "Killer Bee."

Description & Consequence


The scammers allegedly used the malware to reroute financial transactions and steal confidential data from oil and gas organizations in South East Asia, the Middle East, and North Africa. The primary distribution vector is phishing emails with malicious attachments, followed by malicious online advertisements, social engineering, and software 'cracks.' Most samples are delivered through spam emails disguised as invoices, shipment documents, and purchase orders, with file names such as Invoice, Shipment, or P.O. (Purchase Order).

A number of samples were gathered; they were disguised as files with .pdf and .xlsx extensions. If the infection succeeds, the attacker carries out reconnaissance and steals account credentials in order to mount a BEC attack.
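As an added illustration of the disguised-attachment pattern described above (example code, not part of the advisory): a small Python triage routine that flags mail attachments by the lure keywords the advisory names, by double extensions, and by a mismatch between the claimed .pdf/.xlsx extension and the file's leading bytes. The sample attachment names and header bytes are constructed.

```python
import re

# Lure words the advisory reports in Agent Tesla spam attachment names.
LURE_WORDS = ("invoice", "shipment", "purchase order", "p.o.")
# Magic bytes for the formats the samples were disguised as: PDF, and
# xlsx (an OOXML ZIP archive). PE_MAGIC is the Windows executable header.
MAGIC = {"pdf": b"%PDF", "xlsx": b"PK\x03\x04"}
PE_MAGIC = b"MZ"
# A lure extension followed by the real one, e.g. "Invoice.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|xlsx)\.[a-z0-9]{1,4}$")
LAST_EXT = re.compile(r"\.([a-z0-9]+)$")

def attachment_findings(filename, head):
    """Reasons an attachment (display name, first bytes) looks like a lure."""
    name = filename.lower()
    findings = []
    if any(word in name for word in LURE_WORDS):
        findings.append("lure-keyword")
    if DOUBLE_EXT.search(name):
        findings.append("double-extension")
    m = LAST_EXT.search(name)
    ext = m.group(1) if m else ""
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        findings.append("extension-mismatch")  # name says PDF/xlsx, bytes do not
    if head.startswith(PE_MAGIC):
        findings.append("pe-executable")
    return findings

def is_suspicious(findings):
    # A lure keyword alone is not enough (real invoices exist); require a
    # structural sign that the file is not what its name claims.
    return any(f != "lure-keyword" for f in findings)

def triage(attachments):
    """attachments: iterable of (filename, head_bytes) -> names to quarantine."""
    return [name for name, head in attachments
            if is_suspicious(attachment_findings(name, head))]

# Constructed sample attachments (names and header bytes are made up).
SAMPLES = [
    ("Invoice_2022.pdf", b"%PDF-1.4\n"),            # genuine PDF
    ("Shipment Documents.pdf.exe", b"MZ\x90\x00"),  # executable behind .pdf
    ("P.O. 4471.xlsx", b"MZ\x90\x00"),              # executable named .xlsx
    ("report.xlsx", b"PK\x03\x04"),                 # genuine xlsx
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, attachment_findings(name, head))
    print("quarantine:", triage(SAMPLES))
```

A real gateway would read the header bytes from the decoded MIME part; the lure-keyword finding is kept as a priority signal rather than a block reason so that legitimate invoices are not quarantined.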

Once a system is compromised, Agent Tesla can perform the following actions:

  1. Keylogging: record the system's keystrokes.
  2. Capture screenshots.
  3. Capture clipboard data.
  4. Steal browser cookies and passwords.
  5. Steal the victim's identity to borrow even more money in their name, and send malicious files to people on their contact list, thus spreading this RAT (or other malware) even further.
  6. Steal data from a variety of applications, including web browsers, VPN clients, email clients, FTP clients, download managers, and so on.

Solution


  1. Keep abreast of phishing techniques so as to counter them.
  2. Do not open files or links that do not concern you, or that arrive from suspicious or unrecognized email addresses.
  3. Do not save login credentials in web browsers.
  4. Third-party downloaders/installers often bundle rogue apps, so such tools should never be used.
  5. Never use software cracking tools: software piracy is a cyber crime, and the risk of infection is extremely high.
  6. Use a reputable anti-virus/anti-spyware suite; these tools frequently detect and eliminate malware before it causes harm to the system.
