In what can only be described as a case of karmic irony, a Nigerian scammer responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years recently infected his own machine with info-stealing malware that resulted in his identity being exposed.
Researchers from Malwarebytes got on his trail when they identified a group they track as “Nigerian Tesla” among numerous threat actors targeting Ukrainian entities. Malwarebytes had tracked the group for years initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.
Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.
Malwarebytes recently identified Nigerian Tesla attempting to distribute the malware via an email with a subject header titled “Final Payment” in Ukrainian. Recipients who clicked on the link in the email were directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user’s system.
The attack chain involved the command-and-control server (C2) sending a message to Agent Tesla on infected systems, designed to confirm that the malware had been properly configured for remote communication. In examining the campaign, researchers detected an oddity — multiple messages containing the text “Test successful” coming from the attacker’s own machine. There’s only one logical conclusion: The attacker had somehow managed to self-inflict Agent Tesla malware.
A member of Malwarebytes’ threat intelligence team tells Dark Reading that the threat actor made several mistakes: “The biggest one was to infect his own computer with the Agent Tesla stealer,” he says. “By doing so, all the credentials from their machine, stored in common applications such as browsers, were collected and exfiltrated. In a sense, they became just another victim, but in this case of their own malware.”
An examination of the test emails exposed the attacker’s IP address, which then led the researchers down a path that ultimately revealed to them the attacker’s real identity, address, photos, and a copy of his Nigerian driver’s license.
A Trail of Bread Crumbs
One of the first things Malwarebytes discovered when investigating the threat actor’s IP address was that he had sent more than two dozen additional emails from the same IP address. The researchers were unable to figure how the attacker had managed to infect his own system. But the emails revealed several other services that the threat actor used as part of his attack infrastructure.
These included a service that could be used as a source for victim emails, another for extracting emails from compromised systems, file hosting and storage services, virtual private servers, and VPN and DNS services. The researchers also discovered several assumed names that the Nigerian Tesla group used in past email scams, along with numerous email accounts that were used in phishing scams and data theft campaigns.
An investigation of the emails and the personae associated with them showed that the Nigerian Tesla group had been engaged in criminal cyber activities going back to at least 2014. At that time the group was primarily engaged in 419 scams involving emails from fictitious people going by names such as Rita Bent, Lee Chen, and John Cooper. Malwarebytes found the threat making a switch to malware distribution in 2020, and identified the tools the attacker used to obfuscate their binaries and to test whether they could be detected.
During their investigation Malwarebytes researchers found a couple of photos of the individual that appeared to have started the operation, as well as the Agent Tesla-infected person’s driver’s license. Malwarebytes identified the individual only as “E.K” and as someone born in 1985.
