Interpol has announced the arrest of three Nigerian men in Lagos, who are suspected of using remote access trojans (RATs) to reroute financial transactions and steal account credentials.
The international operation, code-named “Killer Bee,” was led by Interpol with the help of law enforcement agencies of 11 Southeast Asian countries.
According to a report published today, the targets of the gang included large corporate organizations and oil & gas firms in the Middle East, North Africa, and Southeast Asia.
However, Interpol did not disclose how much money the gang was able to steal from the victimized organizations.
One of the three arrested men, Hendrix Omorume, faces a one-year imprisonment sentence for possessing fraudulent documents, obtaining money by false pretense, and engaging in impersonation.
The other two men, who are still on trial, only face the single count of possessing fraudulent documents likely used in BEC (business email compromise) attacks.
“The three men, aged between 31 and 38, were each arrested in possession of fake documents, including fraudulent invoices and forged official letters,” mentions the announcement.
Interpol says the laptops and mobile phones of the arrested individuals were examined thoroughly, and the police found signs of Agent Tesla deployment.
Agent Tesla is a RAT that has been around for several years now, serving as a powerful information-stealer and keylogger that can steal credentials stored in web browsers, email clients, FTP, and other software.
Typically, it infects targets via a malicious phishing email that carries a malicious attachment, most recently, PowerPoint documents.
In this case, it is believed that Omorume used Agent Tesla to steal account credentials in target organizations, access email communications, and perform surveillance.
This is required to lay the groundwork for a successful BEC attack, as the malicious actors know when to strike and what convincing details to present the victim with.
It is also worth noting that Agent Tesla is seeing widespread deployment at this time, with a recent ASEC’s malware detection reports putting the malware at the top of the list, above Formbook, RedLine, Lokibot, Wakbot, and AveMaria.