Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Many Roads Leading To Agent Tesla

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.

During the past months, we have found a resurgence of this malware being distributed via spam, as a payload of other threats, and as attachments to the malspams themselves. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments whereas the third one distributes Agent Tesla directly in the malspams. The Agent Tesla samples we observed send the stolen information through SMTP and FTP.

 

Figure 1
Figure 1: The process flow of spam campaigns leading to Agent Tesla malware

 

 

1st CAMPAIGN: Through a PowerPoint Slide Show (PPSX) Loader

The malspams relating to the first campaign contain a PPSX attachment that exploits an old vulnerability - CVE-2017-0199 which allows attackers to perform remote code execution using Windows Object Linking and Embedding (OLE).

 

Figure 2
Figure 2: The malspam containing a PPSX attachment with CVE-2017-0199

 

The offending object inside the attachment AS_FedEx_AWB_00117980920AS.ppsx is slide1.xml.rels. It contains a script moniker that, when triggered, executes a PowerShell command.

 

Figure 3
Figure 3: The PowerShell command at object slide1.xml.rels

 

Once the PowerPoint file is opened, it initializes the script moniker and runs the encoded PowerShell script. Decoding the PowerShell script reveals that it downloads an executable hosted at discordapp[.]com,  saves it to the %appdata% folder as NPHBEK.exe, then executes it.

The downloaded file %appdata%/NPHBEK.exe is the Agent Tesla malware. It exfiltrates data via SMTP. The data includes the username, computer name, and other system information. In addition to that, stolen data will also be included in the email such as key captures, and stolen credentials.

 

Attacker’s email address: b*****@wezbrd.xyz
Password: Ma************di
SMTP server: smtp.privateemail.com

 

Figure 5
Figure 5: The system information sent to the attacker’s email address

 

 

2nd CAMPAIGN: Downloaded via a Compiled HTML (CHM) File

A Compiled HTML (CHM) Help file contains a collection of HTML pages with an index compressed into a binary format. This file format is mainly used for documentation and help guides. On rare occasions, this file format is also used by cybercriminals to distribute malware. This second spam campaign has a CHM file contained inside an archive attachment, paving the way to the distribution of Agent Tesla.

 

Figure 6
Figure 6: The malspam containing the CHM downloader and its display when launched

 

The CHM attachment 70127_YK90054_Consulta_del_cliente.chm has one HTML object. When the CHM file is executed, the HTML object d5sd00.htm will be loaded by the Microsoft Help Viewer (hh.exe). As the HTML Help window shown in Fig. 6 is displayed, the malicious behavior of the CHM attachment starts to manifest in the background.

 

Figure 7
Figure 7: The PowerShell command triggered when CHM is executed

 

The HTML d5sd00.htm contains a Javascript code that will deobfuscate then launch the PowerShell code also enclosed in the HTML file. The PowerShell then retrieves and processes the obfuscated data at hxxp://egen[.]com[.]tr/7F[.]jpg which is again PowerShell code.

 

Figure 8
Figure 8: The data obtained from the URL shown in Fig. 8 and its deobfuscated code

 

The second PowerShell code contains 2 binaries – the first is the waves.dll file which is obfuscated and the second is the GZip archive containing the Agent Tesla executable. When this second-stage PowerShell runs, the binary waves.dll will inject the Agent Tesla malware into MSBuild.exe.

In this Agent Tesla sample, the exfiltrated data will be delivered via FTP.

 

Figure 9
Figure 9: The decrypted Agent Tesla config on the MSBuild.exe memory dump

 

 

3rd CAMPAIGN: The “AstraZeneca” Agent Tesla

In the early days of the Coronavirus pandemic, we observed one of the malwares commonly distributed via this theme was Agent Tesla. Recently, we have seen another spam campaign taking advantage of the pandemic.

 

Figure 10
Figure 10: The malspam containing Agent Tesla and the file property of the executable attachment

 

Attached to the emails is a RAR or ZIP archive file containing an executable file. The executables we gathered from the malspams are .Net compiled around 700-900KB in size. Statically examining the executables, we noticed the file properties were associated with the company AstraZeneca, one of the Coronavirus vaccine makers.

Using the tool DNSpy, we observed that the .Net files shown in Fig. 11 were compiled on the same day the malspams were distributed. As the executables have encrypted data in the next section, we used the tool MegaDumper to extract the objects wrapped in them. The extracted objects are .Net Agent Tesla malware of which some were compiled a month earlier.

 

Figure 12
Figure 12: The executable in Fig. 10 viewed in DNSpy
 
Figure 13
Figure 13: The objects dumped, using the MegaDumper tool, from the executable shown in Fig.10

 

Just like in the first campaign, the data stolen from the infected system will be exfiltrated via SMTP.

 

Figure 14
Figure 14: The code snippet of the SMTP process performed by Agent Tesla NQAkXoqEDGGPBNdSxedbVXswADUBFbJCdBUnmtC.exe shown in Fig. 13

 

IOC

Attachments:

AS_FedEx_AWB_00117980920AS.ppsx (31586 bytes)
SHA1: 02DA2F8F23D468EF2DB4919566A0B43BDABCD656

70127_YK90054_Consulta_del_cliente.chm (12117 bytes)
SHA1: 7CD8B837D6222CCD48F69211D9FB466A8A90A6EC

Download URLs:

hxxp://egen[.]com[.]tr/7F[.]jpg (879190 bytes)
SHA1: 3605BA5E2ED894A89AA64740774FBA6A822E978F

hxxps://cdn[.]discordapp[.]com/attachments/775445531627356172/793434227491733544/v4[.]exe (1969440 bytes)
SHA1: CD9A58B7B81D9469D495CB4600A55F9E3BAAC33D

Agent Tesla:

Quotation Query for supply of selected list items. Ukraine chamber of commerce.exe (818688 bytes)
SHA1: C30DCD540F949691F17B302BFDD862D86A1D93E5

Application letter.exe (832512 bytes)
Curriculum vitae.exe (832512 bytes)
SHA1: BCB01820699431CF926E297E1C6966527CFE6F32

RFQ.01.11.021.exe (830464 bytes)
SHA1: D4CB60FE478B83DA7D483813DD43B32CCA1812C6

Paymentcopy001#psf.exe (742912 byte)
SHA1: C46AB15FAB1E57C251CFB979454693601CBE035C

 

Latest SpiderLabs Blogs

Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense

On March 4, 2024, the Telegram channel of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) was updated with assertions that they executed a successful cyberattack...

Read More

Cost Management Tips for Cyber Admins

As anyone who has filled out an expense report can tell you, cost management is everyone's responsibility. Organizations must apply a careful balance of budget planning and expenditures that are in...

Read More

Resurgence of BlackCat Ransomware

Updated March 8: Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after...

Read More