Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.
During the past months, we have found a resurgence of this malware being distributed via spam, as a payload of other threats, and as attachments to the malspams themselves. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments whereas the third one distributes Agent Tesla directly in the malspams. The Agent Tesla samples we observed send the stolen information through SMTP and FTP.
1st CAMPAIGN: Through a PowerPoint Slide Show (PPSX) Loader
The malspams relating to the first campaign contain a PPSX attachment that exploits an old vulnerability - CVE-2017-0199 which allows attackers to perform remote code execution using Windows Object Linking and Embedding (OLE).
The offending object inside the attachment AS_FedEx_AWB_00117980920AS.ppsx is slide1.xml.rels. It contains a script moniker that, when triggered, executes a PowerShell command.
Once the PowerPoint file is opened, it initializes the script moniker and runs the encoded PowerShell script. Decoding the PowerShell script reveals that it downloads an executable hosted at discordapp[.]com, saves it to the %appdata% folder as NPHBEK.exe, then executes it.
The downloaded file %appdata%/NPHBEK.exe is the Agent Tesla malware. It exfiltrates data via SMTP. The data includes the username, computer name, and other system information. In addition to that, stolen data will also be included in the email such as key captures, and stolen credentials.
Attacker’s email address: email@example.com
SMTP server: smtp.privateemail.com
2nd CAMPAIGN: Downloaded via a Compiled HTML (CHM) File
A Compiled HTML (CHM) Help file contains a collection of HTML pages with an index compressed into a binary format. This file format is mainly used for documentation and help guides. On rare occasions, this file format is also used by cybercriminals to distribute malware. This second spam campaign has a CHM file contained inside an archive attachment, paving the way to the distribution of Agent Tesla.
The CHM attachment 70127_YK90054_Consulta_del_cliente.chm has one HTML object. When the CHM file is executed, the HTML object d5sd00.htm will be loaded by the Microsoft Help Viewer (hh.exe). As the HTML Help window shown in Fig. 6 is displayed, the malicious behavior of the CHM attachment starts to manifest in the background.
The second PowerShell code contains 2 binaries – the first is the waves.dll file which is obfuscated and the second is the GZip archive containing the Agent Tesla executable. When this second-stage PowerShell runs, the binary waves.dll will inject the Agent Tesla malware into MSBuild.exe.
In this Agent Tesla sample, the exfiltrated data will be delivered via FTP.
3rd CAMPAIGN: The “AstraZeneca” Agent Tesla
In the early days of the Coronavirus pandemic, we observed one of the malwares commonly distributed via this theme was Agent Tesla. Recently, we have seen another spam campaign taking advantage of the pandemic.
Attached to the emails is a RAR or ZIP archive file containing an executable file. The executables we gathered from the malspams are .Net compiled around 700-900KB in size. Statically examining the executables, we noticed the file properties were associated with the company AstraZeneca, one of the Coronavirus vaccine makers.
Using the tool DNSpy, we observed that the .Net files shown in Fig. 11 were compiled on the same day the malspams were distributed. As the executables have encrypted data in the next section, we used the tool MegaDumper to extract the objects wrapped in them. The extracted objects are .Net Agent Tesla malware of which some were compiled a month earlier.
Just like in the first campaign, the data stolen from the infected system will be exfiltrated via SMTP.
AS_FedEx_AWB_00117980920AS.ppsx (31586 bytes)
70127_YK90054_Consulta_del_cliente.chm (12117 bytes)
hxxp://egen[.]com[.]tr/7F[.]jpg (879190 bytes)
hxxps://cdn[.]discordapp[.]com/attachments/775445531627356172/793434227491733544/v4[.]exe (1969440 bytes)
Quotation Query for supply of selected list items. Ukraine chamber of commerce.exe (818688 bytes)
Application letter.exe (832512 bytes)
Curriculum vitae.exe (832512 bytes)
RFQ.01.11.021.exe (830464 bytes)
Paymentcopy001#psf.exe (742912 byte)