X-Industry

Since the beginning of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures, because they make money.  The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.  Researchers recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.  The e-mail contained a PowerPoint attachment that is in reality a sophisticated, multi-stage effort to deploy the Agent Tesla RAT (Remote Access Trojan).[1]  What makes this campaign unique is the usage of PPAM, which is a file format that is not very common.  A PPAM is a Microsoft PowerPoint add-in that gives developers extra functionality, such as extra commands, custom macros, and new tools.  

Examining the phishing e-mail - Like so many computer-based attacks, this one began as a phishing e-mail sent to an organization in Ukraine.

Spelling and grammar issues aside, like most good phishing campaigns this one provides a time sensitive statement urging the recipient to urgently review the attached order.

Looking deeper at the e-mail and where it came from, we can see some additional information in the headers.

Figure 3. Parked page.

The e-mail originated at an address of 194[.]99[.]46[.]38 that corresponds to slot0.warongsoto.com.  This is hosted on a run-of-the-mill VPS server.  Visiting the server, we noticed that the site states that the server control panel is controlled by VESTA.  Recent CVE data highlights that Vesta Control Panel is affected by remote command execution and elevation of privilege vulnerabilities that ultimately allow for full compromise of the system (CVE-2020-10786 and CVE-2020-10787).

The domain itself appears to be either abandoned or at least unused with no active content hosted. It was registered in the United States in October 2021.  The originating e-mail address does not appear to reference an actual individual and a search for other instances of this being used elsewhere came up empty.

Examining the dropper – stage 1

Phase 1 - Dropping the final payload occurs in multiple phases, making this, in actuality, a very complex operation.  As shown in Figure 1, attached to the e-mail is the file “order001.ppam”.  This is an add-in file format used by Microsoft PowerPoint that, in this case, contains a malicious macro that acts as a dropper for Agent Tesla.  The first phase of stage 1 begins with opening the PPAM attachment to activate the macro contained within.

Figure 4. Visual Basic macro contained within “order001.ppam”

Once the macro is executed, it will reach out to the URL shortener Bit.ly to download the next phase of the dropper. The address used is: hXXp://www[.]bitly[.]com/awnycnxbcxncbrpopor/

Phase 2 - The call out to Bitly will be redirected to a location on MediaFire – a file hosting site (hXXp://download2261[.]mediafire[.]com/6lcqxbws032g/wctsdmx4dsh95xs/19.htm). As possibly inferred, this was a campaign and not simply directed at one recipient. There were multiple files made available over several days, as shown below in Figure 5.

Figure 5. MediaFire repository showing multiple other files from this campaign.

Each of the files is very similar (with minor tweaks) to the download location of the next step.  Figure 6, below, shows 19.htm as it appears if downloaded directly. 

Figure 6. HTM file as it appears when downloaded

If we arrange the file into a more readable format, we get a better sense of what it is trying to do.

Figure 7. Key part of the HTM file

As seen in Figure 7., the file attempts to taskkill several applications and services followed by adding a scheduled task into the Windows Task scheduler.  The script then attempts to download and execute another file from MediaFire - hXXp://www[.]mediafire[.]com/file/otza6n31talvvle/19.dll.

Phase 3 - While the file extension gives the impression of a Microsoft dynamic link library (.dll), 19.dll is in actuality a PowerShell script containing instructions in a large amount of hexadecimal data.

Figure 8. HTM file as it appears when downloaded

Once executed, the hexadecimal data will be transformed into additional PowerShell commands that will run in memory.  For example, new registry keys will be added to assist with persistence.

Figure 9. Added entries to the Windows Registry

If captured and reviewed, the entries that stand out the most are two large, compressed byte arrays — $nona and $STRDYFUGIHUYTYRTESRDYUGIRI.

Figure 10. Large byte arrays

As can be seen in Figure 10, the byte arrays are then decompressed for use. Once decompressed, these can be saved as executable Windows files.  $nona is the larger of the two and is Agent Tesla.  $STRDYFUGIHUYTYRTESRDYUGIRI will inject Agent Tesla into a running Windows process. 

Renaming 19.dll to 19.ps1 allows it to be executed as a normal PowerShell script.  With this sample, it will attempt to launch and then inject Agent Tesla into the aspnet_compiler.exe application.

Figure 11. On the left, the PowerShell script can be seen to be launching aspnet_compiler.exe

Examining the malware – stage 2 - At its core, Agent Tesla is a keylogger and RAT (Remote Access Trojan).  It will take any results captured from the keyboard and clipboard and send them back to its C2 (Command and Control) server.  

In this instance, once injected into the aspnet­_compiler.exe process Agent Tesla will be up and running.  With entries in the registry, it will have persistence to run even if the host machine is rebooted.

Figure 12. Agent Tesla running inside a debugger

From this point, it will run in the background and observe the user, recording their actions and sending them back to the threat actor.

Figure 13. Typical connection cycle to Agent Tesla’s C2

Conclusion:  Threat actors for the most part like to use lures that are tried and true, as was the case here with the invoicing phishing e-mail, because they continue to enjoy success.  The dropper attached to the phishing e-mail shows the continuing evolution and complexity required to evade modern security controls combined with the need to traverse several gates to arrive at the release point for the final payload.   Once finally deployed to a system, the ability to obfuscate and hide inside everyday files and processes proves that Agent Tesla is a very capable and formidable threat. Unfortunately, this trend towards increasing sophistication is unlikely to abate any time soon.

IOCs:  Sample SHA-256:

Network IOCs:

Mitre TTPs

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com    

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla/