{"id":89020,"date":"2022-02-27T15:46:09","date_gmt":"2022-02-27T10:16:09","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=89020"},"modified":"2023-06-16T17:11:02","modified_gmt":"2023-06-16T11:41:02","slug":"coronavirus-themed-campaign-delivers-agent-tesla-malware-2","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/coronavirus-themed-campaign-delivers-agent-tesla-malware-2\/","title":{"rendered":"Coronavirus-themed Campaign delivers Agent Tesla Malware"},"content":{"rendered":"<p><strong><b>Summary: <\/b><\/strong>While the whole world fights the COVID-19 pandemic, cybercriminals are busy exploiting the situation and attacking vulnerable users &amp; businesses. In the last few weeks there has been a rise in <a href=\"https:\/\/blogs.quickheal.com\/coronavirus-themed-campaign-delivers-agent-tesla-malware\/\">coronavirus<\/a>-themed spam mail, which is being used to deliver a variety of malware. At <a href=\"https:\/\/www.quickheal.co.in\/\">Quick Heal<\/a> Security Labs we have observed Agent Tesla being delivered through such campaigns. The main motive of these campaigns is to steal sensitive data by capturing keystrokes, taking screenshots, dumping browser passwords and the like.<\/p>\n<p><strong><b>Campaign Details: <\/b><\/strong>We have observed a variety of coronavirus-themed Agent Tesla campaigns. 
They fall into three categories:<\/p>\n<ul>\n<li>Exploiting the MS Office Equation Editor vulnerability CVE-2017-11882<\/li>\n<li>Exploiting the MS Office vulnerability CVE-2017-8570<\/li>\n<li>Archives (ZIP, RAR, etc.) carrying an executable with a double extension<\/li>\n<\/ul>\n<h2><strong><b>Variant 1 &#8211; Technical Details<\/b><\/strong><\/h2>\n<p>A victim receives a <a href=\"https:\/\/blogs.quickheal.com\/can-you-spot-a-phishing-email-take-this-test-and-find-out\/\">phishing mail<\/a> with an attachment titled <strong><em><b><i>&#8220;COVID 19 NEW ORDER FACE MASKS.doc.rtf&#8221;<\/i><\/b><\/em><\/strong>. Despite the .doc in its name, this is an RTF file that exploits CVE-2017-11882, a stack-based buffer overflow in the Microsoft Equation Editor component of Office. Successful exploitation gives the attacker arbitrary code execution, and the exploit's shellcode is used to deliver the Agent Tesla payload. The dropped payload performs <a href=\"https:\/\/blogs.quickheal.com\/aes-ni-ransomware-adopts-combination-fileless-code-injection-technique\/\">code injection<\/a> into the known Windows process RegAsm.exe (the .NET assembly registration tool). 
The injected code running inside RegAsm.exe performs all of the information stealing and sends the results to the C&amp;C server.<\/p>\n<div id='gallery-1' class='gallery galleryid-89020 gallery-columns-1 gallery-size-full'><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1065\" height=\"432\" src=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain.png\" class=\"attachment-full size-full\" alt=\"Fig. 1 Attack Chain\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain.png 1065w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain-300x122.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain-768x312.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain-650x264.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.1-Attack-Chain-789x320.png 789w\" sizes=\"(max-width: 1065px) 100vw, 1065px\" \/>\n\t\t\t<\/div><\/figure>\n\t\t<\/div>\n\n<p>The RTF file is heavily obfuscated: the object data is padded with whitespace and invalid control words, which RTF readers silently ignore. 
After removing this obfuscation, the shellcode embedded in the file and the API calls it resolves become visible, as shown below.<\/p>\n<div id='gallery-2' class='gallery galleryid-89020 gallery-columns-1 gallery-size-full'><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"539\" height=\"361\" src=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.2-Shellcode-in-RTF-file.png\" class=\"attachment-full size-full\" alt=\"Fig. 2 Shellcode in RTF file\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.2-Shellcode-in-RTF-file.png 539w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.2-Shellcode-in-RTF-file-300x201.png 300w\" sizes=\"(max-width: 539px) 100vw, 539px\" \/>\n\t\t\t<\/div><\/figure>\n\t\t<\/div>\n\n<div id='gallery-3' class='gallery galleryid-89020 gallery-columns-1 gallery-size-large'><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/www.quickheal.com\/blogs\/coronavirus-themed-campaign-delivers-agent-tesla-malware-2\/fig-3-shellcode-in-rtf-file\/'><img loading=\"lazy\" decoding=\"async\" width=\"452\" height=\"390\" src=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.3-Shellcode-in-RTF-file--452x390.png\" class=\"attachment-large size-large\" alt=\"Fig. 3 Shellcode in RTF file\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.3-Shellcode-in-RTF-file--452x390.png 452w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.3-Shellcode-in-RTF-file--300x259.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.3-Shellcode-in-RTF-file-.png 537w\" sizes=\"(max-width: 452px) 100vw, 452px\" \/><\/a>\n\t\t\t<\/div><\/figure>\n\t\t<\/div>\n\n<p><b>Payload Analysis:<\/b> The .NET payload is downloaded by the CVE-2017-11882 exploit shellcode. When execution begins, it decrypts its resource section, where the malicious code is stored. 
It then injects that code into the genuine Microsoft binary RegAsm.exe (process injection) to evade security products. The purpose of this payload is to steal sensitive data, log keystrokes and send the data to an SMTP server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-89102\" src=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4-650x292.png\" alt=\"Fig. 4 Attack Chain\" width=\"650\" height=\"292\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4-650x292.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4-300x135.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4-768x345.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4-789x354.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Fig.4-Attack-Chain-1-4.png 1477w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p>\n<h2><strong><b>Variant 2 &#8211; Technical Details<\/b><\/strong><\/h2>\n<p>A victim receives a phishing mail with an attachment titled <b><i>&#8220;COVID-19 SUSPECTED AFFECTED VESSEL.doc&#8221;<\/i><\/b> or <b><i>&#8220;COVID-19 measures for FAIRCHEM STEED, Voyage (219152).doc&#8221;<\/i><\/b>. This doc is an RTF file containing an OLE2Link object that exploits CVE-2017-8570, a logic flaw in Office's handling of composite monikers that lets an embedded scriptlet run with no user interaction beyond opening the document. After successful exploitation, the winword.exe process drops the embedded .sct file and executes it. 
The .sct file contains the code shown below, which launches PowerShell.exe to download and execute the payload from a remote server.<\/p>\n<p>Fig. 4 Attack Chain<\/p>\n<p>The moniker object (CLSID bytes C6AFABEC197FD211978E0000F8757E2A, i.e. {ECABAFC6-7F19-11D2-978E-0000F8757E2A} in registry form) is present in the RTF file to get the .sct file executed on the victim's machine. Because of the improper handling of these objects in memory, the Office application drops the scriptlet file (.sct) and executes it, which runs the malicious code the .sct file contains.<\/p>\n<p>Fig. 5 Moniker CLSID and dropped location of .sct file<\/p>\n<p>The following figure shows the .sct file; it contains obfuscated PowerShell code.<\/p>\n<p>Fig. 6 Obfuscated .sct file<\/p>\n<p><b>Payload Analysis:<\/b> The .NET payload is downloaded by the CVE-2017-8570 exploit above. When execution starts it checks whether another instance of itself is already running; if one is found it throws an exception and terminates. Otherwise it decrypts the resource section, where the malicious DLL is stored, and injects that DLL into a fresh instance of its own executable (self-injection). When the new instance starts, it drops a shortcut (.lnk) file in the Startup folder to establish persistence and sets the hidden attribute on its own file. 
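<\/p>
<p>The RTF lures of Variant 1 and Variant 2 can be triaged offline with the Python below. It is an added example and is not code from this post or from Quick Heal: it cuts each objdata group out of the RTF text, strips the whitespace and bogus control words that obfuscate the hex (the trick described under Variant 1), decodes the embedded OLE 1.0 object and searches it for the indicators that identify the two exploits: the Equation Editor class name and CLSID {0002CE02-0000-0000-C000-000000000046} for CVE-2017-11882, and the OLE2Link class name plus the moniker CLSID bytes C6AFABEC197FD211978E0000F8757E2A quoted under Variant 2 for CVE-2017-8570. The sample RTF it runs on is constructed inline (its native data is only an OLECF magic followed by the CLSID, not a real compound file); the finding labels and the byte-search approach are assumptions of this example, not taken from the post.<\/p>

```python
import re
import struct
from typing import List

# CLSIDs as the 16 bytes they occupy on disk (Data1..Data3 little-endian).
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")   # {0002CE02-0000-0000-C000-000000000046}, Equation Editor 3.0
MONIKER_CLSID = bytes.fromhex("C6AFABEC197FD211978E0000F8757E2A")  # {ECABAFC6-7F19-11D2-978E-0000F8757E2A}, CLSID bytes quoted in the post

# Indicators searched for in each decoded object; the labels are this example's own wording.
SIGNATURES = [
    (b"Equation.3", "Equation.3 class name: Equation Editor object (CVE-2017-11882 lure candidate)"),
    (EQNEDT_CLSID, "Equation Editor CLSID (CVE-2017-11882 lure candidate)"),
    (b"OLE2Link", "OLE2Link class name: linked object (CVE-2017-8570 lure candidate)"),
    (MONIKER_CLSID, "moniker CLSID C6AFABEC197FD211978E0000F8757E2A (CVE-2017-8570 lure candidate)"),
]

OBJDATA_RE = re.compile(r"\\objdata\b")
# Control words (\word, \word12, \word-3), the \* marker and control symbols such as \{ ;
# RTF readers ignore unknown control words, which is what the obfuscation relies on.
CONTROL_RE = re.compile(r"\\\*|\\[A-Za-z]+-?\d* ?|\\[^A-Za-z]")


def guid_from_le(b: bytes) -> str:
    """Render 16 on-disk CLSID bytes in registry form."""
    d1 = int.from_bytes(b[0:4], "little")
    d2 = int.from_bytes(b[4:6], "little")
    d3 = int.from_bytes(b[6:8], "little")
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{b[8:10].hex().upper()}-{b[10:16].hex().upper()}"


def extract_objdata_groups(rtf: str) -> List[str]:
    """Return the text inside every \\objdata group, balancing braces and skipping escaped ones."""
    groups = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            ch = rtf[i]
            if ch == "\\":              # a control word or symbol follows; it cannot be a structural brace
                i += 2
                continue
            depth += {"{": 1, "}": -1}.get(ch, 0)
            i += 1
        groups.append(rtf[m.end():i - 1 if depth == 0 else i])
    return groups


def decode_objdata(group: str) -> bytes:
    """Drop control words and everything that is not a hex digit, then decode."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", CONTROL_RE.sub("", group))
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]      # tolerate a dangling nibble instead of losing the whole object
    return bytes.fromhex(hexdigits)


def triage_rtf(rtf: str) -> List[str]:
    """Decode every embedded object in the RTF text and list the lure indicators it contains."""
    findings = []
    for n, group in enumerate(extract_objdata_groups(rtf)):
        blob = decode_objdata(group)
        for needle, label in SIGNATURES:
            if needle in blob:
                findings.append(f"objdata[{n}] ({len(blob)} bytes): {label}")
    return findings


# ---- constructed sample input; not taken from the campaign ---------------------------------
def ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object record, the layout the \\objdata hex decodes to."""
    name = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)           # OLEVersion, FormatID 2 = embedded object
            + struct.pack("<I", len(name)) + name       # ClassName (ANSI, NUL-terminated)
            + struct.pack("<II", 0, 0)                  # TopicName / ItemName lengths (absent)
            + struct.pack("<I", len(native)) + native)  # NativeDataSize + NativeData


def obfuscate_hex(hexstr: str) -> str:
    """Sprinkle newlines, tabs and a bogus control word into the hex, as the lure RTFs do."""
    chunks = [hexstr[i:i + 7] for i in range(0, len(hexstr), 7)]
    return "\n\t\\bogus42 ".join(chunks)


# Stand-in native data: OLECF magic followed by the CLSID; a real object carries a whole compound file.
EQ_OBJ = ole1_object(b"Equation.3", b"\xd0\xcf\x11\xe0" + EQNEDT_CLSID + bytes(16))
LINK_OBJ = ole1_object(b"OLE2Link", b"\xd0\xcf\x11\xe0" + MONIKER_CLSID + bytes(16))
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + obfuscate_hex(EQ_OBJ.hex()) + "}}"
    + r"{\object\objautlink{\*\objdata " + obfuscate_hex(LINK_OBJ.hex()) + "}}}"
)

if __name__ == "__main__":
    for line in triage_rtf(SAMPLE_RTF):
        print(line)
```

<p>To run it against a real sample, read the file as text with the latin-1 codec (so stray bytes cannot fail the decode) and pass the string to <code>triage_rtf<\/code>. The byte search is deliberately structure-agnostic: it does not parse the compound file inside the object, so it still fires when that OLECF is truncated or malformed, and a hit on either indicator in a document that arrived by mail is reason enough to quarantine it for deeper analysis.<\/p>
<p>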
The purpose of this payload is to steal sensitive data, log keystrokes and send the data to an SMTP server.<\/p>\n<h2><strong><b>Variant 3 &#8211; Technical Details<\/b><\/strong><\/h2>\n<p>A victim receives a phishing mail carrying an archive attachment (ZIP, RAR, etc.) with a name such as <b><i>&#8220;COVID-19 Supplier Notice.zip&#8221;<\/i><\/b>. The archive extracts to an AutoIt-compiled build of Agent Tesla with a double-extension name such as <b><i>&#8220;COVID-19 Supplier Notice.jpg.exe&#8221;<\/i><\/b>, which passes for an image when Windows hides known file extensions. When this payload starts, it injects code into the known Windows process RegAsm.exe, and once the injection succeeds the info-stealing activity begins.<\/p>\n<p>Fig. 7 Attack Chain<\/p>\n<p><b>Payload Analysis:<\/b> When execution starts, the payload creates a .URL file in the Startup folder that points to a .VBS file dropped in a folder named 'srdelayed'. It also copies itself into this 'srdelayed' folder, which it creates in the same location the file was executed from. It then decrypts its resource section, where the actual malicious code is stored. Here the AutoIt resource holds .NET code, which is injected via process injection into the genuine Microsoft .NET binary RegAsm.exe. The purpose of this payload is to steal sensitive data, log keystrokes and exfiltrate the data over SMTP.<\/p>\n<p><b>Final Stage Payload Analysis:<\/b> Below is the analysis of the first variant's final stage, which is very similar 
to the other two variants.<\/p>\n<p>The malicious code is stored in the resource section of the binary.<\/p>\n<p>Fig. 8 Resource Section<\/p>\n<p>After the resource data is decrypted in memory, a DLL is loaded from it; this DLL in turn decrypts the final malicious code in memory and injects it either into the process itself or into a RegAsm.exe process.<\/p>\n<p>Fig. 9 Decryption of .NET code<\/p>\n<p>Once the decrypted code is running, it collects system information such as Username, Computername, OSFullName and other basic details, and begins stealing data from browsers. It carries a hardcoded list of up to 25 browsers together with their profile paths; a few of them are shown below.<\/p>\n<p>Fig. 10 Browser Lists<\/p>\n<p>It also carries a list of email clients and their data paths, from which it steals email data and sends it to its C&amp;C server.<\/p>\n<p>The payload can capture screenshots of the current window in JPG format at a fixed interval. Each captured image, like the one seen below, is sent to the mail server through an SMTP client the payload creates.<\/p>\n<p>Fig. 11 SMTP client details<\/p>\n<p>The image is sent to one hardcoded email address, <b><i>'amani@planetships.net'<\/i><\/b>, with the subject SC_&lt;username&gt; and a message body containing information about the victim's system; the captured image is attached.<\/p>\n<p>Copying data from the clipboard is another function of this payload: it stores all the copied 
data in an array.<\/p>\n<p>Fig. 12 Getting a copy of the clipboard data<\/p>\n<p>The payload also keylogs: it first determines the keyboard layout and then captures all keyboard events.<\/p>\n<p>Fig. 13 Getting the details of the keyboard keys<\/p>\n<h2><strong><b>Protection by Quick Heal<\/b><\/strong><\/h2>\n<p>Our advanced signature-less behavior-based detection successfully blocks all known Agent Tesla variants.<\/p>\n<div id='gallery-4' class='gallery galleryid-89020 gallery-columns-1 gallery-size-full'><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/www.quickheal.com\/blogs\/coronavirus-themed-campaign-delivers-agent-tesla-malware-2\/final-8\/'><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"337\" src=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2020\/04\/Final.gif\" class=\"attachment-full size-full\" alt=\"Quick Heal detection of the Agent Tesla payload\" \/><\/a>\n\t\t\t<\/div><\/figure>\n\t\t<\/div>\n\n<h2><strong><b>Conclusion<\/b><\/strong><\/h2>\n<p>Actors behind these campaigns are capitalizing on the global coronavirus panic to distribute Agent Tesla malware and steal sensitive user information. Quick Heal advises users to exercise caution and avoid opening attachments or clicking web links in unsolicited emails. 
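<\/p>
<p>The SMTP exfiltration described in the final-stage analysis has a recognisable shape on the wire: a subject of SC_&lt;username&gt;, a body listing Username, Computername and OSFullName, and a JPG screenshot attached. The Python below is an added example, not code from this post or from Quick Heal, that scores an outbound message on exactly those features so the same logic could run at a mail gateway or over captured SMTP traffic. Both messages it runs on are constructed stand-ins; the recipient addresses, the feature weights, the score threshold and the label-matching on the body are assumptions of this example.<\/p>

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Dict, Iterable

# System-information labels the final-stage payload puts in the message body (from the analysis above).
SYSINFO_FIELDS = ("Username", "Computername", "OSFullName")

# Feature weights and threshold are assumptions of this example, not values from the post.
WEIGHTS = {"subject_prefix": 3, "image_attachment": 2, "watched_recipient": 3}
THRESHOLD = 5


def assess_message(raw: bytes, subject_prefixes: Iterable[str] = ("SC_",),
                   watch_recipients: Iterable[str] = ()) -> Dict[str, object]:
    """Score one outbound message for the Agent Tesla screenshot-report pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    # Only non-empty headers go to getaddresses(): strict parsing rejects empty field values.
    header_values = [str(v) for h in ("To", "Cc", "Bcc") if (v := msg.get(h))]
    recipients = {addr.lower() for _, addr in getaddresses(header_values)}
    image_names = [p.get_filename() for p in msg.iter_attachments()
                   if p.get_content_maintype() == "image"]
    # Count "Label:" occurrences; capped at 3 below so the body alone cannot cross the threshold.
    fields = sum(1 for f in SYSINFO_FIELDS if f"{f}:" in body)

    result: Dict[str, object] = {
        "subject_prefix": any(subject.startswith(p) for p in subject_prefixes),
        "image_attachment": bool(image_names),
        "sysinfo_fields": fields,
        "watched_recipient": any(r.lower() in recipients for r in watch_recipients),
    }
    score = sum(w for k, w in WEIGHTS.items() if result[k]) + min(fields, 3)
    result["score"] = score
    result["verdict"] = "agent-tesla-like exfiltration" if score >= THRESHOLD else "no match"
    return result


# ---- constructed sample messages; neither is a real capture --------------------------------
def constructed_stealer_mail() -> bytes:
    """Message in the shape of the SC_<username> report the payload sends."""
    m = EmailMessage()
    m["From"] = "ws-0042@corp.example"
    m["To"] = "collector@mail.example"   # stand-in for the attacker's hardcoded mailbox
    m["Subject"] = "SC_alice"
    m.set_content("Time: 2020-04-14 10:12:33\nUsername: alice\nComputername: WS-0042\n"
                  "OSFullName: Microsoft Windows 10 Pro\n")
    # JPEG SOI/EOI markers around zero bytes stand in for the screenshot.
    m.add_attachment(b"\xff\xd8\xff\xe0" + bytes(32) + b"\xff\xd9",
                     maintype="image", subtype="jpeg", filename="alice.jpg")
    return bytes(m)


def constructed_benign_mail() -> bytes:
    """Ordinary business mail with a document attached, for the negative case."""
    m = EmailMessage()
    m["From"] = "alice@corp.example"
    m["To"] = "Bob <bob@partner.example>"
    m["Subject"] = "Re: COVID-19 supplier notice"
    m.set_content("Hi Bob, the signed notice is attached.\n")
    m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                     filename="notice.pdf")
    return bytes(m)


if __name__ == "__main__":
    for raw in (constructed_stealer_mail(), constructed_benign_mail()):
        print(assess_message(raw, watch_recipients=("collector@mail.example",)))
```

<p>The recipient watchlist is where the hardcoded mailbox from the IOCs belongs. It is weighted the same as the subject prefix, and both stay below the threshold on their own, so no single feature convicts a message: a legitimate mail whose subject happens to begin with SC_ scores 3 and is left alone, while the stealer report, which carries the prefix, the screenshot and the system-information lines together, scores well above it.<\/p>
<p>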
Users should also keep their operating system updated and have a full-fledged security solution installed on all devices.<\/p>\n<p>Quick Heal's research team is proactively monitoring all campaigns related to COVID-19 and working relentlessly to ensure the safety of our customers.<\/p>\n<h2><strong><b>MITRE ATT&amp;CK Tactics and Techniques<\/b><\/strong><\/h2>\n<table>\n<tbody>\n<tr>\n<td><b>Tactic<\/b><\/td>\n<td><b>Technique<\/b><\/td>\n<\/tr>\n<tr>\n<td>Initial Access<\/td>\n<td>Spearphishing Attachment<\/td>\n<\/tr>\n<tr>\n<td>Initial Access<\/td>\n<td>Spearphishing Link<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Execution through API<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Exploitation for Client Execution<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>PowerShell<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Scripting<\/td>\n<\/tr>\n<tr>\n<td>Persistence<\/td>\n<td>Registry Run Keys \/ Startup Folder<\/td>\n<\/tr>\n<tr>\n<td>Defence Evasion<\/td>\n<td>Obfuscated Files or Information<\/td>\n<\/tr>\n<tr>\n<td>Defence Evasion<\/td>\n<td>Process Hollowing<\/td>\n<\/tr>\n<tr>\n<td>Defence Evasion<\/td>\n<td>Scripting<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td>Credential Dumping<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td>Credentials in Files<\/td>\n<\/tr>\n<tr>\n<td>Discovery<\/td>\n<td>Query Registry<\/td>\n<\/tr>\n<tr>\n<td>Discovery<\/td>\n<td>System Information Discovery<\/td>\n<\/tr>\n<tr>\n<td>Collection<\/td>\n<td>Clipboard Data<\/td>\n<\/tr>\n<tr>\n<td>Collection<\/td>\n<td>Input Capture<\/td>\n<\/tr>\n<tr>\n<td>Collection<\/td>\n<td>Screen Capture<\/td>\n<\/tr>\n<tr>\n<td>Command And Control<\/td>\n<td>Remote File Copy<\/td>\n<\/tr>\n<tr>\n<td>Command And Control<\/td>\n<td>Standard Application Layer Protocol<\/td>\n<\/tr>\n<tr>\n<td>Exfiltration<\/td>\n<td>Exfiltration Over Alternative 
Protocol<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><b>IOCs:<\/b><\/p>\n<p>527142E25A8229D1DC910AF23CDB5256 (DOC)<\/p>\n<p>C1B04A9474CA64466AD4327546C20EFC (DOC)<\/p>\n<p>F1E95D1E23A582E4EF8B19E55E21D40E\u00a0(PE)<\/p>\n<p>6D5ED323EF55F7BD34BC193DDC8AFE74 (PE)<\/p>\n<p>C3166A86DBF5B6A95FC723EF639DAD45 (PE)<\/p>\n<p>5[.]189[.]132[.]254<\/p>\n<p>107[.]189[.]7[.]179<\/p>\n<p>&nbsp;<\/p>\n<p><b>Subject Matter Expert:<\/b><\/p>\n<ul>\n<li>Aniruddha Dolas<\/li>\n<li>Pavankumar Chaudhari<\/li>\n<li>Bajrang Mane<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Summary: While the whole world fights against the COVID-19 pandemic, cybercriminals are busy exploiting the situation and attacking vulnerable users &amp; businesses. In the last few weeks, there has been a rise in coronavirus-themed mail spams, which are being used to deliver a variety of malware. At Quick Heal Security Labs, we have observed [&hellip;]<\/p>\n","protected":false},"author":38,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1725,24,293,1395],"tags":[1733,1721,534],"class_list":["post-89020","post","type-post","status-publish","format-standard","hentry","category-coronavirus","category-malware","category-spam","category-vulnerability","tag-agenttesla","tag-coronavirus","tag-cybersecurity"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89020"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89020"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/
v2\/posts\/89020\/revisions"}],"predecessor-version":[{"id":91572,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89020\/revisions\/91572"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}