Agent Tesla is a .NET-based trojan and credential stealer first seen in 2014. The family gained huge momentum during the 2020 pandemic. The software is sold for a few tens of dollars, with support from the authors:
Most of the time, the attack vector is a targeted malicious email, in many cases sent from a compromised account. The email contains either an attachment or a link that downloads the malware onto the victim's computer. Office documents have been widely used, in some cases leveraging vulnerabilities such as CVE-2017-11882 and CVE-2017-8570.
Agent Tesla has evolved over the years into a full-fledged credential stealer. It continues to be widely used and remains a primary concern for any business.
This is an analysis of a malware sample collected by the Gatewatcher Threat Intelligence team (LastInfoSec) on Wednesday 12/01/2022: a .NET-packed Agent Tesla trojan, originally obtained on Discord at the following address:
https://cdn.discordapp.com/attachments/912530426499825698/930269593509974076/AWD_Notification_of_shipment_983567419.pdf.7z
This article presents a general overview of the sample; the complete analysis can be found HERE.
Packer analysis
The packer is composed of three files embedded inside one another, in addition to the final payload. All the successive packer payloads are 32-bit .NET 4.0 DLLs, stored inside PE resources as PNG pictures or base64 text.
The following graphic shows the general unpacking steps:
The first two binaries (the main executable and PrivateBinPath.dll) contain very little malicious code. Most of their code comes from legitimate software and GitHub repositories and has been heavily obfuscated. Two PNG pictures are used to store DLLs; both are encrypted with simple XOR loops. The third file (UI.dll) handles the malicious functionality: persistence, sandbox and VM detection, and injection of the final payload into a legitimate process.
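Because each stage is a PE file hidden behind a simple XOR loop, an analyst does not need the packer's key to recover it: the DOS header and the stub string "This program cannot be run in DOS mode." are known plaintext. The script below is an added example written for this article, not code from the Gatewatcher report or from the sample; it generalizes from the single-byte loops described above to any repeating key of up to 16 bytes. The resource blob, the key `\x5a\x13\x88` and the stub offset `0x4E` are constructed for the demo and are not values taken from the sample.

```python
# Added example: recover a repeating XOR key that hides a DLL inside a PE resource,
# using only the fact that the decrypted data must be a PE file.
# The key, offsets and the resource blob below are constructed for the demo.

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # usual position of the stub string in MSVC/.NET-built PEs (assumption)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the packer's decryption loop, usable in both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap validity check: 'MZ' signature and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_repeating_key(blob: bytes, max_key_len: int = 16, stub_offset: int = STUB_OFFSET):
    """Known-plaintext recovery of a repeating XOR key of length 1..max_key_len.

    XORing the encrypted bytes at the stub offset with the known stub string yields
    39 bytes of keystream; a key of period k must repeat inside that window.
    Each candidate is verified by decrypting the whole blob and checking the PE header.
    Returns the key, or None if no candidate produces a valid PE.
    """
    if len(blob) < stub_offset + len(DOS_STUB):
        return None
    cipher_stub = blob[stub_offset:stub_offset + len(DOS_STUB)]
    stream = bytes(c ^ p for c, p in zip(cipher_stub, DOS_STUB))
    for k in range(1, max_key_len + 1):
        if any(stream[i] != stream[i + k] for i in range(len(stream) - k)):
            continue  # keystream is not periodic with period k
        key = bytearray(k)
        for i in range(k):
            # keystream byte i was produced by key index (stub_offset + i) mod k
            key[(stub_offset + i) % k] = stream[i]
        candidate = bytes(key)
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def unpack(blob: bytes):
    """Return (key, decrypted PE) for an XOR-encrypted resource, or (None, None)."""
    key = recover_repeating_key(blob)
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a packed DLL: just enough header to pass looks_like_pe()."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE header at 0x80
    pe[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    pe[0x80:0x84] = b"PE\x00\x00"
    return bytes(pe)


DEMO_KEY = b"\x5a\x13\x88"  # constructed key for the demo, not the sample's key
ENCRYPTED_RESOURCE = xor_bytes(build_fake_pe(), DEMO_KEY)  # what a resource blob would look like


if __name__ == "__main__":
    key, dll = unpack(ENCRYPTED_RESOURCE)
    print("recovered key:", key.hex() if key else None)
    print("valid PE after decryption:", dll is not None and looks_like_pe(dll))
```

In practice the blob is the raw bytes of the PE resource (the PNG-wrapped or base64-decoded data); the same routine can be pointed at each successive stage, and a `None` result signals that the stage uses something other than a repeating XOR loop and needs manual inspection.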
Payload analysis
The following diagram shows the complete execution flow of the payload we analyzed:
This payload is mainly a credential stealer. It can retrieve credentials from a long list of software:
- Web browsers (48 different): Opera, Firefox, Chrome, Yandex, Iridium, Chromium, Torch Browser, Chedot, Elements Browser, IceCat, Waterfox, etc.
- FTP clients: FTP Navigator, Core FTP, WinSCP, Ipswitch FTP, FileZilla, SmartFTP, FTPGetter
- VNC clients: RealVNC, TightVNC, cFTP
- Mail clients: Opera Mail, Thunderbird, Claws Mail, IncrediMail, Postbox, Mailbird, Outlook, Foxmail, Pocomail
- Database software: MySQL Workbench
- VPN software: NordVPN, OpenVPN
- Windows credential vaults
It can also copy files from browsers (SQLite cookie databases), can be configured to act as a keylogger, and can send screen captures back to its operator. A remote code execution feature is also present but was disabled in all the samples we came across.
Four methods can be configured to exfiltrate the information:
- SMTP: an email account sends a mail to itself
- FTP: files are uploaded to a remote server
- HTTP: uses a multipart POST request to send a file (like FTP)
- HTTP/Tor: this method can be configured to download and use Tor as a local proxy. The HTTP request itself has an added layer of encryption (TripleDES).
In the complete document, you'll find:
- The detail of all packer and payload functionalities;
- A complete analysis of the network exfiltration methods;
- YARA rules to detect both the packer and payload;
- Suricata rules detecting the payload communication not spotted by the Emerging Threats Pro ruleset.
Author: Jérémy Beaume