Agent Tesla: A Lesson in How Complexity Gets You Under the Radar
July 2, 2020 | Guy Propper
Agent Tesla is a prolific strain of spyware that has been sold online since 2014. It is advertised on dark-web forums as legitimate monitoring software not intended for malicious purposes. However, its extensive password extraction features are clearly being used for malicious purposes by many actors.
Deep Instinct's Research Team recently came across a very interesting infection chain in one of our production sites. What makes it unusual is its long and inordinately complex process: it starts with an RTF document attached to a phishing email and ends with an Agent Tesla executable dropped on the victim machine. The intermediate stages use OLE objects embedded in the RTF document and obfuscated VBA code contained in OOXML packages inside those OLE objects. The VBA code in turn executes PowerShell, which finally drops the malicious executable. Dozens of similar RTF droppers were found to be active very recently, possibly indicating a wide attack wave of Agent Tesla using this infection process.
The full infection flow is explained in the following diagram:
The infection chain begins when the victim opens an RTF file that arrives as an attachment to a phishing email. On opening, the user is presented with five consecutive requests to enable macros. There are five requests because the RTF contains five embedded OLE objects, each of which contains an OOXML package. Inside each OOXML package lies a VBA macro; when the user enables macros, the macros execute one at a time.
The VBA code contained in each of the OOXML packages is rather short and has been padded with many spaces and line breaks to make it hard to read and reorganize.
A snippet of initial spaced VBA code.
To hinder static analysis, the main variable used in the code is not in the VBA at all: it is stored in a specific cell of the spreadsheet inside each OOXML package. The value is a long obfuscated string, which can be found in xl/sharedStrings.xml in the OOXML package.
Indeed, static analysis tools such as oletools and oledump did not reveal anything about the functionality of the VBA code, and dynamic analysis of the VBA with ViperMonkey was not successful either. However, manually debugging each of the five VBA code parts revealed that each part is responsible for building one piece of a PowerShell script, which forms the next stage of the infection process.
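Because the payload string lives in the spreadsheet rather than in the macro, a triage step that most VBA-centric tools skip is to pull xl/sharedStrings.xml out of each embedded package and look for cells that are far too long and too uniform to be spreadsheet content. The following is an added example of that check, not code from the write-up: it builds a constructed, minimal xlsx-style zip in memory (the part layout is real OOXML, the cell values and the filler blob are made up) so it runs offline, then lists shared strings that look like an encoded payload.

```python
"""Triage helper: flag unusually long, narrow-alphabet strings in an OOXML package.

Added example, not code from the Deep Instinct write-up. The sample package is
constructed in memory so the script runs offline; only the sharedStrings.xml
layout is the real OOXML one, the cell contents are invented.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed filler standing in for the real obfuscated string (not the sample's data).
SAMPLE_BLOB = "4a5f8a" * 60


def build_sample_package() -> bytes:
    """Build a minimal OOXML zip with only the parts this triage needs."""
    shared = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<sst xmlns="{SML_NS}" count="3" uniqueCount="3">'
        "<si><t>Invoice</t></si>"
        "<si><t>Total</t></si>"
        f"<si><t>{SAMPLE_BLOB}</t></si>"
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


def shared_strings(package: bytes) -> list:
    """Return every shared string in xl/sharedStrings.xml, in table order."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    out = []
    for si in root.iter(f"{{{SML_NS}}}si"):
        # Rich-text cells split one string over several <r><t> runs; join them.
        out.append("".join(t.text or "" for t in si.iter(f"{{{SML_NS}}}t")))
    return out


def suspicious_strings(package: bytes, min_len: int = 200) -> list:
    """Flag strings long enough to be a payload and drawn from a narrow
    alphabet (hex or base64), returning (index, string) for cross-reference
    with the cell the VBA reads."""
    narrow = re.compile(r"^[0-9A-Za-z+/=]+$")
    return [(i, s) for i, s in enumerate(shared_strings(package))
            if len(s) >= min_len and narrow.match(s)]


def has_vba_project(package: bytes) -> bool:
    """A macro-enabled package carries its VBA in xl/vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return "xl/vbaProject.bin" in z.namelist()


if __name__ == "__main__":
    pkg = build_sample_package()
    print("VBA project present:", has_vba_project(pkg))
    for idx, s in suspicious_strings(pkg):
        print(f"sharedStrings[{idx}] len={len(s)} head={s[:32]}...")
```

On a real sample, point `shared_strings` at each OOXML package carved from the RTF's OLE objects; the index returned is the shared-string table position, which is what the worksheet cell references, so it can be matched against the cell address the VBA reads.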
A snippet of PowerShell code created by executing the VBA macro in the first OLE object.
Once all five parts have run, the assembled PowerShell code is executed.
The PowerShell code formed in the previous step is highly obfuscated.
Obfuscated PowerShell, with a large encoded blob.
After debugging the code, which is decoded by the function af23a, the result is still obfuscated, but its purpose becomes clear: the main goal of this PowerShell code is to attempt an AMSI bypass and then download a file using WebClient().DownloadFile.
Partially deobfuscated PowerShell code. Red squares mark the obfuscated strings responsible for the AMSI bypass; the blue square marks the download URL.
The AMSI bypass is attempted by passing an empty buffer to the AmsiScanBuffer function. The strings relevant to the bypass are the red squares in the image above and can be deobfuscated with the function af23a in the PowerShell script. The same bypass was attempted in the past by a very similar Agent Tesla infection process. The download URL, which appears obfuscated as the string '09411248125b1a495b0d044707560e0753075b040c1b05570c4e5b04501804470217030e580416041950', decodes to "hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe" (blue square in image 4). The file downloaded from this URL is Agent Tesla, which is described in the following section.
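The write-up does not reproduce af23a, but it does give both the obfuscated string and the URL it decodes to, which is enough to recover the transform without the script. The following added example (not the sample's code) treats the two as a known-plaintext pair: XORing them yields a key stream that repeats every five bytes as "a5f8a", so whatever af23a does internally, its effect on this string is a repeating-key XOR over hex-encoded bytes. The key is inferred here from the page's own data, not quoted from the sample; the decoded URL is printed de-fanged.

```python
"""Decode the obfuscated download URL from the PowerShell stage.

Added example, not the script's af23a routine. The key "a5f8a" is recovered
below by XORing the write-up's ciphertext against its decoded URL (known
plaintext); it is an inference from the page's data, not taken from the sample.
"""
from itertools import cycle
from typing import Optional

# Both values as printed in the write-up (the URL is de-fanged there).
CT_HEX = ("09411248125b1a495b0d044707560e0753075b040c1b0557"
          "0c4e5b04501804470217030e580416041950")
KNOWN_URL = "https://cleranoffacem.com/nbhyerd/bomb.exe"


def xor_decode(ct_hex: str, key: str) -> str:
    """XOR the hex-encoded bytes against a repeating ASCII key."""
    ct = bytes.fromhex(ct_hex)
    return bytes(c ^ k for c, k in zip(ct, cycle(key.encode()))).decode()


def recover_key(ct_hex: str, plaintext: str, max_period: int = 32) -> Optional[str]:
    """Known-plaintext recovery: ct XOR pt is the key stream; return the
    shortest repeating unit that explains the whole stream, or None if no
    period up to max_period fits (the transform is then not a repeating XOR)."""
    stream = bytes(c ^ p for c, p in zip(bytes.fromhex(ct_hex), plaintext.encode()))
    for period in range(1, min(max_period, len(stream)) + 1):
        unit = stream[:period]
        if all(stream[i] == unit[i % period] for i in range(len(stream))):
            return unit.decode(errors="replace")
    return None


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    key = recover_key(CT_HEX, KNOWN_URL)
    print("recovered key:", key)
    print("decoded URL  :", defang(xor_decode(CT_HEX, key)))
```

With the key in hand, the same `xor_decode` can be tried on the red-square strings from the image above; if they do not decode to printable text, af23a is doing more than a XOR on those and the key-recovery step has to be repeated with whatever plaintext the debugger shows.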
Agent Tesla download and execution
The Agent Tesla executable is downloaded from hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe to AppData\Roaming\u565.exe. The executable then performs several tasks:
- Creates a scheduled task using schtasks.exe to execute the Agent Tesla executable.
- Disables Task Manager through the registry using reg.exe. The specific command used is "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr".
- Searches for Wi-Fi passwords using netsh wlan show profile.
- Tries to steal a variety of credentials: PuTTY/WinSCP, browser, FTP, and mail credentials.
- Sends the stolen credentials to firstname.lastname@example.org; the credentials Golden@#$2019 are included with that account.
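Each of the first three actions runs a built-in Windows binary with a command line that is rare on a workstation, which makes them good candidates for a behavioural rule. The following added example (not the write-up's tooling) runs three such rules over constructed process-creation records shaped like Sysmon Event ID 1 / Windows 4688 fields, then correlates hits by parent process, since one parent doing two or more of these is the post-drop pattern described above. The log records are made up; the command strings mirror the ones in the write-up, and the task name and user path are placeholders.

```python
"""Behavioural detection for the post-drop actions described above.

Added example, not the write-up's tooling. The events below are constructed
(not captured from a real host); the command lines follow the write-up, the
task name and user paths are placeholders.
"""
import re

RULES = [
    # reg.exe writing DisableTaskMgr under the per-user Policies\System key.
    ("disable_taskmgr",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bDisableTaskMgr\b", re.I)),
    # schtasks creating a task whose action lives under AppData\Roaming.
    ("schtasks_persist_appdata",
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*\\AppData\\Roaming\\", re.I)),
    # netsh enumerating saved Wi-Fi profiles.
    ("wifi_profile_enum",
     re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profile", re.I)),
]

# Constructed sample events. pid 4120 plays the dropped u565.exe.
EVENTS = [
    {"pid": 4120, "parent": 612,
     "cmd": r"C:\Users\victim\AppData\Roaming\u565.exe"},
    {"pid": 4133, "parent": 4120,
     "cmd": r'schtasks.exe /Create /TN "u565" /TR "C:\Users\victim\AppData\Roaming\u565.exe"'},
    {"pid": 4140, "parent": 4120,
     "cmd": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr"},
    {"pid": 4151, "parent": 4120,
     "cmd": r"netsh wlan show profile"},
    # Benign noise: an interactive user and an admin query that should not fire.
    {"pid": 5002, "parent": 1180,
     "cmd": r"notepad.exe C:\Users\victim\Documents\notes.txt"},
    {"pid": 5010, "parent": 1180,
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
]


def match_rules(cmd: str) -> list:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events: list) -> list:
    """One hit record per (event, rule) pair."""
    return [{"pid": ev["pid"], "parent": ev.get("parent"), "rule": name, "cmd": ev["cmd"]}
            for ev in events for name in match_rules(ev["cmd"])]


def techniques_by_parent(events: list) -> dict:
    """Distinct rules fired by children of each parent pid, sorted by name."""
    by_parent = {}
    for hit in detect(events):
        by_parent.setdefault(hit["parent"], set()).add(hit["rule"])
    return {p: sorted(r) for p, r in by_parent.items()}


def high_confidence_parents(events: list, min_rules: int = 2) -> list:
    """Parents whose children tripped at least min_rules different rules."""
    return sorted(p for p, rules in techniques_by_parent(events).items()
                  if len(rules) >= min_rules)


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} parent={hit['parent']} :: {hit['cmd']}")
    print("high-confidence parents:", high_confidence_parents(EVENTS))
```

Note that the DisableTaskMgr rule keys on the value name rather than on /d or /f, because the command as observed in the write-up is shown without them; a rule that required the full argument set would miss exactly this sample.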
An Earlier Precedent?
It is interesting to note that a very similar infection flow, involving an RTF file that contained five OLE objects, was identified in March 2018. In that instance, the payload dropped at the end of the chain was Lokibot. Given the striking similarity between the two cases, the attack was either carried out by the same actors or built with the same framework; we could not find data that would make one of the two options more likely than the other.
In addition, despite this method being more than two years old, it is apparently still used effectively in the wild, with dozens of similar RTF files found in a recent attack wave.
The sophisticated and complex infection chain covered in this article, while not new, is still used extensively in the wild. This suggests that a multi-stage attack chain is not only difficult to analyze but also helps attackers evade detection: each stage is responsible for only a small portion of the attack, so each stage on its own is harder to detect. In addition, in this attack, as in many others in recent years, built-in Windows tools are abused by the attackers. Here the tools abused were schtasks.exe, reg.exe, and netsh, evidence of the continuing trend of attackers abusing dual-use tools.
Deep Instinct’s customers are protected from this threat, which is prevented at multiple execution stages. The initial RTF dropper was prevented in production pre-execution, using deep learning-based static analysis. Moreover, this RTF dropper was prevented with Deep Instinct’s prediction model (D-Brain) released more than 20 months prior to the appearance of this dropper. If the dropper were to execute, PowerShell execution would be prevented with Deep Instinct’s script protection, and the Agent Tesla executable is prevented both statically using the D-Brain, and dynamically using advanced behavioral analysis protection.
Agent Tesla download URL: hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe
Agent Tesla: 756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b
Similar RTF files