Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.
The spyware is built on the .NET framework. It aims to steal personal data and transmit it back to the C2 server, and it can harvest information from web browsers, email clients and FTP servers.
The malware comes with multiple persistence mechanisms that help it evade antivirus detection, so it can resume operation automatically after a system reboot. It can also terminate Windows processes to stay hidden.

SilverTerrier

SilverTerrier is a Nigerian threat group that has been active since 2014. It mainly targets organizations in high technology, higher education, and manufacturing.


In recent weeks a new malware campaign delivering Agent Tesla has been detected. Below is an analysis of the malware and of the attacker's infrastructure.

Sandbox analysis link: https://app.any.run/tasks/1f2f6acd-d1a7-4175-a06f-38524a5f9b0d/

Analysis of the malware and of the attacker's infrastructure


Dynamic analysis

Process tree

Once executed, the malware starts two child processes:

  • schtasks.exe
  • RegSvcs.exe

The first is used to create scheduled tasks with the command:

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ysZeGjU" /XML "C:\Users\admin\AppData\Local\Temp\tmp9D6C.tmp"

Persistence command

which launches the malware ysZeGjU.exe at every logon.

The second process is identified as Agent Tesla; all of the malware's activities are carried out through it:

  • Creation of registry keys
  • Exfiltration of information from web browsers
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • Exfiltration of the user's personal information
    • C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Dropped files

During execution of the sample the malware is unpacked and its persistence is set up, a process that leads to the creation of new files:

  • C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
  • C:\Users\admin\AppData\Roaming\ysZeGjU.exe
  • C:\Users\admin\AppData\Local\Temp\tmpD59.tmp

The file ysZeGjU.exe is the actual malware, which is then executed at every boot of the computer to obtain remote, persistent access.


Registry keys created

These keys are created to obtain persistence on the system, allowing the malware to start at every reboot of the machine.

  • KEY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • NAME NewApp
    • VALUE C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
  • KEY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
    • NAME NewApp
    • VALUE C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe

Network activity

The malware contacts the C2 (command and control) server, to which it sends the information stolen from victims and which enables remote control of the system:

  • Domain mail[.]tradzilanilaw[.]co[.]za
  • IP 69[.]46[.]6[.]238

As illustrated in the figure below, the domain and the IP contacted by the sample under analysis have also been used in other malware campaigns and by other malware of the same family (Agent Tesla).


Static analysis

A first static analysis of the initial Agent Tesla sample yields some interesting information, including:

  • md5 63CCA7B824B315FE272B8B4768CCB44E
  • sha1 D3B145B0C415488815B430F71EA82BA8F4289F05
  • sha256 46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8
  • first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
  • entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • file-version 0.8.0.0
  • cpu 32-bit
  • compiler-stamp 0x60A58B3F (Thu May 20 00:03:43 2021)
  • code-page Unicode UTF-16, little endian
  • CompanyName Fayva
  • FileDescription wsManager
  • InternalName 8MUWA2d1M.exe
  • LegalCopyright Copyright © Fayva
  • OriginalFilename 8MUWA2d1M.exe
  • ProductName webshellManager

ysZeGjU.exe
  • md5 63CCA7B824B315FE272B8B4768CCB44E
  • sha1 D3B145B0C415488815B430F71EA82BA8F4289F05
  • sha256 46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8
  • first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
  • imphash F34D5F2D4577ED6D9CEEC516C1F5A744
  • entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • file-version 0.8.0.0
  • description wsManager
  • cpu 32-bit
  • compiler-stamp 0x60A58B3F (Thu May 20 00:03:43 2021)
  • CompanyName Fayva
  • FileDescription wsManager
  • FileVersion 0.8.0.0
  • InternalName 8MUWA2d1M.exe
  • LegalCopyright Copyright © Fayva
  • OriginalFilename 8MUWA2d1M.exe
  • ProductName webshellManager

NewApp.exe
  • md5 0E06054BEB13192588E745EE63A84173
  • sha1 30B7D4D1277BAFD04A83779FD566A1F834A8D113
  • sha256 C5D6D56DED55FBD6C150EE3A0EB2E5671CAE83106BE2BE4D70CE50AA50BAB768
  • first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
  • imphash F34D5F2D4577ED6D9CEEC516C1F5A744
  • entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • file-version 4.7.3062.0 built by: NET472REL1
  • description Microsoft .NET Services Installation Utility
  • cpu 32-bit
  • compiler-stamp 0x5AB95109 (Mon Mar 26 21:59:05 2018)
  • code-page Unicode UTF-16, little endian
  • CompanyName Microsoft Corporation
  • FileDescription Microsoft .NET Services Installation Utility
  • InternalName RegSvcs.exe
  • LegalCopyright © Microsoft Corporation. All rights reserved.
  • OriginalFilename RegSvcs.exe
  • ProductName Microsoft® .NET Framework

NewApp turns out to be the Microsoft tool RegSvcs.exe, through which registry keys can be created.


tmpD59.tmp
  • md5 C0089F5200712CEBEC6B695A682611B3
  • sha1 F30A3BDACB50B9CA066EC23BAB70164025ADF439
  • sha256 050749E86B5846DD70D4F2A8324B742C0F87109D7CDB356D33968AFDC57CED96
  • first-bytes-hex 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46
  • first-bytes-text <?xml version="1.0" encoding="UTF

Extract of the file contents:

<LogonTrigger>
<Enabled>true</Enabled>
<UserId>USER-PC\admin</UserId>
</LogonTrigger>
<Command>C:\Users\admin\AppData\Roaming\ysZeGjU.exe</Command>

Used as the persistence mechanism for the malware (ysZeGjU.exe) at every logon of the affected user.


Other IOCs related to Agent Tesla


List of hashes of the executables of the Agent Tesla samples detected:
