The ASEC analysis team has recently identified that AgentTesla is being distributed through a malicious VBS. The script is obfuscated in several layers. AgentTesla was already found last May being distributed through a Windows Help file (*.chm), and its distribution method appears to change continuously.
The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified.
The attached compressed file contains the VBS, and the filenames commonly imitate invoices and proposals. The confirmed filenames are as follows:

| Date | Filename |
| --- | --- |
| 10/05 | doc_10049500220529464169750.pdf.vbs |
| 10/07 | doc_5246701207754814333490.vbs |
| 10/12 | № 106 – Supply of Flex.vbs protected copy of the commercial invoice.vbs |
| 10/12 | LJUR900225565_pdf.vbs |
| 10/13 | 770140578183.CL.NoticeOfArrival.vbs |
| 10/15 | Urgent RFQ No.6554342.vbs |
| 10/17 | JKTR002014953_5101075053_ppwk.vbs |
| 10/17 | Order List(Draft) 9419-PDF.vbs |
| 10/18 | BESOLO.vbs |
| 10/21 | BEST SOLU.vbs |
The confirmed VBS files contain a large number of comment lines and dummy code.
Aside from the comments and dummy code, the code at the bottom of the file reads the strings of the currently running VBS file, discarding two characters and keeping the third.
When this code runs, the strings hidden in the comments are decoded and executed as a new script. The decoded code contains an obfuscated shellcode and an additional PowerShell command.
When the decoded script is executed, the value of the 'Ch8' variable, an obfuscated shellcode, is saved to the registry at HKCUSoftwareBasilicae17Vegetates.
Afterward, the value of the 'O9' variable is executed through PowerShell. 'O9' holds a PowerShell command, which is obfuscated as shown below.
powershell.exe "$Quegh = """DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes`$LivHPerSWir)Con;Fat Ret Hjl Amp Aft`$IntBLavySaltfaseBinsEno Che=Sax CenNDvdeDoswCyp-VovOShab <ommited> Ind5Nin3Ree#Apo;""";; Function Tammy159 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Statice = $Statice + $HS.Substring($i, 1); } $Statice;} $Ambulancetjeneste1820 = Tammy159 'UnsIPujEFolXInt '; $Ambulancetjeneste1821= Tammy159 $Quegh; & ($Ambulancetjeneste1820) $Ambulancetjeneste1821;;
The PowerShell code decodes the obfuscated value stored in the '$Quegh' variable by discarding three characters and keeping the fourth (e.g. UnsIPujEFolXInt -> IEX).
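The character-skipping decoder used by both the VBS stage and the PowerShell stage, as an added analysis example that is not ASEC's code: it ports the Tammy159 loop faithfully, pulls the loop parameters out of a PowerShell sample instead of guessing them, and decodes the literals quoted above. The VBS sample, and its start index and loop bound, are constructed assumptions, since the analysis gives only the skip count for that stage.

```python
import re

# Header of the decoder loop in the PowerShell stage:
#   For($i=3; $i -lt $HS.Length-1; $i+=(3+1))
FOR_RE = re.compile(
    r"For\(\$i=(\d+);\s*\$i\s+-lt\s+\$\w+\.Length-1;\s*\$i\+=\(?(\d+)(?:\+(\d+))?\)?\)"
)

def loop_params(ps_source: str) -> tuple:
    """Return (start, step) of the skip-loop decoder found in a PowerShell stage."""
    m = FOR_RE.search(ps_source)
    if m is None:
        raise ValueError("no character-skipping decoder loop found")
    start, step, extra = m.groups()
    return int(start), int(step) + int(extra or 0)

def decode(hs: str, start: int, step: int, end_offset: int = 1) -> str:
    """Faithful port of Tammy159: keep hs[i] for i = start, start+step, ...
    while i < len(hs) - end_offset (the original stops at Length-1)."""
    return "".join(hs[i] for i in range(start, len(hs) - end_offset, step))

def decode_literals(ps_source: str) -> list:
    """Decode every single-quoted literal passed to the decoder function."""
    name = re.search(r"Function\s+(\w+)\s*\{", ps_source).group(1)
    start, step = loop_params(ps_source)
    return [decode(lit, start, step) for lit in re.findall(name + r" '([^']*)'", ps_source)]

# Excerpt of the PowerShell stage quoted in the analysis above.
PS_STAGE = ("Function Tammy159 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1))"
            "{ $Statice = $Statice + $HS.Substring($i, 1); } $Statice;} "
            "$Ambulancetjeneste1820 = Tammy159 'UnsIPujEFolXInt '; "
            "$Ambulancetjeneste1821= Tammy159 $Quegh; & ($Ambulancetjeneste1820) $Ambulancetjeneste1821;;")

# Leading part of the $Quegh value from the same command. The backtick before '$' in
# the quoted command is PowerShell's escape inside a double-quoted string, not data,
# so it is dropped here.
QUEGH_PREFIX = ("DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude "
                "UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes$LivHPerSWir)Con;")

# Constructed VBS-style sample: two filler characters before each real character.
# start=2, step=3 and no trailing cut-off (end_offset=0) are assumptions.
VBS_SAMPLE = "xxMyyszzgaaBbbocCx"

if __name__ == "__main__":
    print(loop_params(PS_STAGE))                   # (3, 4)
    print(decode_literals(PS_STAGE))               # ['IEX']
    print(decode(QUEGH_PREFIX, 3, 4))              # Function HTB {    param([String]$HS)
    print(decode(VBS_SAMPLE, 2, 3, end_offset=0))  # MsgBox
```

The Length-1 bound drops the final character of the input, which is why the trailing ';' of the $Quegh prefix does not survive; in the real script the string continues, so nothing is lost there.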
The decoded command is also obfuscated, and the code that is ultimately executed is as follows.
The obfuscated shellcode previously saved in HKCUSoftwareBasilicae17Vegetates is base64-decoded and executed. The shellcode injects the AgentTesla malware into CasPol.exe, a legitimate process. AgentTesla is an info-stealer that collects information from the user's PC, compresses it into CO_[username]/[PC name].zip, and exfiltrates it via email.
The email account used for exfiltration is as follows.
- From : hasan@edp-bkv.com
- To : kingpentecost22@gmail.com
- pw : Fb56****65fr
AgentTesla also appears consistently in the weekly malware statistics, and its distribution method keeps changing. Caution is advised because the shellcode stage can execute malware other than AgentTesla.
[File Detection]
Dropper/VBS.Generic
Downloader/VBS.Powershell
Trojan/VBS.Agent
Trojan/VBS.Obfuscated
[IOC]
7fe2ed92d9306c8f0843cbb4a38f88e0
b06081daa9bc002cd750efb65e1e932e
eccef74de61f20a212ecbb4ead636f73
ea202427fbe14d9a6d808b9ee911f68c
Source: https://asec.ahnlab.com/en/40890/