Title: AgentTesla intensifies its presence in Italy: the crucial role of PDF attachments

Email to spread AgentTesla

Recently, AgentTesla operators have strengthened their malspam campaigns in Italy, confirming the trend observed in recent months towards a greater use of PDF attachments. These documents contain links that, once clicked, start the download of files containing malicious JavaScript code.

The email urges the recipient to view the attached document without delay. When the document is opened, a fake error message prompts the user to click a Reload button; that click actually starts the download of a malicious JavaScript file.

PDF with fake Error message

The downloaded file pretends to be a PDF by using the double extension .pdf.js. Many spaces are deliberately inserted between “.pdf” and “.js”, a trick that pushes the real JS extension out of view and hides the file's true nature.
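The padded double extension is easy to catch at the mail gateway or in an EDR filename feed, because the handler that Windows chooses depends only on the text after the last dot, not on what the user sees. The following is an added example, not code from the original post: it normalises whitespace (including non-breaking and zero-width variants), separates the displayed "decoy" extension from the real one, measures the blank padding, and flags the combination. The extension lists and the sample filenames are constructed for illustration, not indicators from the campaign.

```python
import re

# Constructed list of extensions Windows executes on double-click (script hosts,
# binaries, shortcuts). Assumption for this example; extend for your environment.
EXECUTABLE_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "lnk",
}

# Document extensions that lures place in front of the real one.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}

# Whitespace runs, including non-breaking and zero-width characters that render as blank.
WHITESPACE_RUN = re.compile(r"[\s\u00a0\u2000-\u200b\u202f\u3000]+")


def analyze_filename(name: str) -> dict:
    """Compare what a user sees with what the OS will actually execute."""
    # The extension that selects the handler is the text after the LAST dot,
    # regardless of how much blank space precedes it.
    collapsed = WHITESPACE_RUN.sub(" ", name).strip()
    parts = collapsed.split(".")
    real_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    decoys = [p.strip().lower() for p in parts[1:-1]]

    # Longest run of blank characters anywhere in the original name.
    runs = WHITESPACE_RUN.findall(name)
    padding = max((len(r) for r in runs), default=0)

    reasons = []
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension .{real_ext} is executable")
        if any(d in DECOY_EXTENSIONS for d in decoys):
            reasons.append("document extension shown before the real one")
        if padding >= 5:
            reasons.append(f"{padding} blank characters push .{real_ext} out of view")

    return {
        "name": name,
        "real_extension": real_ext,
        "decoy_extensions": decoys,
        "padding": padding,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def flag_attachments(names):
    """Return only the entries worth alerting on."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


# Constructed sample names mimicking the lure described above (not real IoCs).
SAMPLE_NAMES = [
    "Fattura_2024.pdf" + " " * 40 + ".js",   # the padded double extension
    "Fattura_2024.pdf",                      # legitimate document
    "report.final.docx",                     # dot inside the name, still harmless
    "invoice.pdf.exe",                       # double extension without padding
]

if __name__ == "__main__":
    for r in flag_attachments(SAMPLE_NAMES):
        print(repr(r["name"]), "->", "; ".join(r["reasons"]))
```

The check deliberately keys on the real extension first: a plain `.exe` attachment is already worth flagging, and the decoy and padding findings are added as context that raises confidence. Apply it to the filename as delivered (before any display truncation by the mail client), since that truncation is exactly what the padding exploits.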

The deliberately obfuscated JavaScript code downloads and executes a PowerShell script hosted in a Bitbucket repository. This script, in turn, contains binary values that, through simple substitutions, yield the AgentTesla executable.

JavaScript

The details of the script decoding steps and the in-depth analysis of the AgentTesla sample are omitted here, as they present no notable peculiarities. The change of style is, however, worth noting: the AgentTesla authors now spread the malware without the usual compressed archives containing the executable.

The infection chain

The infection process can be effectively represented by the following graph:

Infection process: from email to C2

The AgentTesla executable

The binary generated by the PowerShell script is never written to disk; it is loaded and executed directly in memory. The file can only be extracted for analysis by manually decoding the script.

The behaviour is unchanged: the sample checks 60 clients (browsers, email, FTP and instant-messaging applications) for stored credentials.

  • ChromiumViewer
  • Coowon
  • Chrome
  • Edge
  • Chromium
  • Firefox
  • SeaMonkey
  • Thunderbi
  • BlackHawk
  • Cyberfox
  • K-Meleon
  • icecat
  • Pale Moon
  • IceDragon
  • Waterfox
  • Postbox
  • Flock
  • Safari
  • Falkon Browser
  • Outlook
  • IncrediMail
  • Eudora
  • FoxMail
  • Opera Mail
  • Mailbird
  • CoreFTP
  • FTP Navigator
  • SmartFTP
  • SWS_FTP
  • FTPGetter
  • Discord
  • Trillian
  • Psi+
  • MysqlWorkbench
  • Internet Downloader Manager
  • JDownloader
  • Opera Software
  • YanexBrowser
  • Iridium
  • Chromium
  • ChromePlus
  • Kometa
  • Amigo
  • Brave-Browser
  • CentBrowser
  • Chedot
  • Orbitum
  • Sputnik
  • Dragon
  • Vivaldi
  • Citrio
  • 360Chrome
  • CozMedia
  • liebao
  • Elements Browser
  • Epic Privacy Browser
  • CocCoc
  • Sleipnir
  • Surf
  • Coowon

Communications with C2: a Telegram Bot

Finally, information about the compromised machine, such as the hostname and hardware specifications, together with the credentials extracted from the clients listed above, is sent to a Telegram bot. This transmission method, already seen in numerous other AgentTesla campaigns, reflects a recurring strategy: exfiltrating data through instant-messaging platforms, which give the operators convenient remote access to the stolen data.
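Because the Bot API lives on a fixed host and path layout (`https://api.telegram.org/bot<bot_id>:<secret>/<method>`), exfiltration through a Telegram bot leaves a distinctive trace in web-proxy logs. The following is an added detection example, not code from the original post: it parses a constructed proxy log format (timestamp, source IP, method, URL, status, user agent, an assumption for this example), keeps only Bot API calls, records the non-secret numeric bot id and API method, masks the token so it does not end up in tickets, and summarises calls per internal host. The sample log lines and the bot token in them are constructed and not indicators from the campaign.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Telegram Bot API paths have the form /bot<bot_id>:<secret>/<method>.
# The numeric bot_id is safe to record; the part after the colon is the credential.
BOT_API_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)


def parse_proxy_line(line: str) -> dict:
    """Constructed log layout (assumption): ts src_ip method url status user_agent."""
    fields = line.split(maxsplit=5)
    if len(fields) < 5:
        raise ValueError(f"malformed proxy line: {line!r}")
    ts, src, method, url, status = fields[:5]
    ua = fields[5] if len(fields) > 5 else ""
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status, "ua": ua}


def detect_telegram_bot_calls(lines):
    """Return one hit per request to the Telegram Bot API."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        url = urlsplit(rec["url"])
        # Only the Bot API host matters; web.telegram.org is ordinary user chat.
        if url.hostname != "api.telegram.org":
            continue
        m = BOT_API_PATH.match(url.path)
        if not m:
            continue
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "status": rec["status"],
            "bot_id": m["bot_id"],
            "api_method": m["method"],
            # Keep only a short prefix of the secret so the token is not copied into alerts.
            "token_masked": f"{m['bot_id']}:{m['secret'][:3]}***",
        })
    return hits


def summarize(hits):
    """Count Bot API calls per (internal host, bot id, method) for triage."""
    return Counter((h["src"], h["bot_id"], h["api_method"]) for h in hits)


# Constructed sample log; the token is a placeholder, not a real credential.
SAMPLE_LOG = """\
2024-03-12T09:14:03Z 10.20.1.57 GET https://www.example.com/news 200 Mozilla/5.0
2024-03-12T09:14:09Z 10.20.1.57 POST https://api.telegram.org/bot123456789:AAExampleNotARealToken0000000000000/sendDocument 200 Mozilla/4.0
2024-03-12T09:15:40Z 10.20.1.88 GET https://web.telegram.org/a/ 200 Mozilla/5.0
2024-03-12T09:16:02Z 10.20.1.57 POST https://api.telegram.org/bot123456789:AAExampleNotARealToken0000000000000/sendMessage 200 Mozilla/4.0
2024-03-12T09:17:11Z 10.20.1.90 GET https://api.telegram.org/ 404 Mozilla/5.0
""".splitlines()

if __name__ == "__main__":
    found = detect_telegram_bot_calls(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["api_method"], h["token_masked"])
    for key, n in summarize(found).items():
        print(key, n)
```

In an environment where Telegram bots are not a sanctioned integration, any `sendDocument` or `sendMessage` call from a workstation is worth an alert on its own; where they are, correlate the source host with the process that opened the connection (a script host or PowerShell rather than a browser) and with the bot id, which stays constant across a campaign even when the secret is rotated.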

Package sent to Telegram

“Turnkey” access

AgentTesla plays a crucial role in the cybercrime ecosystem, serving as an initial entry point for more invasive and harmful operations. Once this malware successfully exfiltrates credentials and sensitive data from compromised systems, this information is often sold on the dark web by specialized intermediaries, better known as
