AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed through an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. This blog post will provide an explanation of the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques.
Figure 1 shows the body of the spam email distributing the AgentTesla malware. It deceives recipients by mentioning in the subject line that the email was sent from an alternative email account and then encourages them to execute the malicious file (.BAT). As shown in Figure 2, the attached zip (compressed) file contains a batch script file (.BAT). The BAT file is a type of script file that is run by the Windows application cmd.exe when executed.
Figure 1. Body of the phishing email
Figure 2. Malicious script (.bat) inside the attached zip file
Figure 3 is the obfuscated BAT script file. As shown in the EDR detection screen in Figure 4, the BAT file copies itself using the xcopy command when executed. Additionally, it disguises a normal powershell.exe with a png extension and copies it.
Figure 3. Malicious BAT file
Figure 4. xcopy command executed via cmd.exe (EDR showing the BAT file being copied along with powershell.exe which has been disguised with a png extension)
Afterward, it executes PowerShell commands through powershell.exe (Lynfe.png) which has been disguised with a png extension. As depicted in Figure 5, the EDR detection screen displays the PowerShell process name as a process with the png extension (Lynfe.png), and it is this process that executes the PowerShell commands.
Figure 5. EDR displaying the PowerShell script that was executed via cmd.exe
Figure 6 is the decoded PowerShell commands. The PowerShell commands decode (gzip, reverse) the data encoded within the BAT file, create a DLL payload, and load it into the PowerShell process. As shown in Figure 7, the loaded DLL executes the decoded shellcode, which, in turn, performs additional decoding routines and ultimately runs the AgentTesla malware in the memory.
Figure 6. Decoded PowerShell commands that load the .NET DLL encoded within the BAT file
Figure 7. .NET DLL feature that executes the decoded shellcode
Figure 8 shows the feature of the AgentTesla malware, which is ultimately executed by the PowerShell process (Lynfe.png). This feature is responsible for stealing account credentials from a specific browser (Edge). It collects account credential-related data through various paths in this manner, and Table 1 provides a glimpse of the collection paths for the stolen information.
Figure 8. Account credential-stealing feature of the final payload, AgentTesla
|
A Portion of Collection Paths for Account Credential-related Data |
| “SputnikSputnikUser Data” “Elements BrowserUser Data” “NETGATE TechnologiesBlackHawk” “BraveSoftwareBrave-BrowserUser Data” “Waterfox” “uCozMediaUranUser Data” “Opera SoftwareOpera Stable” “MicrosoftEdgeUser Data” “ComodoIceDragon” “CatalinaGroupCitrioUser Data” “7Star7StarUser Data” “Fenrir IncSleipnir5settingmodulesChromiumViewer” “YandexYandexBrowserUser Data” “Thunderbird” “ChedotUser Data” “IridiumUser Data” “KometaUser Data” “ChromiumUser Data” “QIP SurfUser Data” “MozillaFirefox” “MozillaSeaMonkey” “K-Meleon” “liebaoUser Data” “CocCocBrowserUser Data” “Mozillaicecat” “AmigoUser Data” “VivaldiUser Data” “OrbitumUser Data” “MapleStudioChromePlusUser Data” “360ChromeChromeUser Data” “GoogleChromeUser Data” “ComodoDragonUser Data” “Epic Privacy BrowserUser Data” “FlockBrowser” “Postbox” “CoowonCoowonUser Data” “Moonchild ProductionsPale Moon” “8pecxstudiosCyberfox” “TorchUser Data” “CentBrowserUser Data” |
Table 1. A portion of collection paths for account credential-related data
In Figure 9, which is the EDR detection screen for infostealing behavior, you can see that the PowerShell process disguised as a png file accessed the account credential within a browser.
Figure 9. EDR showing evidence of AgentTesla’s account credential theft
After stealing information, AgentTesla, which is running within the PowerShell process (Lynfe.png), transfers the collected data to an FTP server controlled by the threat actor, as depicted in Figure 10.
Figure 10. The feature of the final payload, AgentTesla, to transfer stolen information to a C2 via FTP
Using EDR’s evidence data, we explained the infection flow of AgentTesla Infostealer that is being distributed through spam emails. The threat actor employed a sophisticated fileless technique that does not create an EXE file and cunningly disguised the distribution email by writing in the subject line that the email had been sent from an alternative email account. It is essential to exercise caution when opening attachments and ensure that there is no extension present that is capable of executing malware. Additionally, continuous monitoring using security products is crucial for detecting and controlling unauthorized access from threat actors.
[Behavior Detection]
CredentialAccess/EDR.Event.M11362
[File Detection]
Trojan/BAT.Agent.SC192347
[IOC]
6d9821bc1ca643a6f75057a97975db0e
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
