Fake Purchase Order Used to Deliver Agent Tesla

Thanks to Val Saengphaibul who helped contribute to this blog.

FortiGuard Labs Research

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Compromised machines are under the control of the threat actor
Severity Level: Medium

Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.

FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals. The e-mail contained a PowerPoint attachment that is in reality a sophisticated, multi-stage effort to deploy the Agent Tesla RAT (Remote Access Trojan).

What makes this campaign unique is the usage of PPAM, which is a file format that is not very common. A PPAM is a Microsoft PowerPoint add-in that gives developers extra functionality, such as extra commands, custom macros, and new tools. This blog will detail the infection process and subsequent malware deployment.

Examining the phishing e-mail

Like so many computer-based attacks, this one began as a phishing e-mail sent to an organization in Ukraine.

Spelling and grammar issues aside, like most good phishing campaigns this one provides a time sensitive statement urging the recipient to urgently review the attached order.

Looking deeper at the e-mail and where it came from, we can see some additional information in the headers.

The e-mail originated at an address of 194[.]99[.]46[.]38 that corresponds to slot0.warongsoto.com. This is hosted on a run-of-the-mill VPS server. Visiting the server, we noticed that the site states that the server control panel is controlled by VESTA. Recent CVE data highlights that Vesta Control Panel is affected by remote command execution and elevation of privilege vulnerabilities that ultimately allow for full compromise of the system (CVE-2020-10786 and CVE-2020-10787).

The domain itself appears to be either abandoned or at least unused with no active content hosted. It was registered in the United States in October 2021.

The originating e-mail address does not appear to reference an actual individual and a search for other instances of this being used elsewhere came up empty.

Examining the dropper – stage 1

Phase 1

Dropping the final payload occurs in multiple phases, making this, in actuality, a very complex operation. As shown in Figure 1, attached to the e-mail is the file “order001.ppam”. This is an add-in file format used by Microsoft PowerPoint that, in this case, contains a malicious macro that acts as a dropper for Agent Tesla.

The first phase of stage 1 begins with opening the PPAM attachment to activate the macro contained within.

Once the macro is executed, it will reach out to the URL shortener Bit.ly to download the next phase of the dropper. The address used is: hXXp://www[.]bitly[.]com/awnycnxbcxncbrpopor/

Phase 2

The call out to Bitly will be redirected to a location on MediaFire – a file hosting site (hXXp://download2261[.]mediafire[.]com/6lcqxbws032g/wctsdmx4dsh95xs/19.htm). As possibly inferred, this was a campaign and not simply directed at one recipient. There were multiple files made available over several days, as shown below in Figure 4.

Each of the files is very similar (with minor tweaks) to the download location of the next step. Figure 5, below, shows 19.htm as it appears if downloaded directly. 

If we arrange the file into a more readable format, we get a better sense of what it’s trying to do.

As seen in Figure 6, the file attempts to taskkill several applications and services followed by adding a scheduled task into the Windows Task scheduler. The script then attempts to download and execute another file from MediaFire – hXXp://www[.]mediafire[.]com/file/otza6n31talvvle/19.dll.

Phase 3

While the file extension gives the impression of a Microsoft dynamic link library (.dll), 19.dll is in actuality a PowerShell script containing instructions in a large amount of hexadecimal data.

Once executed, the hexadecimal data will be transformed into additional PowerShell commands that will run in memory. For example, new registry keys will be added to assist with persistence.

If captured and reviewed, the entries that stand out the most are two large, compressed byte arrays — $nona and $STRDYFUGIHUYTYRTESRDYUGIRI.

As can be seen in Figure 9, the byte arrays are then decompressed for use. Once decompressed, these can be saved as executable Windows files. $nona is the larger of the two and is Agent Tesla. $STRDYFUGIHUYTYRTESRDYUGIRI will inject Agent Tesla into a running Windows process.

Renaming 19.dll to 19.ps1 allows it to be executed as a normal PowerShell script. With this particular sample, it will attempt to launch and then inject Agent Tesla into the aspnet_compiler.exe application.

Examining the malware – stage 2

At its core, Agent Tesla is a keylogger and RAT (Remote Access Trojan). It will take any results captured from the keyboard and clipboard and send them back to its C2 (Command and Control) server. In this instance, once injected into the aspnet­_compiler.exe process Agent Tesla will be up and running. With entries in the registry it will have persistence to run even if the host machine is rebooted.

As can be seen in Figure 11, this variant is similar to one FortiGuard Labs has analyzed  previously.

From this point, it will run in the background and observe the user, recording their actions and sending them back to the threat actor.

Conclusion

Threat actors for the most part like to use lures that are tried and true, as was the case here with the invoicing phishing e-mail, because they continue to enjoy success. The dropper attached to the phishing e-mail shows the continuing evolution and complexity required to evade modern security controls combined with the need to traverse several gates to arrive at the release point for the final payload.

Once finally deployed to a system, the ability to obfuscate and hide inside everyday files and processes proves that Agent Tesla is a very capable and formidable threat. Unfortunately, this trend towards increasing sophistication is unlikely to abate any time soon.

Fortinet Protections

FortiMail’s integrated antivirus, sandbox, and content disarm and reconstruction (CDR) functions detect and disable this malicious attachment. The FortiGuard Antivirus service detects and blocks this threat as:

• VBA/Agent.GBX!tr
• JS/Agent.YHB!tr
• PossibleThreat.PALLAS.H

The domain warongsoto.com is blocked by the Web Filtering client. 

IOCs

Sample SHA-256:

Network IOCs:

Mitre TTPs

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.