While the entire world is fighting the COVID-19 pandemic, cybercriminals are busy exploiting the situation and attacking vulnerable users and businesses. In the past few weeks there has been an increase in coronavirus-themed malspam, which is being used to deliver a variety of malware. At Quick Heal Security Labs we have observed Agent Tesla being delivered through such campaigns. The main motive of these campaigns is to steal sensitive data by capturing keystrokes, taking screenshots, dumping browser passwords, etc.
Campaign Details: We have observed a variety of coronavirus-themed Agent Tesla campaigns. Below are the different categories:
• Exploiting MS Office vulnerability CVE-2017-11882
• Exploiting MS Office vulnerability CVE-2017-8570
• Archives with a double-extension executable (ZIP, RAR, etc.)
Variant 1 – Technical Details
A victim receives a phishing mail with an attachment titled “COVID 19 NEW ORDER FACE MASKS.doc.rtf”. This document is an RTF file that exploits CVE-2017-11882, a stack-based buffer overflow vulnerability present in the Microsoft Equation Editor component. The vulnerability allows the attacker to run arbitrary code, and after successful exploitation it delivers the Agent Tesla payload. The dropped payload performs code injection into the known Windows process RegAsm.exe. The injected code in RegAsm.exe performs all of the info-stealing activity and sends the data to the CnC server.

Fig. 1 Attack Chain
The RTF file is heavily obfuscated with a number of invalid control words and whitespace. After deobfuscating the file, the following API calls are present in it.

Fig. 2 Shellcode in RTF file

Fig. 3 Shellcode in RTF file
Payload Analysis: The .NET payload is downloaded by the CVE-2017-11882 exploit. When execution begins, it starts decrypting the resource section where the malicious code is stored. Using the process-injection method, it injects its code into a genuine Microsoft file, RegAsm.exe, to bypass security products. The purpose of this payload is to steal sensitive data, log user keystrokes and send this data to the SMTP server.
Variant 2 – Technical Details
A victim receives a phishing mail with an attachment titled “COVID-19 SUSPECTED AFFECTED VESSEL.doc” or “COVID-19 measures for FAIRCHEM STEED, Voyage (219152).doc”. This document is an RTF file containing an OLE2Link object to exploit CVE-2017-8570. This vulnerability triggers the execution of scripts without user interaction. After successful exploitation, the winword.exe process drops an embedded .sct file and executes it. The .sct file contains the code shown below, which executes PowerShell.exe to download and execute the payload from a remote server.

Fig. 4 Attack Chain
The composite moniker (C6AFABEC197FD211978E0000F8757E2A) is present in the RTF file to execute a .sct file on the victim’s machine. Due to the improper handling of objects in memory, the Office application drops and successfully executes the scriptlet file (.sct), which results in the execution of the malicious code present in the .sct file.

Fig. 5 Moniker CLSID and dropped location of .sct file
The following figure shows the code: the .sct file contains obfuscated PowerShell code.

Fig. 6 Obfuscated .sct file
Payload Analysis: The .NET payload is downloaded by the CVE-2017-8570 exploit described above. When execution begins, it checks for an already running instance of itself; if one is found, it throws an exception and terminates. If not, it starts decrypting the resource section where the malicious DLL is stored. The self-injection method is used to inject the DLL into its own process. When a new instance of the process gets started, it drops a shortcut (.lnk) file in the Startup folder to establish persistence and sets the attributes of its own file to hidden. The purpose of this payload is to steal sensitive data, log user keystrokes and send the data to the SMTP server.
Variant 3 – Technical Details
A victim receives a phishing mail that carries archived attachments of various types such as ZIP, RAR, etc. with a name such as “COVID-19 Supplier Notice.zip”. This malicious archive extracts to an AutoIt-compiled version of the Agent Tesla malware with a name such as “COVID-19 Supplier Notice.jpg.exe”. When this payload starts, it performs code injection into a known Windows process, RegAsm.exe; after successful execution, the payload begins the info-stealing activity.
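Both RTF variants rely on tricks a triage script can check for: Variant 1 hides its Equation Editor object behind invalid control words and whitespace, and Variant 2 embeds the composite moniker CLSID quoted above. The following is an added example, not Quick Heal's tooling or code from the campaign: it extracts every `\objdata` group from an RTF, strips the junk the same way a lenient parser does, and flags the two object types. The CLSID bytes are the hex string from this write-up; the `Equation.3` / `Equation.Native` markers are the standard ProgID and stream name of an Equation Editor object. The sample RTFs are constructed here for the demonstration.

```python
import re

# Composite moniker CLSID, byte for byte as it appears inside the OLE object data
# (the hex string quoted in the write-up: C6AFABEC197FD211978E0000F8757E2A).
COMPOSITE_MONIKER_CLSID = bytes.fromhex("C6AFABEC197FD211978E0000F8757E2A")

# Strings that identify an embedded Equation Editor object, the target of
# CVE-2017-11882 (the ProgID and the native data stream name).
EQUATION_MARKERS = (b"Equation.3", b"Equation.Native")


def extract_objdata_blobs(rtf: str):
    """Return the raw text of every \\objdata group, up to its closing brace."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        blobs.append(rtf[m.end():i])
    return blobs


def deobfuscate_hex(chunk: str) -> bytes:
    """Strip what obfuscated RTFs sprinkle into the hex stream: nested groups,
    bogus control words, \\'xx escapes and whitespace. Only hex digits survive,
    which is how a lenient RTF parser treats the stream anyway."""
    chunk = re.sub(r"\{[^{}]*\}", "", chunk)                              # nested {\*\junk ...} groups
    chunk = re.sub(r"\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?\d*|\\.", "", chunk)  # control words and symbols
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", chunk)
    if len(hexdigits) % 2:  # drop a dangling nibble, as lenient parsers do
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits)


def scan_rtf(rtf: str) -> dict:
    """Flag the two object types this campaign relies on."""
    result = {"objects": 0, "composite_moniker": False, "equation_object": False}
    for blob in extract_objdata_blobs(rtf):
        data = deobfuscate_hex(blob)
        result["objects"] += 1
        if COMPOSITE_MONIKER_CLSID in data:
            result["composite_moniker"] = True
        if any(marker in data for marker in EQUATION_MARKERS):
            result["equation_object"] = True
    return result


def build_sample_rtf(objdata: bytes) -> str:
    """Constructed test input: wrap object bytes in an RTF skeleton and obfuscate
    the hex with bogus control words, whitespace and a nested junk group."""
    hexstr = objdata.hex()
    pieces = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    noisy = "{\\*\\junk 4141}" + "\\bogus12 \n ".join(pieces)
    return "{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + noisy + "}}}"


# Constructed samples (not real campaign files): an OLE1-style header followed by
# the marker of interest, plus a benign "Package" object for comparison.
SAMPLE_MONIKER = build_sample_rtf(b"\x01\x05\x00\x00\x02\x00\x00\x00" + COMPOSITE_MONIKER_CLSID + b"\x00" * 8)
SAMPLE_EQUATION = build_sample_rtf(b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00")
SAMPLE_BENIGN = build_sample_rtf(b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00")

if __name__ == "__main__":
    for name, sample in (("moniker", SAMPLE_MONIKER), ("equation", SAMPLE_EQUATION), ("benign", SAMPLE_BENIGN)):
        print(name, scan_rtf(sample))
```

A hit on either flag is a reason to detonate the document in a sandbox rather than deliver it; the deobfuscation step matters because naive string matching on the raw file misses the markers once they are split by control words.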

Fig. 7 Attack Chain
Payload Analysis: When execution starts, it creates a .URL file in the Startup location which contains a link to a .VBS file dropped in the ‘srdelayed’ location. The self-copy in the ‘srdelayed’ folder is created at the same location from which the file was executed. It then starts decrypting the resource section where the actual malicious code is stored. Here, the AutoIt resource section contains .NET code and, using the process-injection method, it injects its code into the genuine Microsoft file RegAsm.exe, itself a .NET file. The purpose of this payload is to steal sensitive data, log user keystrokes and perform data exfiltration over SMTP.
Final Stage Payload Analysis:
Below is the analysis of the first variant, which is the same as for the other two variants.
The malicious code is stored in the resource section of the binary.
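Variant 3 gets past a casual glance because the archive member is named like an image (`.jpg.exe`) and is an AutoIt-compiled executable. As an added example, not Quick Heal's code, the following mail-gateway style check opens a ZIP in memory and flags members with a lure-plus-executable double extension, members whose content starts with a PE header regardless of their name, and AutoIt-compiled PEs. The `AU3!EA06` token is the signature Aut2Exe embeds in compiled binaries; the archive contents are constructed here and are not the campaign sample.

```python
import io
import posixpath
import zipfile

# A final extension that would actually execute, behind a lure extension meant
# to look like a document or image (e.g. "COVID-19 Supplier Notice.jpg.exe").
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Token signature embedded in Aut2Exe-compiled binaries (known marker).
AUTOIT_MARKER = b"AU3!EA06"


def double_extension(name: str):
    """Return the offending 'lure.exec' suffix, or None."""
    parts = posixpath.basename(name).lower().split(".")
    if len(parts) < 3:
        return None
    last, prev = "." + parts[-1], "." + parts[-2]
    return prev + last if last in EXECUTABLE_EXTS and prev in LURE_EXTS else None


def inspect_archive(data: bytes):
    """Return [(entry_name, [reasons])] for entries worth blocking or sandboxing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            suffix = double_extension(info.filename)
            if suffix:
                reasons.append(f"double extension {suffix}")
            content = zf.read(info)
            if content[:2] == b"MZ":  # DOS/PE header: content is an executable
                if info.filename.lower().endswith((".exe", ".dll", ".scr")):
                    reasons.append("PE executable")
                else:
                    reasons.append("PE header under non-executable name")
                if AUTOIT_MARKER in content:
                    reasons.append("AutoIt-compiled")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive standing in for the phishing attachment: one
    double-extension AutoIt-style PE, one PE hiding behind .pdf, one clean text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COVID-19 Supplier Notice.jpg.exe", b"MZ" + b"\x00" * 62 + AUTOIT_MARKER + b"\x00" * 16)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print(f"{name}: {', '.join(reasons)}")
```

The content check is the important one: renaming the member defeats an extension filter, but the `MZ` header and the AutoIt token travel with the file. RAR attachments need a separate reader (the standard library has none), but the per-member logic is the same.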

Fig. 8 Resource Section
After the data is decrypted in memory, the DLL gets loaded and in turn decrypts the final malicious code in memory, which is then injected into itself or into a RegAsm.exe process.

Fig. 9 Decryption of .NET code
After self-injection of this decrypted code, it starts collecting system information such as Username, Computername, OSFullName and other basic details. It also starts stealing data from browsers. It carries a hardcoded list of up to 25 browsers along with their paths, a few of which are shown below:

Fig. 10 Browser Lists
It also has a list of e-mail clients along with their paths, from which it steals e-mail data and sends it to its CnC server.
The payload can capture screenshots of the current window in JPG format at a fixed time interval. The captured image, like the one seen below, is sent to the e-mail server by creating an SMTP client.

Fig. 11 SMTP client details
The image is sent to one hardcoded e-mail ID, ‘amani@planetships.net’, with the subject SC_<username> and a message body containing information about the victim’s system, with the captured image as an attachment.
Copying data from the clipboard is another function of this payload: it stores all copied data in an array.

Fig. 12 Getting a copy of the clipboard data
Keylogging activity is present in this payload: it first checks the keyboard layout, after which it captures all keyboard events.

Fig. 13 Getting the details of the keyboard keys
Protection by Quick Heal
Our advanced signature-less Behavior-Based detection successfully blocks all known Agent Tesla variants.
Conclusion
Actors behind these campaigns are capitalizing on the global coronavirus panic to distribute Agent Tesla malware and steal sensitive user information. Quick Heal advises users to exercise ample caution and avoid opening attachments and clicking on web links in unsolicited emails. Users should also keep their operating system updated and have a full-fledged security solution installed on all devices.
Quick Heal’s research team is proactively monitoring all campaigns related to COVID-19 and working relentlessly to ensure the safety of our customers.
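Across all three variants the behaviour on the endpoint is the same: an Office process spawns a script host, the payload is injected into RegAsm.exe, which then talks SMTP to the CnC, and a .lnk/.URL file lands in the Startup folder. Those are observable with process, network and file-creation telemetry. The following is an added example, not Quick Heal's detection logic, that runs three such rules over constructed Sysmon-style events (IDs 1, 3 and 11). The file and process names are made up for the demonstration; the CnC addresses are the two IPs from the IOC list below, and `203.0.113.10` is a documentation address standing in for benign traffic.

```python
import ntpath

# Behaviours the write-up describes that a clean host should never show:
# Office spawning a script host, and RegAsm.exe (a .NET registration utility)
# talking to the network.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
SMTP_PORTS = {25, 465, 587}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
PERSIST_EXTS = (".url", ".lnk", ".vbs")
# Addresses taken from the IOC list of the write-up (defanged there).
KNOWN_C2 = {"5.189.132.254", "107.189.7.179"}


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict):
    """Return the names of the rules a single Sysmon-style event trips."""
    hits = []
    if event["id"] == 1:  # process creation
        if base(event["parent_image"]) in OFFICE_PARENTS and base(event["image"]) in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
    elif event["id"] == 3:  # network connection
        if base(event["image"]) == "regasm.exe":
            hits.append("regasm_outbound_smtp" if event["dest_port"] in SMTP_PORTS else "regasm_outbound_any")
        if event["dest_ip"] in KNOWN_C2:
            hits.append("known_c2_address")
    elif event["id"] == 11:  # file creation
        target = event["target"].lower()
        if STARTUP_DIR in target and target.endswith(PERSIST_EXTS):
            hits.append("startup_folder_persistence")
    return hits


def run_rules(events):
    """Flatten rule hits over an event stream into alert records."""
    return [{"rule": rule, "image": base(e["image"])} for e in events for rule in evaluate(e)]


# Constructed events shaped like Sysmon IDs 1, 3 and 11 (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell -w hidden -enc <base64 placeholder>"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_ip": "5.189.132.254", "dest_port": 587},
    {"id": 11, "image": r"C:\Windows\notepad.exe", "target": r"C:\Users\victim\Documents\notes.txt"},
    {"id": 11, "image": r"C:\Users\victim\AppData\Local\Temp\COVID-19 Supplier Notice.jpg.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The RegAsm.exe rule is the most robust of the three: the binary is signed and normally runs briefly during .NET installs, so any outbound connection from it is worth an alert even when the destination is not on an IOC list, which is why the example splits it into an SMTP and a generic variant.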
MITRE ATT&CK TIDs
Tactic | Technique |
Initial Access | Spearphishing Attachment |
Initial Access | Spearphishing Link |
Execution | Execution through API |
Execution | Exploitation for Client Execution |
Execution | PowerShell |
Execution | Scripting |
Persistence | Registry Run Keys / Startup Folder |
Defence Evasion | Obfuscated Files or Information |
Defence Evasion | Process Hollowing |
Defence Evasion | Scripting |
Credential Access | Credential Dumping |
Credential Access | Credentials in Files |
Discovery | Query Registry |
Discovery | System Information Discovery |
Collection | Clipboard Data |
Collection | Input Capture |
Collection | Screen Capture |
Command And Control | Remote File Copy |
Command And Control | Standard Application Layer Protocol |
Exfiltration | Exfiltration Over Alternative Protocol |
IOCs:
527142E25A8229D1DC910AF23CDB5256 (DOC)
C1B04A9474CA64466AD4327546C20EFC (DOC)
F1E95D1E23A582E4EF8B19E55E21D40E (PE)
6D5ED323EF55F7BD34BC193DDC8AFE74 (PE)
C3166A86DBF5B6A95FC723EF639DAD45 (PE)
5[.]189[.]132[.]254
107[.]189[.]7[.]179
Subject Matter Experts:
- Aniruddha Dolas
- Pavankumar Chaudhari
- Bajrang Mane