
Agent Tesla Analysis

The past and present of Agent Tesla

Agent Tesla first appeared in 2014 on a Turkish-language website, where it was sold as a keylogger product. Although the website claimed that the product only provided legitimate services to its users, the functions it offered, including evading anti-virus software, covertly bundling itself with other programs, and transferring sensitive files, were comparable to, and in some respects more sophisticated than, those of information-stealing Trojans. It is therefore generally regarded as software built specifically for stealing secrets. Agent Tesla later became popular on underground forums and in hacker communities, selling for roughly 15 to 69 US dollars, with transactions often settled in Bitcoin.

Today, after several rounds of code improvements and continuous feature additions, Agent Tesla has become a professional stealer capable of harvesting sensitive information from browsers, FTP clients, VPN clients, mail clients and WiFi configurations.

In terms of propagation, Agent Tesla spreads mainly through phishing or spam emails carrying attachments in various formats (ZIP, CAB, MSI, IMG, Office documents, etc.), and it supports exfiltrating stolen data over multiple protocols such as SMTP, FTP and HTTP. In terms of analysis evasion, Agent Tesla uses a variety of anti-virus evasion, anti-debugging and anti-virtual-machine techniques, which greatly increase the analysis effort for security personnel. At the user level, Agent Tesla provides an easy-to-configure builder interface: operators can select the Trojan functions they need according to their situation, such as several persistence methods, UAC settings, and forcibly terminating anti-virus processes.

In terms of target industries, Agent Tesla attacks have spread across the Internet, education, banking, telecommunications, medical and manufacturing sectors, and expanded to the energy industry in early 2020.

Agent Tesla remains active today. In early 2020, for example, multiple hacker groups were revealed to be using Agent Tesla in COVID-19-themed phishing campaigns against government and medical organizations. Among them, Deloitte CTI observed a phishing attack under the banner of “COVID-19” in which the attackers used the Agent Tesla Trojan to steal IP information from medical research institutions in Japan and Canada. According to the analysis by Deloitte CTI researchers, the attackers sent phishing emails titled “COVID-19 Supplier Notice” or “Pandemic Consultation” to their targets. These emails carried a Trojan file disguised as “COVID-19 Supplier Notice.zip”; once the user clicked the file, the Agent Tesla Trojan was loaded onto the victim’s computer and began stealing current medical research results.

Another example: in mid-2020, the Gorgon APT group used Agent Tesla to steal data from the Indian MSME sector. Researchers observed phishing campaigns targeting MSME (Micro, Small and Medium Enterprise) companies in India with COVID-19-themed malicious documents. The attack chain is as follows: after the victim opens “face mask order.doc”, the RTF triggers CVE-2017-11882 to execute arbitrary code. The RTF file contains two malicious OLE objects: the first is an executable, the ServerCrypted.vbs script; the second is the Equation.3 exploit (CVE-2017-11882) together with the script that runs ServerCrypted.vbs. After successful exploitation, the script downloads two files with the .jpg extension: one is a PowerShell script that loads a DLL in memory, and the second is the Agent Tesla payload.

In late 2020, Agent Tesla attacks still concentrated on India, with the United States and Brazil also among the main targeted countries. Besides the financial services and public-sector entities seen earlier, the main targets now also include Internet service providers (ISPs), because ISPs hold emails and other important personal data that can be used to gain access to other accounts and services, which is of great value for follow-on attacks.

Sample analysis

As mentioned earlier, Agent Tesla’s main propagation method is phishing email: attackers usually rely on social engineering to deliver enticing emails, documents or archives to their targets. In the past few months we have observed a large number of attackers spreading the Agent Tesla Trojan in emails themed on the COVID-19 pandemic, i.e. with “COVID-19” or “2019-nCov” in the subject.

Such emails generally contain malicious links, or carry Agent Tesla payloads as attachments, to trick victims into clicking. Some samples are also downloaded and executed by macro-enabled documents or Office files that exploit vulnerabilities; commonly exploited vulnerabilities include CVE-2017-11882 and CVE-2017-0199, detailed in the following table:

| File name | Exploited vulnerability | Vulnerability description | Impact |
|---|---|---|---|
| COVID 19 NEW ORDER FACE MASKS.doc.rtf | CVE-2017-11882 | Stack-based buffer overflow | Allows an attacker to run arbitrary code that delivers the payload |
| COVID-19 SUSPECTED AFFECTED VESSEL.doc | CVE-2017-8570 | Remote code execution vulnerability in Microsoft Office | Allows attackers to download a .NET payload |
| COVID-19 measures for FAIRCHEM STEED Voyage | CVE-2017-8570 | Remote code execution vulnerability in Microsoft Office | Allows attackers to download a .NET payload |
| RFQ REF NS326413122017.docx | CVE-2017-0199 | Abuses Office OLE object linking | The Microsoft HTA host (mshta.exe) loads the malicious HTA to download and execute the payload |

Here we analyze a typical Agent Tesla Trojan sample; its main behavior is as follows:

1. It first uses remote template injection to download a DOC file containing an exploit for CVE-2017-11882.

2. When the document is opened, the vulnerability is triggered automatically and the exploit code calls the API function URLDownloadToFileW to download the attack payload from the URL http://75.127.1.211/system/regasm.exe and save it as C:\Users\Public\regasm.exe.

3. Opening the file shows that the content of the decoy document is garbled.

4. The attack payload first loads a resource embedded in the file, which on the surface is a PNG image.

5. Deeper analysis shows that the resource hides code to be executed; the Trojan decrypts it and continues running the decrypted code.

6. The Trojan establishes persistence using one of three methods, chosen according to its configuration: the startup folder, the registry, or a scheduled task.

7. The Trojan then reads further content from the resource and decrypts it to drop the real Agent Tesla main module.

The decryption function is as follows:

The Trojan main body uses timers to invoke its functions, for example installing a global hook for keylogging:

Screenshot capture:

8. The Trojan can exfiltrate data over multiple protocols: SMTP, HTTP and FTP.

9. Through the SMTP-related code we can obtain the email information of the victims. The analysis found that most of the reporting environments are honeypots and analyst machines, although a small number are genuinely compromised hosts.
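As an added example that is not part of the original analysis, the following Python triages constructed Sysmon-style events for the behaviour chain described in steps 2, 6, 8 and 9 above: an Office process writing an executable into C:\Users\Public\ and making an outbound connection, persistence through the Run key, the startup folder or schtasks, and SMTP traffic from a process that is not a mail client. The simplified event field names and the Equation Editor process name EQNEDT32.EXE are assumptions.

```python
import re

# Simplified event schema (an assumption, not the real Sysmon field names):
# every event is a dict with "type" plus the fields used by the rules below.
PUBLIC_DIR = "c:\\users\\public\\"
OFFICE_PROCS = {"winword.exe", "excel.exe", "eqnedt32.exe"}  # EQNEDT32 = Equation Editor (assumed)
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe", "foxmail.exe")
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
MAIL_PORTS = {25, 465, 587}

def triage(events):
    """Return (rule, detail) findings matching the behaviour chain analysed above."""
    findings = []
    for e in events:
        kind = e["type"]
        proc = e.get("image", "").rsplit("\\", 1)[-1].lower()
        target = e.get("target", "").lower()
        if kind == "file_create" and proc in OFFICE_PROCS and target.startswith(PUBLIC_DIR) and target.endswith(".exe"):
            findings.append(("office_drops_exe_in_public", e["target"]))  # step 2: payload written to C:\Users\Public\
        elif kind == "network" and proc in OFFICE_PROCS:
            findings.append(("office_outbound", f'{e["dst"]}:{e["port"]}'))  # step 2: URLDownloadToFileW from Office
        elif kind == "registry_set" and RUN_KEY.search(e["key"]) and PUBLIC_DIR in e["value"].lower():
            findings.append(("run_key_persistence", e["key"]))  # step 6: Run key pointing at the drop directory
        elif kind == "file_create" and STARTUP_DIR.search(target):
            findings.append(("startup_folder_persistence", e["target"]))  # step 6: startup folder
        elif kind == "process_create" and proc == "schtasks.exe" and "/create" in e.get("cmdline", "").lower():
            findings.append(("scheduled_task_persistence", e["cmdline"]))  # step 6: scheduled task
        elif kind == "network" and e["port"] in MAIL_PORTS and not proc.endswith(MAIL_CLIENTS):
            findings.append(("non_mail_client_smtp", f'{proc} -> {e["dst"]}:{e["port"]}'))  # steps 8-9: SMTP exfil
    return findings

# Constructed sample events reproducing the chain from the sample analysis (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE lure.doc"},
    {"type": "file_create", "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "target": "C:\\Users\\Public\\regasm.exe"},
    {"type": "network", "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "dst": "75.127.1.211", "port": 80},
    {"type": "registry_set", "image": "C:\\Users\\Public\\regasm.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\regasm", "value": "C:\\Users\\Public\\regasm.exe"},
    {"type": "network", "image": "C:\\Users\\Public\\regasm.exe", "dst": "mail.example.invalid", "port": 587},
    {"type": "file_create", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "target": "C:\\Users\\alice\\Downloads\\report.pdf"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

The rules are deliberately narrow (drop directory, Run key, mail ports) so they can be tuned against real telemetry rather than used as-is.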

10. Combining the results from other samples, we summarize the software from which Agent Tesla steals data in the table below.

| Software type | Software |
|---|---|
| Browser client | 360 Browser, Comodo Dragon, Coccoc, 7Star, Kometa, Orbitum, Yandex Browser, Opera Browser, Sleipnir 6, Coowon, Brave, Sputnik, Chromium, Uran, QIP Surf, Cool Novo, Epic Privacy, Vivaldi, Torch Browser, Chedot, Liebao Browser, CentBrowser, Iridium Browser, Amigo, Elements Browser, Citrio, Google Chrome, Mozilla Firefox, Microsoft IE, Apple Safari, SeaMonkey, Flock Browser, SRWare Iron, UC Browser |
| Mail client | Microsoft Office Outlook, Mozilla Thunderbird, Foxmail, Opera Mail, PocoMail, Eudora |
| FTP client | FileZilla, WS_FTP, WinSCP, CoreFTP, FlashFXP, SmartFTP, FTP Commander |
| Dynamic DNS | DynDNS, No-IP |
| Video chat | Paltalk, Pidgin |
| Download management | Internet Download Manager, JDownloader |

Summary

Although Agent Tesla’s overall structure is relatively simple and it has a six-year history, it remains one of the most popular malware families. In recent years it has been continuously updated and iterated, its functions have kept improving, and its anti-virus evasion and anti-analysis techniques have grown increasingly complex; combined with social engineering, this significantly raises the difficulty of prevention. We believe this commercial stealer will become even more active in the future, and we recommend the following measures to detect and prevent related threats:

IOCs
