Updated: Mar 23
Demystify Cyber analysed the payload from a malicious email campaign from 9 January 2022 that contains an attachment called Purchase Order, that installs malware called Agent Tesla on the system.
Agent Tesla is malware as a service delivered in malspam (malcious spam emails). Agent Tesla is a remote access trojan, which is .Net based, and used to steal credentials, keystrokes, clipboard data, and other information from the infected system. The malware communicates the stolen data back to its command and control server. Agent Tesla was first discovered in 2014 and has had various iterations. It was very active last year with faked COVID mask offers. It is usually delivered in emails with malicious attachments, such as zip files.
The campaign analysed used faked purchase orders as bait.
Subject- Purchase Order
Sender address (various) – usually spoofed to appear as ‘Purchasing Department’
Body of email – ‘below is attached our new purchase order kindly please process’ (saw some variations of this but essentially along the same lines)
The samples Demystify Cyber analysed in this recent campaign use Telegram to communicate back to a C2.
Remind user’s to not open attachments from emails of which they cannot verify the legitimacy
Use a reputable and up to date anti-virus and have it enabled
Consider using access control/least privilege to prevent a user’s infected computer spreading malware throughout the system
1. Initial access
Malicious attachment in an email (purchase order(dot)exe)
T1047: Windows Management Instrumentation – queries BIOS and processor (could be trying to detect sandbox or VM)
· WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
· WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
T1574.002: DLL Side-Loading – tries to load missing DLL
Section loaded: xboxlivetitleid.dll
Section loaded: cdpsgshims.dll
Section loaded: wlanhlp.dll
T1547.001: Registry Run Keys / Startup Folder – creates an auto start reg key
· Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VOGUEDAED
· Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce VOGUEDAED
4. Privileged Escalation
T1055: Process Injection – allocates memory
Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
T1562.001: Disable or Modify Tools – changes MS security settings
Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
T1140: Deobfuscate/Decode Files or Information – code in .NET calls to encrypt function
Cryptographic APIs: 'CreateDecryptor'
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
T1564.002: Hidden Users – hides user accounts
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
T1087: Account Discovery – queries the users Code function: 24_2_05F958F4 GetUserNameW,
T1083: File and Directory Discovery – enumerates all the files on the infected system
T1018: Remote System Discovery – reads the files C:\Windows\System32\drivers\etc\hosts
7. Collection and C2
T1114: Email Collection – tried to email out the data
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
T1102: Web Service – uses the API of Telegram
Written by A. Turner
© A. Turner 2021 https://www.demystifycyber.com.au/
Provided for general information and education purposes