- Agent Tesla is a trojan that aims to steal personal data from targeted users.
- According to the analysis results, the Agent Tesla malware was delivered hidden in a Word document sent to the target system via a phishing e-mail. When the Invoice-Transfer Details.docx file is opened, it uses the CVE-2017-0199 vulnerability to download a second-stage document named https.doc and run it on the target system.
- The https.doc file, downloaded in the background on the target system, uses the Equation Editor vulnerability CVE-2017-11882 to download the actual malware, vbc.exe, and write it under the Public folder.
- After vbc.exe runs, it reads the user information on the target system and the passwords stored in the software installed on the device, then transmits the data it obtains to the attacker through a Telegram bot that is used as the command and control channel.
Agent Tesla is a spyware Trojan that has been observed since 2014 and has remained extremely popular ever since. It is written in .NET and is frequently used to steal sensitive information from infected machines. In addition to stealing credentials from browsers and e-mail clients, Agent Tesla is used by attackers as a keylogger to capture the passwords of many accounts.
CVE-2017-0199 is a remote code execution vulnerability. The address of the malware to be downloaded is defined in a Windows Object Linking and Embedding (OLE) object, i.e. it is embedded in the document itself. When the document containing the OLE object is opened, the malware is downloaded to the system and executed there.
CVE-2017-11882 is a critical vulnerability in the Equation Editor of Microsoft Office. Because the Equation Editor (EQNEDT32.EXE) does not process data in memory correctly, a buffer overflow can be triggered that makes it run attacker-supplied commands on the target system.
Downloading of AgentTesla Malware to the Target System with CVE-2017-0199 Vulnerability – (Invoice-Transfer Details.docx)
With the vulnerability used here, CVE-2017-0199 remote code execution, a file the attacker wanted to place on the system was downloaded as soon as the "Invoice-Transfer Details.docx" Word file was opened, thanks to the malicious link embedded in it.
When I analyzed the 'Invoice-Transfer Details.docx' document and opened the "webSettings.xml.rels" file inside it with Notepad, a malicious URL was found, as shown in the image.
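The webSettings.xml.rels finding above is a relationship with TargetMode="External" that Word resolves at open time. The following triage script is an added example (not part of the original analysis): it unpacks a .docx, walks every .rels part and reports external relationships, rating the auto-fetched types (oleObject, frame, attachedTemplate) as high severity while ordinary hyperlinks stay informational. The sample document it builds, the 192.0.2.10 TEST-NET address and the function names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship types that make Word fetch
# remote content at open time (the CVE-2017-0199 / template-injection pattern).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
AUTO_FETCH_TYPES = {"oleObject", "frame", "attachedTemplate"}


def find_external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every TargetMode="External"
    relationship found in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part: skipped here, but worth a manual look
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, short_type, rel.get("Target", "")))
    return hits


def triage_docx(docx_bytes):
    """Rate external relationships: types Word resolves automatically are high
    severity; a hyperlink only fires when the user clicks it."""
    findings = []
    for part, short_type, target in find_external_relationships(docx_bytes):
        severity = "high" if short_type in AUTO_FETCH_TYPES else "info"
        findings.append({"part": part, "type": short_type,
                         "target": target, "severity": severity})
    return findings


def build_sample_docx(frame_target):
    """Construct a minimal .docx whose word/_rels/webSettings.xml.rels carries an
    external frame relationship (constructed sample, not the analysed file)."""
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s%s" Target="%s" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels",
                   rels % (REL_NS, REL_TYPE_BASE, "hyperlink", "https://example.com/"))
        z.writestr("word/_rels/webSettings.xml.rels",
                   rels % (REL_NS, REL_TYPE_BASE, "frame", frame_target))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://192.0.2.10/https/https.doc")  # TEST-NET placeholder
    for f in triage_docx(sample):
        print(f"[{f['severity']}] {f['part']}: {f['type']} -> {f['target']}")
```

Run it against a real sample by replacing the constructed bytes with the file's contents; anything rated high in a document that arrived by e-mail is worth detonating in a sandbox before it is opened on a workstation.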
Running AgentTesla Malware on the Target System with Equation Editor (CVE-2017-11882) Vulnerability – (https.doc)
Opening the malicious document in HxD and looking carefully already gives preliminary information about the malware. After viewing the https.doc document as hex data in HxD, the shellcode inside it was extracted.
Using the rtfobj tool, the objects in the https.doc RTF document were dumped in order to analyze the shellcode in the file.
The VirusTotal results for the https.doc_object_00000C86.raw file produced by the dump are shared below.
When the shellcode was analyzed, an entry point was detected at the 3rd offset field. When the shellcode runs on the target system, it fetches the Agent Tesla malware: we see that it downloads the vbc.exe file from the remote server (184.108.40.206) and writes it under the Public folder. The download is performed with the URLDownloadToFileW API:
URLDownloadToFileW(source address, destination path where the file is saved)
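rtfobj does the heavy lifting above; the scanner below is an added example (not the report's tooling) of the static check a defender can run on inbound RTF files for the CVE-2017-11882 pattern. It looks for an embedded object whose class is Equation.3 in two places: the \objclass control word and, because that word is often stripped to evade rules, the ASCII ProgID inside the OLE1 header hex-encoded in \objdata. It also notes \objupdate, which makes the object activate on open. The sample RTF it builds contains a placeholder body rather than any shellcode; the function names are constructed.

```python
import binascii
import re

# ProgIDs that Word hands to the Equation Editor (EQNEDT32.EXE); their presence in
# an embedded RTF object is the strongest static indicator of a CVE-2017-11882 lure.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def looks_like_rtf(data):
    # Real RTF starts with {\rtf1; malicious samples often use {\rt or junk after
    # the header, which Word still accepts, so only require the first bytes.
    return data.lstrip().startswith(b"{\\rt")


def scan_rtf(data):
    """Return a list of (indicator, detail) tuples describing Equation Editor objects."""
    findings = []
    if not looks_like_rtf(data):
        return findings
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1)
        if cls.startswith(b"Equation"):
            findings.append(("objclass", cls.decode("ascii", "replace")))
    for m in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = binascii.unhexlify(hexdata[: len(hexdata) & ~1])  # drop a dangling nibble
        except binascii.Error:
            continue
        # The OLE1 header inside \objdata carries the class name in plain ASCII,
        # so it stays visible even when \objclass has been removed.
        for progid in EQUATION_PROGIDS:
            if progid in blob:
                findings.append(("objdata", progid.decode()))
    if b"\\objupdate" in data:
        findings.append(("objupdate", "object activates automatically on open"))
    return findings


def is_suspicious(data):
    return any(kind in ("objclass", "objdata") for kind, _ in scan_rtf(data))


def build_sample_rtf():
    """Constructed RTF with a minimal OLE1 header naming Equation.3 and an inert
    placeholder body (no exploit data); this is not the analysed https.doc."""
    progid = b"Equation.3\x00"
    ole1 = (bytes.fromhex("01050000")            # OLE version
            + bytes.fromhex("02000000")          # format id: embedded object
            + len(progid).to_bytes(4, "little") + progid
            + b"\x00" * 8                        # topic name / item name lengths
            + b"PLACEHOLDER-NOT-AN-EXPLOIT")
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + binascii.hexlify(ole1) + b"}}}")


if __name__ == "__main__":
    for kind, detail in scan_rtf(build_sample_rtf()):
        print(f"{kind}: {detail}")
```

On a real file, a hit on objdata without a matching objclass is itself interesting: it usually means the author deliberately removed the class name. Pair this with the rtfobj dump shown above to pull the object out for closer analysis.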
CrowdStrike Analysis of AgentTesla Malware Downloaded to the Target System and Then Executed via Microsoft Office Vulnerabilities – (vbc.exe)
After gaining a foothold on the target system, the Agent Tesla malware writes to the Windows Registry to ensure persistence; once running, it captures our personal data on the target device, encrypts it with TLS and sends it to the command and control server.
It has been observed that Agent Tesla tries to maintain persistence by making changes to the Windows Registry on the target system.
The persistence attempt by Agent Tesla was caught by CrowdStrike EDR, which successfully protected the test device.
It has been determined that when vbc.exe is run, it copies itself as app.exe to the “AppData\Roaming\app\app.exe” directory.
Agent Tesla was detected on the test device with CrowdStrike EDR installed and was quarantined by CrowdStrike before it could collect data from the target system.
Process Explorer Viewer:
For unpacking, the Agent Tesla sample is run under a debugger; with a breakpoint placed on the WriteProcessMemory() function, the unpacked data written into the newly allocated memory region is dumped.
When the unpacked Agent Tesla sample was analyzed, it was determined that it steals the saved data (passwords, cookies, usernames, e-mail addresses, etc.) kept under the "User Data" folder of the browsers.
It has been observed that Agent Tesla collects cookie data from the target system in a function written specifically for each different browser.
In the function seen below, a piece of code was detected that places an "app" key in the CurrentVersion\Run section of the Windows Registry to ensure persistence on the target system.
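The persistence described here (vbc.exe copying itself to AppData\Roaming\app\app.exe and registering an "app" value under CurrentVersion\Run) leaves a pattern that is easy to hunt for: an autorun whose image lives in a user-writable directory. The script below is an added example, not part of the report, that parses the text produced by `reg export` and flags such entries. The .reg content it scans is constructed for the example; only the "app" entry mirrors the behaviour described above, the other values are benign filler, and the function names are assumptions.

```python
import re

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Directories any user can write to. A legitimate installer rarely registers an
# autorun from here; a dropper that copies itself (vbc.exe -> app.exe) usually does.
# Treat a hit as a triage signal, not a verdict (some updaters live in AppData\Local).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# Constructed `reg export` output; not taken from the infected test device.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"app"="C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape_reg_string(data):
    """Strip the quotes around a REG_SZ literal and undo .reg escaping (\\\\ and \\")."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return (key, value_name, value_data) triples for the REG_SZ values in a .reg dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group(2).startswith('"'):
            entries.append((key, m.group(1), unescape_reg_string(m.group(2))))
    return entries


def command_image(command):
    """Extract the executable path from an autorun command line (quoted or bare)."""
    m = re.match(r'^\s*"([^"]+)"', command) or re.match(r'^\s*(.+?\.exe)\b', command, re.I)
    return m.group(1) if m else command.strip()


def suspicious_run_entries(text):
    """Flag Run/RunOnce values whose image sits in a user-writable directory."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        image = command_image(data)
        if any(marker in image.lower() for marker in USER_WRITABLE):
            findings.append({"key": key, "name": name, "image": image,
                             "reason": "autorun image lives in a user-writable directory"})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['image']} ({f['reason']})")
```

On a live host the same logic can be fed from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; note that `reg export` writes UTF-16 with a BOM, so decode the file with that encoding before passing the text in.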
A piece of code that reads user data (saved passwords, Emails, etc.) in the Outlook Software on the target system has been detected.
Code that collects system information has been detected.
It was determined that, once this collection completes, the code keeps the system information in HTML format, ready to be sent to the attacker's Telegram bot.
The Telegram link to the command and control server that receives all collected data has been identified.
It has been determined that the data is sent to the command and control server via the HTTP POST method.
When we dumped the memory region while Agent Tesla was running, we saw that the data collected from the target device had been gathered together to be sent to the command and control server.
The collected data is sent to the Telegram bot as a string array.
As seen in the picture below, the information collected from the target device by Agent Tesla is delivered to the attacker through a Telegram bot. Some information stands out in the response to my HTTP request: because the attacker had not configured the Telegram bot correctly, Infinitum IT Cyber Threat Intelligence teams gained access to the attacker's command and control server.
After seeing the file_id and chat_id parameters, the question arises: "Can we access this file using the Telegram API?" And after looking at the documentation for a while, we see that we can find out the location of the file by issuing this GET request.
After learning the location of the file, we download the file itself with a second GET request.
Receiving the data from the target device, in HTML format, from the command and control server:
The first thing that stands out at this point is the file name “file_130.html”. As with IDOR vulnerabilities, we run a brute force to see whether we can reach different files by changing this number. The tool we use is ffuf.
Our message_id was 935. So, if we can receive a message and redirect it to our own chat_id, we can access the 934 messages sent here before us. We start the trials. First, we test with the attacker's chat_id, without obtaining our own chat_id.
Even when we direct the message back to the attacker's chat, without bothering to obtain our own chat_id, we can see the message content in the HTTP response. Using the ffuf tool again, we brute-force the message_id from 0 to 935 and save every response returning 200 OK to a separate file. Afterwards, we filter them with grep.
We obtained user data from a total of 458 HTTP responses.
It was determined that when the "Invoice-Transfer Details.docx" file was opened with Office Word, the system was directed to the IP address of the server the attacker wanted it to download from; when we listened with Wireshark, we saw it download the file 172[.]245[.]220[.]196/https/https.doc.
When https.doc was opened, it was determined that it downloaded an executable file from 172[.]245[.]220[.]196/235/vbc.exe.
It has been determined that when "vbc.exe" runs, an encrypted request is sent to Telegram over TLS.
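The three network observations above (a Word download from a bare IP, a second download triggered from the Equation Editor, and a TLS session from the dropped binary to the Telegram Bot API) can be turned into host-aware network detections when an EDR records the originating process next to the destination. The script below is an added example, not the report's tooling or CrowdStrike's: it triages constructed EDR-style network events, flags Office processes fetching document or executable payloads from bare IP addresses, flags any network activity by EQNEDT32.EXE (which has no legitimate reason to reach the network), and flags Bot API connections from processes outside an assumed allowlist or running from user-writable paths. It also includes a small redaction helper for bot tokens before logs are shared. The event format, process paths, allowlist and the 192.0.2.10 TEST-NET address are assumptions.

```python
import json
import re
from ipaddress import ip_address

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Processes for which a Bot API connection is plausible on a workstation (assumed allowlist).
BOT_API_ALLOWLIST = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
PAYLOAD_EXT = re.compile(r"\.(doc|docx|rtf|exe|dll|scr)$", re.I)
# Bot API tokens look like bot<numeric id>:<secret>; the secret must not end up in shared IOC lists.
BOT_TOKEN = re.compile(r"bot(\d+):[A-Za-z0-9_-]{30,}")

# Constructed EDR-style network events, one JSON object per line. Because the
# Telegram traffic is TLS-wrapped, the only visible name for it is the SNI.
SAMPLE_EVENTS = r'''
{"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "method": "GET", "host": "192.0.2.10", "uri": "/https/https.doc", "sni": null}
{"image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "method": "GET", "host": "192.0.2.10", "uri": "/235/vbc.exe", "sni": null}
{"image": "C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe", "method": null, "host": null, "uri": null, "sni": "api.telegram.org"}
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "method": null, "host": null, "uri": null, "sni": "api.telegram.org"}
{"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "method": "GET", "host": "officecdn.microsoft.com", "uri": "/pr/update.xml", "sni": null}
'''


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_events(jsonl):
    """Return (process, rule, destination) tuples for events matching the three rules."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev.get("image") or ""
        exe = image.rsplit("\\", 1)[-1].lower()
        host = (ev.get("host") or "").lower()
        sni = (ev.get("sni") or "").lower()
        uri = ev.get("uri") or ""
        # Rule 1: the Equation Editor never needs the network; any activity is a finding.
        if exe == "eqnedt32.exe":
            alerts.append((exe, "equation-editor-network-activity", host or sni))
        # Rule 2: an Office process pulling a document/executable straight from an IP address.
        if exe in OFFICE_PROCS and ev.get("method") and is_bare_ip(host) and PAYLOAD_EXT.search(uri):
            alerts.append((exe, "office-download-from-bare-ip", host + uri))
        # Rule 3: Bot API reached by an unexpected process or one running from a user-writable path.
        if sni in TELEGRAM_API_HOSTS:
            from_user_dir = any(marker in image.lower() for marker in USER_WRITABLE)
            if exe not in BOT_API_ALLOWLIST or from_user_dir:
                alerts.append((exe, "bot-api-from-unexpected-process", sni))
    return alerts


def redact_bot_token(text):
    """Keep the numeric bot id (useful for correlation) but drop the secret part."""
    return BOT_TOKEN.sub(lambda m: f"bot{m.group(1)}:<redacted>", text)


if __name__ == "__main__":
    for proc, rule, dest in triage_events(SAMPLE_EVENTS):
        print(f"{rule:36} {proc:14} {dest}")
```

Rule 3 is the one that survives the TLS encryption noted above: the payload is opaque, but the destination name and the process that opened the socket are not, and a binary in AppData\Roaming talking to the Bot API is exactly the exfiltration path this sample uses.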
Indicators of Compromise
- SHA-256:
- URL: 172[.]245[.]220[.]196/https/https.doc

MITRE ATT&CK Techniques
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Credentials from Password Stores
- Deobfuscate/Decode Files or Information
- Obfuscated Files or Information
- Browser Session Hijacking
- Account Discovery: Local Account
- Application Layer Protocol: Web Protocols
- Application Layer Protocol: Mail Protocols
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol