Key Takeaways
The blog describes a new infection chain for distributing the AgentTesla RAT: a spam email carries a CPL file that, when executed, downloads a PowerShell script which injects the AgentTesla payload into RegSvcs.exe and MSBuild.exe.
The PowerShell scripts hide their malicious code as obfuscated binary strings.
For persistence, malicious VBScripts are dropped into the Startup folder and a new scheduled task is created.
A .NET-based loader injects the AgentTesla payload into memory.
Executive Summary
Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed, multi-stage process. The campaign is designed to trick unsuspecting users into opening tax-related documents and the accompanying Control Panel (CPL) files.
The adversary leverages malicious CPL files to execute malicious PowerShell scripts and uses a custom obfuscated .NET loader to inject the AgentTesla payload.
During the investigation, we discovered a malicious email with the subject “Gorgees Ghada shared "Gorgees_Ghada_Tax_2021-2022.zip" with you”. This email carries an attached archive containing two files, a PDF and a CPL file, named Gorgees_Ghada_Tax 2021.pdf and Gorgees_Ghada_Tax 2021.cpl.
The CPL file executes a PowerShell script that downloads another file from the URL hxxp://cawp1[.]blogspot[.]com/atom.xml. This newly downloaded file contains a .NET loader that injects the AgentTesla remote access trojan (RAT) into system processes.
The figure below shows the spam email.
Figure 1 – Spam Email
AgentTesla is a .NET-based information stealer that infiltrates computers and exfiltrates sensitive information. It mainly targets the credentials and personal information of victims. Additionally, AgentTesla has capabilities such as keylogging, stealing clipboard data, file system access, and data exfiltration to the Command and Control (C&C) server.
Technical Details
The attack lifecycle comprises several distinct stages, each serving a specific purpose to achieve its goals. These stages encompass various techniques and methodologies to facilitate initial infection, establish persistence on the targeted system, evade detection by security measures, and employ process injection for further advancements.
The figure below shows the AgentTesla infection chain.
Figure 2 – AgentTesla Infection Chain
Initial Infection
The email attachment contains a malicious CPL file named Gorgees_Ghada_Tax 2021.cpl. The SHA256 hash of this file is 72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303.
During our analysis, merely three security vendors successfully detected this malicious file, as shown in the figure below.
Figure 3 – Anti Virus Vendor Detection for Malicious CPL File
The Gorgees_Ghada_Tax 2021.cpl file behaves like a regular executable, requiring only a double-click to run. Within this file lies PowerShell code responsible for fetching a malicious PowerShell script from the hardcoded URL cawp1[.]blogspot[.]com/atom.xml and subsequently executing it via powershell.exe.
The figure below shows the code for downloading and executing the script.
Figure 4 – PowerShell Code Executed by CPL
The downloaded PowerShell script contains several obfuscated binary strings. Various binary substrings are replaced with special characters such as ‘*’ and ‘_’ for obfuscation. Once the script is executed, PowerShell reverses the process, replacing the special characters with their original binary substrings and thereby revealing the actual content of the binary strings. These deobfuscated binary strings are then transformed into additional PowerShell scripts, an executable, and a DLL file.
The figure below shows the downloaded malicious script.
Figure 5 – Powershell Script Downloaded by the CPL File
After being executed, the malicious PowerShell script drops three scripts into the C:\ProgramData\phuddiupdate directory: AdobeUpdates.vbs, Clang.vbs, and Se**logy.!!!!!!!!!!!!!!!!. These scripts facilitate a series of malicious actions, which are elaborated on in the subsequent sections.
The figure below shows the files dropped by the malicious PowerShell script.
Figure 6 – Scripts Dropped by the Malicious Powershell Script
Payload Injection
Within the script “Se**logy.!!!!!!!!!!!!!!!!”, two binary string variables, namely “BigBOSS” and “s**ybunbun”, are concealed through obfuscation. The variable BigBOSS corresponds to an obfuscated AgentTesla executable, while the variable “s**ybunbun” conceals yet another obfuscated PowerShell script.
The figure below shows the contents of the “Se**logy.!!!!!!!!!!!!!!!!” file.
Figure 7 – Contents of the Dropped Sology.~!!!!!!!!!!!!!!!!~ File
Subsequently, the PowerShell script deobfuscates the string variable “s**ybunbun” and executes the underlying PowerShell script. This deobfuscated script embeds a .NET-based loader DLL, once again concealed as a binary string. The script deobfuscates that binary string and converts it into a byte array to obtain the actual loader.
The figure below shows the script code that builds a byte array from the binary string.
Figure 8 – Script to Deobfuscate .NET Loader
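The two deobfuscation steps described above (placeholder characters expanded back into binary substrings, then the binary string converted into a byte array) as an added Python example for analysts carving the stages out of such scripts; this is not code from the post or from the malware, and the placeholder table and sample data are constructed, so a real script's table has to be read from its own replace() calls:

```python
"""Recover payloads hidden as obfuscated binary strings, as in the PowerShell
stages above. Added example; table and samples are constructed, not real."""
import re

# Constructed stand-in for the script's substitutions: one special character
# stands for one fixed run of bits.
TABLE = {"*": "0000", "_": "1111", "#": "0101"}

def obfuscate(data: bytes, table=TABLE) -> str:
    """Bytes -> 8-bit binary string -> placeholders (used only to build samples)."""
    bits = "".join(f"{b:08b}" for b in data)
    for marker, run in table.items():
        bits = bits.replace(run, marker)
    return bits

def deobfuscate(obfuscated: str, table=TABLE) -> str:
    """Expand every placeholder back into its bit run and validate the result."""
    bits = obfuscated
    for marker, run in table.items():
        bits = bits.replace(marker, run)
    if not re.fullmatch(r"[01]*", bits):
        raise ValueError("non-binary characters left over: the table is incomplete")
    if len(bits) % 8:
        raise ValueError(f"bit length {len(bits)} is not a multiple of 8")
    return bits

def bits_to_bytes(bits: str) -> bytes:
    """The script's binary-string-to-byte-array step: one byte per 8 characters."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def classify(blob: bytes) -> str:
    """Label what was recovered: a PE image (loader/AgentTesla) or a text stage."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        blob.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"

def recover(obfuscated: str, table=TABLE):
    """Full pipeline: placeholders -> bits -> bytes -> (label, payload)."""
    blob = bits_to_bytes(deobfuscate(obfuscated, table))
    return classify(blob), blob

if __name__ == "__main__":
    sample = obfuscate(b"MZ\x90\x00\x03\x00\x00\x00")  # constructed PE-like header
    print(recover(sample))
```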
Once the .NET loader binary has been reconstructed, the script invokes a designated method, C, of class B in namespace A of the .NET loader.
The figure below shows the method C of the .NET Loader DLL file.
Figure 9 – Method C of .NET Loader DLL
This DLL then performs process injection, injecting the AgentTesla executable into three distinct executables located under C:\Windows\Microsoft.NET\Framework: v4.0.30319\RegSvcs.exe, v2.0.50727\RegSvcs.exe, and v3.5\Msbuild.exe.
This process injection is accomplished by utilizing the Invoke method within the script, as shown below.
Figure 10 – Script Performing Process Injection
The ultimate injected payload is a 32-bit variant of the AgentTesla malware, with a SHA256 hash of 54ccee6fa601b22fc17e00f7bf48c9d33f103ea1d3ba6cc86986bfe19a624b4e.
Persistence
The malware employs both scheduled tasks and the Startup folder to establish persistence. The downloaded PowerShell script contains the command “schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "$KILKGGKGK C:\ProgramData\phuddiupdate\AdobeUpdates.vbs"”. This command creates a scheduled task entry in the Task Scheduler, under which the script AdobeUpdates.vbs located at C:\ProgramData\phuddiupdate is executed daily, repeating every 200 minutes (/sc MINUTE /mo 200), with no end date.
The figure below shows the task scheduler entry.
Figure 11 – Task Scheduler Entry for Persistence
Furthermore, to enhance its persistence, the PowerShell script drops two scripts, AdobeUpdates.vbs, and Clang.vbs, into the system’s startup folder. The startup folder is scanned upon starting the operating system, and any files within it are executed as part of the initialization process.
The figure below shows the start-up folder.
Figure 12 – Startup Entry for Persistence
Both scripts, AdobeUpdates.vbs and Clang.vbs, share the same code and differ only in their download URLs. Each script wraps a PowerShell command that downloads the malicious payload from its hardcoded URL every time the system starts or whenever the scheduled task fires.
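Detection logic for the chain described in this post, as an added Python example (not from the post): four process-creation rules, for the CPL host spawning PowerShell, the schtasks command registering a .vbs under ProgramData, a script host running a .vbs from the Startup folder, and PowerShell launching the RegSvcs.exe/MSBuild.exe injection targets, run over constructed Sysmon-style events; the $KILKGGKGK launcher in the task command is assumed to be wscript.exe.

```python
"""Process-creation detections for the chain described above, over constructed
Sysmon-style events. Added example; the /tr launcher is assumed to be wscript.exe."""
import re

EVENTS = [  # constructed sample telemetry: parent image, image, command line
    {"parent": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <download from hxxp://cawp1[.]blogspot[.]com/atom.xml>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "wscript.exe C:\ProgramData\phuddiupdate\AdobeUpdates.vbs"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clang.vbs"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmd": "RegSvcs.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

def _is(path, *names):
    return path.lower().endswith(tuple("\\" + n for n in names))

def cpl_spawns_powershell(e):
    # CPL files run inside control.exe/rundll32.exe; PowerShell as their child is unusual.
    return _is(e["parent"], "control.exe", "rundll32.exe") and _is(e["image"], "powershell.exe")

def schtasks_vbs_in_programdata(e):
    # Task creation whose action is a .vbs under ProgramData (AdobeUpdates.vbs here).
    c = e["cmd"].lower()
    return (_is(e["image"], "schtasks.exe") and "/create" in c and "/tr" in c
            and re.search(r'\\programdata\\[^"]*\.vbs', c) is not None)

def startup_folder_vbs(e):
    # Script host executing a .vbs dropped into the per-user Startup folder.
    return (_is(e["image"], "wscript.exe", "cscript.exe")
            and re.search(r'\\start menu\\programs\\startup\\[^"]*\.vbs', e["cmd"].lower()) is not None)

def powershell_spawns_dotnet_host(e):
    # PowerShell launching the RegSvcs.exe/MSBuild.exe injection targets from the .NET Framework tree.
    return _is(e["parent"], "powershell.exe") and re.search(
        r'\\microsoft\.net\\framework(64)?\\v[\d.]+\\(regsvcs|msbuild)\.exe$', e["image"].lower()) is not None

RULES = [cpl_spawns_powershell, schtasks_vbs_in_programdata, startup_folder_vbs, powershell_spawns_dotnet_host]

def evaluate(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, r.__name__) for i, e in enumerate(events) for r in RULES if r(e)]

if __name__ == "__main__":
    for idx, name in evaluate(EVENTS):
        print(f"event {idx}: {name}")
```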
The figure below shows the complete code of the AdobeUpdates.vbs.