Recently, FortiGuard Labs captured a new malware sample that was spread via Microsoft Word documents. After some quick research, I discovered that this was a new variant of the Agent Tesla spyware. I analyzed another sample of this spyware last June and published a blog about it. In this blog, I want to share what’s new in this new variant.
As you can see, it asks the victim to double-click the blue icon to enable a “clear view.” Once clicked, it extracts an exe file from the embedded object into the system’s temporary folder and runs it. In this case, the exe file is called “POM.exe”.
In figure 3 we can see that the malware is written in MS Visual Basic. Based on my analysis, it’s a kind of installer program. When it runs, it drops two files, “filename.exe” and “filename.vbs”, into “%temp%\subfolder”. It then exits the process after executing the file “filename.vbs”. Below, in figure 4, is the content of “filename.vbs”.
To make it run automatically when the system starts, it adds itself (runs filename.vbs) to the system registry as a startup program. It then runs “%temp%\filename.exe”.
When “filename.exe” starts, like much other malware it creates a suspended child process with the same name to protect itself (classic process hollowing). It then extracts a new PE file from its resources and overwrites the child process memory with it. Afterwards, it resumes execution of the child process. This is when the code of that new PE file, which is the main part of this malware, starts executing.
Let’s go on to the analysis of the child process. It first checks whether the environment variable "Cor_Enable_Profiling" is set to 1, and whether the modules "mscorjit.dll" and "clrjit.dll" have been loaded (see figure 6). If any of these checks is true, it exits the process without doing anything. So far, I have no idea what the exact purpose of this is, but it is likely some kind of anti-analysis check.
If the process doesn’t exit, it loads a named resource. The resource name is "__", which is a string decrypted from a local variable. Afterwards, by calling the API functions “FindResource” and “LoadResource”, it reads the resource data into process memory. Figure 7 shows the “__” resource in CFF Explorer. The data is clearly encrypted.
By decrypting the “__” data, we obtain another PE file, which is a .Net framework program. This is loaded into the child process memory. It reads the sections of the .Net program into memory according to the PE file headers, imports the APIs defined in the import table for .Net programs, relocates the offset of the function “_CorExeMain”, and builds the .Net framework running environment by calling several APIs. Finally, it jumps to the entry point of the .Net program, which later jumps to “_CorExeMain” – the entry point of all .Net programs – to execute this .Net program. You can see in figure 8 how it jumps to the “_CorExeMain” function.
In order to further analyze the .Net program, I dumped it from the child process memory into a local file. This allowed me to launch it independently rather than running it within the child process. This also allowed me to load it into the .Net program analysis tools to analyze it.
The dumped file has an incorrect PE header. I manually repaired it so that it can be executed, debugged, and parsed by .Net program analysis tools. Figure 8 shows the main function of the .Net program in an analysis tool.
As you may have already noticed, it uses some kind of code obfuscation technique to increase the difficulty of code analysis. In the following sections, some method, class, and variable names have been renamed to make them understandable.
All the constant strings in the .Net program are encoded and saved within a large buffer, and every string is assigned an index. Whenever it needs to use a string, it calls a function with the string’s index to get the string. If the string is encoded, it passes the encoded string to another function to get it decoded. In figure 10 we can see that it reads the huge string into the big buffer—“Pkky9noglfauhKN1Fjq.QOZ4uWBaWw”.
“3172” is the string index.
“XtL6rF5GoidQVxdCxi.R6ybT342I” is the decoding function. After decoding, we get the string “True\x00\x00\x00\x00\x00\x00\x00\x00”, i.e. “True” with trailing null padding.
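The lookup-by-index pattern described above is common to many .Net obfuscators, and when the decoding routine is understood, an analyst normally scripts it rather than stepping through each call. The following is an added example (not code from the post or from the malware) that models that pattern: a constructed string table where every entry is addressed by a byte offset playing the role of the “string index”, an “is encoded” flag decides whether the decoding function is invoked, and decoded values are stripped of the NUL padding seen in the “True” example. The record layout, the base64-plus-XOR encoding and the key are assumptions invented for the example; the real sample’s scheme is not documented here.

```python
import base64
import struct

# Constructed model of an obfuscator string table (NOT the real Agent Tesla
# format, which the post does not document). One large byte buffer; each entry is
#   [u16 little-endian payload length][1-byte flags][payload]
# A caller refers to an entry by its byte offset, i.e. the "string index".
FLAG_ENCODED = 0x01
XOR_KEY = 0x5A  # hypothetical single-byte key used by the constructed sample


def _encode_entry(text: str, encoded: bool) -> bytes:
    """Build one table entry; used only to construct the sample buffer."""
    payload = text.encode("utf-8")
    if encoded:
        xored = bytes(b ^ XOR_KEY for b in payload)
        payload = base64.b64encode(xored)
    return struct.pack("<HB", len(payload), FLAG_ENCODED if encoded else 0) + payload


def build_sample_table(entries):
    """Return (buffer, {label: index}) for a list of (label, text, encoded) tuples."""
    buf = bytearray()
    index_of = {}
    for label, text, encoded in entries:
        index_of[label] = len(buf)
        buf += _encode_entry(text, encoded)
    return bytes(buf), index_of


def decode_string(payload: bytes) -> str:
    """Counterpart of the 'decoding function': base64 -> XOR -> strip NUL padding."""
    raw = bytes(b ^ XOR_KEY for b in base64.b64decode(payload))
    return raw.decode("utf-8", errors="replace").rstrip("\x00")


def get_string(buffer: bytes, index: int) -> str:
    """Counterpart of the 'lookup function': fetch the entry at `index`,
    decode it only if the flag says it is encoded."""
    length, flags = struct.unpack_from("<HB", buffer, index)
    start = index + 3
    payload = buffer[start:start + length]
    if flags & FLAG_ENCODED:
        return decode_string(payload)
    return payload.decode("utf-8", errors="replace").rstrip("\x00")


def dump_all_strings(buffer: bytes):
    """Walk the whole table sequentially, the way an analyst batch-decodes it
    once the layout is known, returning (index, plaintext) pairs."""
    out = []
    pos = 0
    while pos + 3 <= len(buffer):
        length, _ = struct.unpack_from("<HB", buffer, pos)
        out.append((pos, get_string(buffer, pos)))
        pos += 3 + length
    return out


# Constructed sample table. Values are placeholders, not indicators from the sample.
SAMPLE_BUFFER, SAMPLE_INDEX = build_sample_table([
    ("true_padded", "True" + "\x00" * 8, True),    # mirrors the decoded "True\x00..." above
    ("smtp_host", "smtp.example.invalid", True),   # placeholder host name
    ("subject", "Passwords Recovered", True),
    ("plain", "Player", False),                    # stored unencoded: lookup skips decoding
])

if __name__ == "__main__":
    for offset, text in dump_all_strings(SAMPLE_BUFFER):
        print(f"index {offset:5d}: {text!r}")
```

Once the real table layout and decoding routine have been identified in a debugger, the same walk can be run over the dumped buffer to recover every string in one pass, which is usually the fastest way to expose configuration such as server names and subject strings.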
When the main function is called, it first pauses for 15 seconds by calling the “Thread::Sleep()” function. This may allow it to evade sandbox detection.
As my analysis in the previous blog showed, Agent Tesla is spyware. It monitors and collects the victim’s keyboard input, system clipboard, and screenshots of the victim’s screen, and it collects credentials from a variety of installed software. To do that it creates many different threads and timer functions in the main function. So far, through my quick analysis, this version is similar to the older one. As I did not find much change, I won’t discuss it further here but simply refer you to the previous blog analysis.
However, the way it submits data to the C&C server has changed. It used to use HTTP POST to send the collected data. In this variant, it uses SMTPS to send the collected data to the attacker’s email box.
Based on my analysis, the commands used in the SMTP method include “Passwords Recovered”, “Screen Capture”, and “Keystrokes”, among others. The commands are identified within the email’s “Subject” field. For example:
“System user name/computer name Screen Capture From: victim’s IP”
Here’s an example to show you how it sends the collected credential data to the attacker’s email address. Figure 10 shows the email content that will be sent out with my PC information along with the collected credentials. It enables SSL and uses TCP port 587. The “Body” field is the collected data in HTML format. The “Subject” field contains the command “Passwords Recovered", which tells the recipient that this email contains credentials.
The attacker registered a free zoho email account for this campaign to receive victims’ credentials. Figure 11, below, shows the SMTP server and its login information. You can see the attacker’s SMTP credential “UserName” and “Password” as well as the SMTP server.
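Because the subject line doubles as the command channel, its fixed shape (“user/computer Command From: IP”) is a usable detection artifact for anyone who can see outbound submission traffic or mail-gateway logs. The following is an added example written for this post, not code from the original analysis: it parses constructed mail-gateway log lines, matches the subject against the three commands named above, and summarizes what each victim machine has sent. The log field layout (`src=`, `dst_port=`, `starttls=`, `subject=`) and all hosts, users and addresses are assumptions made up for the example.

```python
import re
from collections import Counter

# Subject-line "commands" named in the analysis above.
KNOWN_COMMANDS = ("Passwords Recovered", "Screen Capture", "Keystrokes")

# "<user>/<computer> <Command> From: <victim IP>", following the pattern quoted above.
SUBJECT_RE = re.compile(
    r"^(?P<user>.+?)/(?P<host>\S+)\s+"
    r"(?P<command>" + "|".join(re.escape(c) for c in KNOWN_COMMANDS) + r")"
    r"\s+From:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed mail-gateway log lines (not real captures). The field layout is an
# assumption; adapt LOG_RE to the gateway actually in use.
SAMPLE_LOG = """\
2019-01-10T09:12:01Z src=10.0.3.21 dst_port=587 starttls=yes subject="alice/WS-0042 Passwords Recovered From: 10.0.3.21"
2019-01-10T09:12:40Z src=10.0.3.21 dst_port=587 starttls=yes subject="alice/WS-0042 Screen Capture From: 10.0.3.21"
2019-01-10T09:13:02Z src=10.0.5.7 dst_port=25 starttls=no subject="Re: Q1 budget review"
2019-01-10T09:14:15Z src=10.0.3.21 dst_port=587 starttls=yes subject="alice/WS-0042 Keystrokes From: 10.0.3.21"
2019-01-10T09:15:00Z src=10.0.9.3 dst_port=587 starttls=yes subject="bob/LAPTOP-7 Screen Capture From: 10.0.9.3"
2019-01-10T09:16:11Z src=10.0.5.8 dst_port=587 starttls=yes subject="Screen Capture of my kitchen remodel"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst_port=(?P<port>\d+)\s+'
    r'starttls=(?P<tls>\S+)\s+subject="(?P<subject>[^"]*)"'
)


def classify_subject(subject: str):
    """Return the parsed fields if the subject follows the command pattern, else None.
    A subject that merely contains a command word (last sample line) does not match."""
    m = SUBJECT_RE.match(subject)
    return m.groupdict() if m else None


def scan_log(text: str):
    """Yield one hit per log line whose subject matches the command pattern."""
    hits = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue
        info = classify_subject(lm.group("subject"))
        if info is None:
            continue
        hits.append({"ts": lm.group("ts"), "src": lm.group("src"),
                     "port": int(lm.group("port")), **info})
    return hits


def summarize(hits):
    """Group hits by (user, computer) and count which commands each one sent."""
    by_victim = {}
    for h in hits:
        key = (h["user"], h["host"])
        by_victim.setdefault(key, Counter())[h["command"]] += 1
    return by_victim


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for (user, host), counts in summarize(found).items():
        print(f"{user}@{host}: {dict(counts)}")
```

In a real deployment the subject is only visible where TLS is terminated (the gateway or an inspecting relay); where it is not, the combination of a workstation submitting mail directly to an external server on port 587 with a burst of messages at fixed intervals is the weaker but still useful signal.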
As I explained above, the collected data in the mail body is in HTML format. I copied the HTML content into a local HTML file and was able to open it in the IE browser to see what the malware had harvested from my test environment. In figure 13, you can see the screenshot of my PC information along with the related credentials in an IE browser.
It also drops a daemon program from the .Net program’s resource named “Player” into the “%temp%” folder and runs it to protect “filename.exe” from being killed.
The daemon program’s name is made up of three random letters, as you can see in figure 15. It’s also a .Net program and its main purpose is very clear and simple. Figure 16 shows the daemon program’s entire code in an analysis tool.
You can see that the main function receives a command line argument (for this sample, the full path to “filename.exe”) and saves it to a string variable called “filePath”. It creates a thread, and in the thread function it checks every 900 milliseconds whether the file “filename.exe” is running. It runs it again whenever “filename.exe” is killed.
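Two behaviours described in this post stand out in process-creation telemetry: the suspended child process with the same image name (the hollowing step described earlier) and the daemon re-launching “filename.exe” within about a second of every kill. The following is an added example, not code from the post or the sample, that runs two simple heuristics over constructed process-creation events: a self-spawn check (parent image equals child image) and a respawn-loop check (the same parent launching the same child image repeatedly within a short window). The event format, the image names and the daemon’s three-letter name “qzt.exe” are assumptions made up for the example.

```python
from collections import defaultdict, deque

# Constructed process-creation events (not real telemetry):
# (time_ms, parent_image, child_image). The chain mirrors the post's description;
# "qzt.exe" stands in for the daemon's random three-letter name.
SAMPLE_EVENTS = [
    (0,     "explorer.exe", "winword.exe"),
    (1200,  "winword.exe",  "POM.exe"),
    (1900,  "POM.exe",      "wscript.exe"),
    (2600,  "wscript.exe",  "filename.exe"),
    (3300,  "filename.exe", "filename.exe"),   # suspended child with the same name
    (4100,  "filename.exe", "qzt.exe"),        # daemon dropped to %temp%
    (9000,  "qzt.exe",      "filename.exe"),   # filename.exe killed; daemon restarts it
    (9950,  "qzt.exe",      "filename.exe"),   # killed again, restarted ~900 ms later
    (10900, "qzt.exe",      "filename.exe"),
    (30000, "explorer.exe", "notepad.exe"),    # benign noise
    (31000, "explorer.exe", "notepad.exe"),
]


def find_self_spawns(events):
    """Return (time, image) for every process that launched a child with its own
    image name. Legitimate programs do this too (browsers, updaters), so treat it
    as a hunting lead rather than a verdict."""
    return [(ts, child) for ts, parent, child in sorted(events) if parent == child]


def find_respawn_loops(events, min_count=3, window_ms=10_000):
    """Flag (parent, child) pairs where one parent image launches the same child
    image at least `min_count` times inside a sliding `window_ms` window, the
    signature of a watchdog restarting a process that keeps getting killed.
    Returns {(parent, child): max launches seen within one window}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, parent, child in sorted(events):
        key = (parent, child)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop launches outside the window
            q.popleft()
        if len(q) >= min_count:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ts, image in find_self_spawns(SAMPLE_EVENTS):
        print(f"{ts:6d} ms  self-spawn: {image}")
    for (parent, child), n in find_respawn_loops(SAMPLE_EVENTS).items():
        print(f"respawn loop: {parent} -> {child} ({n} launches within window)")
```

The respawn check also explains why terminating “filename.exe” alone during triage is ineffective: the daemon and the VBS startup entry have to be removed together, so the containment step is to suspend or stop both parent and child before cleanup.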
The file “PPSATV.doc” has been detected as “W32/VBKrypt.DWSS!tr”, and “POM.exe” has been detected as “W32/VBKrypt.DWSS!tr” by FortiGuard AntiVirus service.
We have informed Zoho of the email account which is being used in this AgentTesla campaign.
Random name daemon program