Severity
High
Analysis Summary
Agent Tesla, a remote access trojan (RAT), has adopted new delivery and evasion techniques to get around defensive controls and monitor its victims. It employs a multi-stage installation process and uses Tor and the Telegram messaging API to communicate with its command-and-control (C2) server. Two versions of Agent Tesla, version 2 and version 3, are currently found in the wild. Agent Tesla's constant evolution is designed to make sandbox and static analysis more difficult, to improve the malware's success rate against sandbox defenses and malware scanners, and to provide more C2 options to its attacker customers.
Additional features have been incorporated over time that allow it to monitor and collect the victim’s keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.
Agent Tesla now attempts to patch code in the Antimalware Scan Interface (AMSI) so that the malicious payloads fetched by its first-stage downloader are not scanned; that downloader then retrieves obfuscated, base64-encoded code from Pastebin (or Hastebin) which acts as the loader for the Agent Tesla malware.
Furthermore, to achieve persistence, the malware copies itself to a folder and sets that folder’s attributes to “Hidden” and “System” in order to conceal it from view in Windows Explorer. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised.
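The persistence trick above (a copy of the malware in a folder marked Hidden and System) is easy to hunt for from the defender's side. The PowerShell below is an added example, not code from the Rewterz alert; the search roots and the executable extensions it flags are assumptions, and reparse points are skipped because Windows itself marks its profile junctions Hidden+System.

```powershell
# Added example: list Hidden+System folders in user-writable locations that
# contain executable content, and hash the files for comparison with IoC lists.
function Find-HiddenSystemDropFolders {
    # Assumed search roots: places a RAT can write to without elevation.
    $searchRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                     $env:PUBLIC, $env:ProgramData) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    $reparse      = [IO.FileAttributes]::ReparsePoint
    # Assumed set of extensions worth flagging inside such a folder.
    $suspectExt   = '.exe', '.dll', '.scr', '.vbs', '.js', '.ps1'

    foreach ($root in $searchRoots) {
        # -Force is required so hidden/system entries are returned at all.
        Get-ChildItem -LiteralPath $root -Directory -Force -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem) -and
                (($_.Attributes -band $reparse) -eq 0)
            } |
            ForEach-Object {
                $dir = $_
                Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
                    Where-Object { $suspectExt -contains $_.Extension.ToLower() } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Folder  = $dir.FullName
                            File    = $_.Name
                            Created = $_.CreationTime
                            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        }
                    }
            }
    }
}

# Run and show results; an empty result means no matching folders were found.
Find-HiddenSystemDropFolders | Format-Table -AutoSize
```

The SHA256 column can be matched directly against the hash indicators published with this alert; any hit, or any unexplained executable in such a folder, should be triaged rather than simply deleted so the dropper chain can be traced.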
Impact
- Credential Theft
- Information Theft
- Data Exfiltration
- Detection Evasion
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails, even if the sender’s email address looks legitimate.
- Do not download files from untrusted sources on the internet.