Rewterz Threat Alert – Lebanese Cedar APT Targeting Organizations in Middle East and Beyond

February 2, 2021

Rewterz Threat Alert – Linux malware Hijacking Supercomputers Across the Globe

February 3, 2021

Rewterz Threat Alert – Agent Tesla Malware Using New Delivery and Evasion Techniques

February 3, 2021

Severity

High

Analysis Summary

New delivery and evasion techniques have been adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims. It also employs a multi-stage installation process and makes use of Tor and Telegram messaging API to communicate with a command-and-control (C2) server. Two versions of Agent Tesla — version 2 and version 3 — have been found currently in the wild. Agent Tesla’s constant evolution is designed to make a sandbox and static analysis more difficult. This is also meant to improve the success rate of the malware against sandbox defenses and malware scanners, and to provide more C2 options to their attacker customers.

Additional features have been incorporated over time that allow it to monitor and collect the victim’s keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.

Agent Tesla now attempts to modify code in AMSI in a bid to skip scans of malicious payloads fetched by the first-stage downloader, which then grabs obfuscated base64-encoded code from Pastebin (or Hastebin) that acts as the loader for the Agent Tesla malware.

Furthermore, to achieve persistence, the malware copies itself to a folder and sets that folder’s attributes to “Hidden” and “System” in order to conceal it from view in Windows Explorer. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised.

Impact

Credential Theft
Information Theft
Data Exfiltration
Detection Evasion

Indicators of Compromise

MD5

5c2d611f489645bb8c8f5cbe242dfaf6
90c9f4e084129f1fa5d049c541659040
1423abbed0592827d03f0f9a874e5c7f
7c5e768c2bd67a5aa972545713ece159
ed8c39da5e9203d323c43b4a24dc4a05
e6f3405f7d1577edbf08f1b53860726a
69aa062631b0f34457946caab856ca36
80d26a06ca5e124952c061e45abb7372
27f4f0195698c08368094d04d2a1636f
2e7189468b92cbf4856c2125eb0b9f38
40712159728484961a4877b7aebcf9c4
10ddf8f5230f9781bbf7695da59226cd
5f082cf46f14d525157b1269992192b0
625c295bc0cb89c6c72977620589e73a
80f33f93e2d6866a8d42db2f98e86e98
1c986a692567e1322cadcc40f26e6a98
17bab5b62a5bb7e8b2e55b99f43316da
0a0576c3932b07c6f7dcd3bed825fc04
3b5082e38db89105b8ad73a0293dd597
fc73a0553b04f6dd25a3cb0788bafa0c

SHA-256

2f9ff6d0d81c7583ca4baa344964826b261d77b1529c72f506e42a2ba9aca322
14f9fbded0f329afdf5aa4ab3e5579e02eb6de0a62059241c35094a06adb5823
31bf9fd5d1da4444425d7bae26573e211973a4b0e084a1bd2789b4352c0c6b2a
acf1fca2b9cf0167636bf0d6c2d1c615242ed38f220edce9c894f0709c582b4c
692470a3fb13194e002519812178d5a5f95e304965dc6bb713ec54e8cfb050bb
adc5fa3993d299a68a8505beb8eb1a9cc278eb4aca4140cd48403b23f7a5c9a9
d720d5e55684cbf894809d5963e95d6613af588bfaeb0ecfa6001beb533d0232
d89bb6cb8e3dbc902d6b50dc3fa82bf46dd031597b9a9fca426c9b37f73c5fa6
f10ddd85c63a0381ac6fe2695eb8f62696b53b8a9bf85fd1fafb98210e411012
d16ef5665f424549664067281a16d00a497cb7c9def17be02ad609686f5959ff
5b2f1ddba07f4daac1dc624706048ee3e8939e9b48771ec821d5b85a5f7e10c6
9978c88787881d5683f4e139000a9e1b7ab2046cb44c61a41a9446945a0ee880
c0320eb242a97e9bb6d424162516bf2d740aad52b030730092f4c937a6f61548
2c6b6f4d52a343c5ab522dba5843c056f1451b68d8fefef9d2b6833fadfa5b80
9219fa2bb3d0927e0b6a90653ebdaf501b268f2989a330227cac81e5687bad1e
fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2
186d740661da6db7dc36976d8214442c6abe585e57cc27d7c9cb00f9fbe91e14
2a5abaac43855eba69f0604c77707c72d197c3b3118d458f2a944f371bc65fdd
0a500592582f35f80169c870dccc416eaf9778f7ec0a43d343764a764222f036
3d3660afdbabdc621091ece30c3735e90588abd23d8c7d3e5608a2a184902b20

SHA1

16cb10bbe64dbda70f39eefcf4f90dd59e60c026
f77cb31924676252f281bf425bda64a46a8c08b5
d6de3eb93cc8eece2ba1c6daf3784cddc404f93d
627838b22c6ee3bdd4618575b712eb5257a88c04
813157e4bfc27dab301df3cae51840508a871f8f
0ab199b0f3434d6be1e754aec2cf4bba826a3f51
d400059530e14fae4642538a7a44a77a4a69ae24
ef1ae03031cca8a61a25e374e754f26995b2ee4c
fd3f701f13285d136a720eadc84dffee5fbd6700
9df0830f4d9b0387c204aafea78c90a4e167b8a4
4858876fe2f063f76967c3db7e64a17255a6f645
d9731eb63ca3f4d067b4531cd1496ea2e3615138
c410f8433ecb2e4025157dd376ba864429b201b9
5615f3753116f2daea0eade4610b379955178b4d
14b91bb01e850e20fa7b2e4002e46af801351a8b
a482c554d1968bc510d3d0e6466a9bf73797b128
b08482380348a90d55eb20cdcfb6094369262588
76588a86b1d9898f2bdb1dcac42642ff0c9833b2
8b65ae26ffd7d9def25f0c1eaaefbc055fecf909
b83cdbb0127f2417a4651b81298085c6de4ce102

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails, even if the sender’s email address looks legitimate.
Do not download files from untrusted sources on the internet.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us