November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – Dridex Banking Trojan Active Again
September 26, 2019Rewterz Threat Alert – PowerShell Ransomware
September 26, 2019Rewterz Threat Alert – Dridex Banking Trojan Active Again
September 26, 2019Rewterz Threat Alert – PowerShell Ransomware
September 26, 2019
Severity
Medium
Analysis Summary
A recent Total Oil themed campaign being used to distribute the AgentTesla malware. The campaign begins with a phishing email masquerading as an order request from a Liberian oil company employee. Under this guise, the attacker attempts to convince a user to open a Word document and enable macro execution. If successful, an obfuscated VBA macro fulfils its purpose of decoding and executing a PowerShell script. The PowerShell script is responsible for de-obfuscating a C# source code snippet that is subsequently compiled and loaded within that PowerShell process. Once loaded, one of the methods within the C# code is invoked, specifically the one responsible for downloading and executing a malicious payload from a remote URL. This payload was identified to be a .NET loader. Prior to loading the malware, the loader performs a series of anti-sandbox and anti-debugging techniques to exit the program if any related conditions are met. If all checks pass, an executable embedded in the loader is run in a new thread. Analysis revealed that the loaded file is an Agent Tesla keylogger that has significant code overlap with the Hawkeye malware. After establishing persistence via a Registry Run key, the malware performs its ultimate goal of retrieving credentials stored within various applications, such as web browsers, FTP clients, and file downloaders. The malware is capable of using the .NET API to set up a mail client that is used for exfiltrating the harvested credentials to the attacker via SMTP.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
URLs
http[:]//www[.]handrush[.]com/wp-content/plugins/akismet/views/DurGhamPop[.]exe
Malware Hash (MD5/SHA1/SH256)
- 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
- 6b3bec68b760ac3f3f1b8a4668ac4bccde262ecdf1dc93a5329fa58eefdfb47b
- 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
- 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
- a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.