
Rewterz Threat Alert – Latest Agent Tesla Infection Chain

July 8, 2020

Severity

High

Analysis Summary

Researchers have analyzed the latest Agent Tesla campaign, focusing on its newest infection chain, which uses a long, multi-stage process to deliver the final payload. It starts with a phishing email carrying an RTF attachment. The RTF document contains several embedded OLE objects, each of which wraps an OOXML package. Each of these objects prompts the user to enable macros so that the VBA code inside the OOXML package can run. The VBA code is so heavily obfuscated that automated malware analysis tools could not process it; manual debugging shows that, taken together, the VBA fragments assemble a PowerShell blob. The PowerShell is likewise obfuscated to hinder analysis and has two purposes: bypass AMSI and download a file. The downloaded file is an Agent Tesla executable. It first establishes persistence via a scheduled task, then disables Task Manager, and finally steals Wi-Fi passwords and application credentials. These credentials are exfiltrated over SMTP using a hardcoded email address and password. The researchers note that a similar infection chain has been seen in the past, but it was previously distributing Lokibot.

Figure: infection flow diagram
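The first stage of this chain (RTF, embedded OLE objects, an OOXML package per object, VBA inside) can be triaged without running the macros. The script below is an added example, not the researchers' tooling and not Rewterz code: it decodes the `\objdata` hex of every embedded object in an RTF, carves the OOXML zip out of the decoded bytes and flags any package that carries a `vbaProject.bin`. The RTF it builds for the demo is constructed, and the eight OLE1 header bytes in it are a stand-in rather than a real header. Carving on the zip signature is a heuristic: it misses a package whose bytes are split across compound-file sectors, so treat a miss as inconclusive and follow up with a dedicated parser such as oletools' rtfobj.

```python
import binascii
import io
import re
import zipfile

# {\*\objdata <hex>} holds the OLE1-wrapped object; capture everything up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")
CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")
ZIP_SIG = b"PK\x03\x04"


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex run in the RTF into raw object bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = CONTROL_WORD_RE.sub(b"", m.group(1))  # drop stray control words inside the hex
        hexrun = NON_HEX_RE.sub(b"", hexrun)           # drop whitespace and line breaks
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]                       # tolerate a truncated trailing nibble
        if hexrun:
            blobs.append(binascii.unhexlify(hexrun))
    return blobs


def triage_objects(rtf: bytes) -> list[dict]:
    """For each embedded object, carve the first zip (OOXML package) and look for a VBA project."""
    findings = []
    for i, blob in enumerate(extract_objdata_blobs(rtf)):
        entry = {"object": i, "size": len(blob), "ooxml": False, "has_vba": False, "entries": []}
        start = blob.find(ZIP_SIG)
        if start != -1:
            try:
                with zipfile.ZipFile(io.BytesIO(blob[start:])) as zf:
                    names = zf.namelist()
                entry["entries"] = names
                entry["ooxml"] = "[Content_Types].xml" in names
                entry["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            except zipfile.BadZipFile:
                pass  # zip fragmented across compound-file sectors, or not a zip at all
        findings.append(entry)
    return findings


def matches_campaign_pattern(findings: list[dict]) -> bool:
    """The chain in this advisory: RTF -> embedded OLE object -> OOXML package -> VBA project."""
    return any(f["ooxml"] and f["has_vba"] for f in findings)


def build_sample_rtf() -> bytes:
    """Constructed test document (not a real sample): two embedded packages, one carrying VBA."""
    def package(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1stub")
        return buf.getvalue()

    ole1_prefix = b"\x01\x05\x00\x00\x02\x00\x00\x00"  # stand-in for the OLE1 header bytes before the payload
    objects = [ole1_prefix + package(True), ole1_prefix + package(False)]
    body = b"".join(b"{\\object\\objemb{\\*\\objdata " + binascii.hexlify(o) + b"}}" for o in objects)
    return b"{\\rtf1\\ansi Please enable macros to view this document." + body + b"}"


if __name__ == "__main__":
    results = triage_objects(build_sample_rtf())
    for r in results:
        print(f"object {r['object']}: {r['size']} bytes, ooxml={r['ooxml']}, vba={r['has_vba']}, entries={r['entries']}")
    print("matches campaign pattern:", matches_campaign_pattern(results))
```

Point `triage_objects` at the bytes of a quarantined attachment to get one record per embedded object; the `entries` list is worth keeping in the ticket, since the package file names are what distinguish an OOXML document from an arbitrary packaged file.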

Impact

  • Credential theft
  • Information theft

Indicators of Compromise

SHA-256

  • 840a22c718e33120f6e47c310497148ca903912a46458fbf9f21edc8976074ce
  • 842ad0c1407a7c87c9f76a7a55d56f36dfef501495f56dbad4d28f04b807b63a
  • b0f8dd641769a080b640dbaa2666b5982344642335372ee4680fa5a6e771991d
  • ce212984a9ed60ef6015bfb2f930a0f501a2f6f373c9fa68af54fe8f68d4de9e
  • c03f438d814bd52be15b47743b44519263aaeded731dcfac7e9070628a41d70a
  • 20ae23fa54d2f997c50f85b9977899255822fbe200e17d933b430561adcd1e12
  • 859a9f0c613775907c2cda4d946159e7991ee6f9be430fe5658e95e7e5a0388b
  • a60c7244206b635d18c244028c1b1dc4c07da716e0ff78529692bc667f117195
  • 2bbc9c51a29557cf8934de723236bf2f5683391d3d57d7d86410221d30b53bd3
  • 3fe1d15c026ad8fa1c510ac3d4982f38be59e84cef34119fff0aad6fad35bc54
  • f11ee07c633a0ad6a88ec9cb3e798dda02d6459b5eb35eb00d403d8445b0c554
  • 402f2be1b65ae460898ccbf47a475430cc5c64c548228481ad062934f6a85aa2
  • eec9b14da6a2745f089361002429d13b044d66dedf944e951b39f9d243ae3df9
  • 786f2eaa675e1ee953a159eb4a4ccb734b1adf16ede28dd7b801df9a612a4167
  • fd26d992e3014118d345027e8a3c482519d75ef0fda12241d244e3a80abeda67
  • 2f9d34c9752df5565c79ed5d0dab3e4c48f5c3de22f54180388a90e3e0b30c9a
  • d8be93b858f4ddfe0f6dab717e269665a56d862b86781da908fafa31be2ec509
  • 518eb357618f85a419cdeba49b45f8a98441a6a2df1edebb2376cd0a0e98f56f
  • 256777b273432143492346edc89f678e386cb4569e8fd48645e28245977f5856
  • 6d0636869e65966bbb79fb58a0af016e9af41420978a43b5c2eb1ed462a24724
  • a114858d777f74faafadca52424a9fca33426dc5f3c4777453348e359115ac6d
  • bf36d5e468b5c654a47ebf07b4a0ef9e192307674960f7fdf22d6e3cb3e85177
  • 6189ddb04b9bbb45474ed48c6685d316c06458da3d9b430727ade08cc344f235
  • dc1b5e7c4aeb32c2370fc03983502639d31c2c4fdecdb12b6248351daa38129a
  • d7f2a3ec1aae489bc44b7819ce6f4e5029282b8f8d2064fccfe1804278c38d11
  • d6779d721788c2826a9cd43cb01c3279c8aaca4a3210c5331125c08a9be32557
  • 1a8ee2fcf777abbcc6d3eda5a52f5cdb2269cc8a6e7e339b01c04d47138bb702
  • a16cdca08584f03a1deaefa94393914bb317e80bd2a2b9f5da7c0b4355a1fddd
  • 52f2e17287a2f975d30fdda43b44c67b5f70a168ccf97696b7d95a962d46dd7a
  • 167760bf97f12f6ef1d66ca2db17a5a0ed2d594f86f3d8716c83e7d66d502f3e
  • 0d873ad2a42333ee77bb18bb92c920afe94fe3c108de28fc4bb89901eb12161c
  • 8ac06f7b667d0ae9fc2e0940efba2d580af0dab54825275b7f85cb5ac37c6f05
  • e5ade604474407fc742a5b99996b1aae86695493eb71d5fc2478fb78238a0799
  • c4d7f76ca3ccc9a7f8763e4688cc2660a1164674f14c86fd384153b5e2fa566f
  • b2c6e93875ed9728da141566603ad47a71a82d3867313744ceca367158c2b20c
  • 356c459692775dae1f20998c5d39f51a4b94ac01de509fa609844eee8adab19f

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click links or open attachments sent by unknown senders.
  • Do not enable macros in documents from untrusted sources; this chain cannot proceed until the user does.
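The first bullet is only actionable if the listed hashes are actually compared against files. The script below is an added example (not Rewterz tooling) that parses SHA-256 values out of an advisory's bullet list and sweeps a directory tree for matching files, hashing in chunks so large binaries do not have to fit in memory. The indicator set in `demo()` is constructed: it mixes two hashes from the list above with the digest of the bytes `abc` so that the offline run produces a hit; that third value is a standard test vector, not an Agent Tesla indicator.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# One SHA-256 per token; bullets, indentation and upper-case hex are all tolerated.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def parse_ioc_list(text: str) -> set[str]:
    """Pull every SHA-256 out of advisory text, normalised to lower case."""
    return {m.group(0).lower() for m in SHA256_RE.finditer(text)}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Walk `root` and return (path, digest) for every file whose SHA-256 is in `iocs`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo() -> int:
    # Constructed indicator set: two hashes from this advisory plus sha256(b"abc"),
    # which is a test vector included only so the demo produces a match offline.
    ioc_text = """
      • 840a22c718e33120f6e47c310497148ca903912a46458fbf9f21edc8976074ce
      • 842ad0c1407a7c87c9f76a7a55d56f36dfef501495f56dbad4d28f04b807b63a
      • ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    """
    iocs = parse_ioc_list(ioc_text)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "invoice.exe").write_bytes(b"abc")            # constructed "hit"
        (root / "readme.txt").write_bytes(b"nothing to see")  # constructed benign file
        hits = sweep(root, iocs)
        for p, digest in hits:
            print(f"IOC hit: {p} {digest}")
        return len(hits)


if __name__ == "__main__":
    print("hits:", demo())
```

For a real sweep, paste the full SHA-256 list from this advisory into a text file, feed it to `parse_ioc_list`, and point `sweep` at the download, mail-attachment and user-profile directories of the hosts that received the phishing email.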
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.