• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Dridex Banking Trojan Active Again
September 26, 2019
Rewterz Threat Alert – PowerShell Ransomware
September 26, 2019

Rewterz Threat Alert – AgentTesla Total Oil Themed Campaign

September 26, 2019

Severity

Medium

Analysis Summary

A recent Total Oil themed campaign being used to distribute the AgentTesla malware. The campaign begins with a phishing email masquerading as an order request from a Liberian oil company employee. Under this guise, the attacker attempts to convince a user to open a Word document and enable macro execution. If successful, an obfuscated VBA macro fulfils its purpose of decoding and executing a PowerShell script. The PowerShell script is responsible for de-obfuscating a C# source code snippet that is subsequently compiled and loaded within that PowerShell process. Once loaded, one of the methods within the C# code is invoked, specifically the one responsible for downloading and executing a malicious payload from a remote URL. This payload was identified to be a .NET loader. Prior to loading the malware, the loader performs a series of anti-sandbox and anti-debugging techniques to exit the program if any related conditions are met. If all checks pass, an executable embedded in the loader is run in a new thread. Analysis revealed that the loaded file is an Agent Tesla keylogger that has significant code overlap with the Hawkeye malware. After establishing persistence via a Registry Run key, the malware performs its ultimate goal of retrieving credentials stored within various applications, such as web browsers, FTP clients, and file downloaders. The malware is capable of using the .NET API to set up a mail client that is used for exfiltrating the harvested credentials to the attacker via SMTP.

Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URLs

http[:]//www[.]handrush[.]com/wp-content/plugins/akismet/views/DurGhamPop[.]exe

Malware Hash (MD5/SHA1/SH256)

  • 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
  • 6b3bec68b760ac3f3f1b8a4668ac4bccde262ecdf1dc93a5329fa58eefdfb47b
  • 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
  • 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
  • a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.