
Rewterz Threat Alert – New AgentTesla variant steals WiFi credentials

April 20, 2020

Severity

Medium

Analysis Summary

AgentTesla is known for stealing data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. A new addition to this toolkit is the capability to steal WiFi profiles. In the past two months it has been actively distributed through spam campaigns in a range of container formats, including ZIP, CAB, MSI and IMG files and Office documents.

The first-stage executable (ReZer0V2) carries an encrypted resource. After running several anti-debugging, anti-sandboxing and anti-virtualization checks, it decrypts the resource and injects its content into its own process. The second-stage payload (owEKjMRYkIfjPazjphIDdRoPePVNoulgd) is the main AgentTesla component, which steals credentials from browsers, FTP clients, wireless profiles and more.

To collect wireless profile credentials, the payload spawns a new "netsh" process with "wlan show profile" as its argument. The names of the available WiFi profiles are then extracted from the process's stdout with the regex "All User Profile * :  (?<profile>.*)". A profile name on its own is not a credential: it is the input netsh needs to reveal the stored passphrase of that profile (netsh prints the key only when asked for a named profile with key=clear), which is why the enumeration step matters to the stealer and is worth watching for on the endpoint.

In addition to WiFi profiles, the payload gathers extensive information about the system, including FTP client, browser and file downloader data and machine details (username, computer name, OS name, CPU architecture, RAM), and adds it all to a list. The collected information forms the body of an SMTP message in HTML format:

(Figure: collected data laid out as the HTML body of the SMTP exfiltration message)
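The enumeration step above, and a detection for it, as an added example in Python that is neither Rewterz's code nor the malware's. The first function applies a Python translation of the quoted .NET regex to a constructed sample of "netsh wlan show profile" output, which shows exactly which strings the stealer ends up with. The second classifies constructed Sysmon-style process-creation events (Image, CommandLine, ParentImage fields) and flags netsh WiFi profile enumeration launched by a non-interactive parent, and any use of key=clear regardless of parent. The sample output, the events, the parent-process allow list, the alert labels and the use of ReZer0V2.exe as the parent image are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netsh wlan show profile` stdout (not a real capture).
NETSH_SAMPLE = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : Office-Guest
    All User Profile     : CoffeeShop 5G
"""

# Python translation of the .NET pattern quoted in the advisory,
# "All User Profile * :  (?<profile>.*)". Python spells named groups
# (?P<name>...); the \s* around the colon is an assumption that makes the
# match independent of netsh's column alignment, and trailing whitespace
# (including a Windows "\r") is kept out of the captured name.
PROFILE_RE = re.compile(r"All User Profile\s*:\s*(?P<profile>.+?)\s*$", re.MULTILINE)


def extract_profiles(netsh_stdout: str) -> List[str]:
    """Profile names a stealer would pull out of `netsh wlan show profile`.

    Each name is what a follow-up `netsh wlan show profile name=<n> key=clear`
    needs in order to print the stored passphrase (Key Content).
    """
    return [m.group("profile") for m in PROFILE_RE.finditer(netsh_stdout)]


# Parents from which an interactive `netsh wlan show profile` is plausible
# (an assumed allow list; tune it to the environment).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def classify_netsh_event(event: Dict[str, str]) -> Optional[str]:
    """Label a Sysmon-style process-creation event, or return None if benign.

    Expected keys: Image, CommandLine, ParentImage (full paths, as Sysmon
    Event ID 1 logs them).
    """
    image = event.get("Image", "").lower()
    cmd = " ".join(event.get("CommandLine", "").lower().split())
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if not image.endswith("netsh.exe"):
        return None
    if "wlan show profile" not in cmd:
        return None
    # Dumping the passphrase is worth an alert whatever the parent is.
    if "key=clear" in cmd:
        return "high: wlan profile passphrase dump"
    # Plain enumeration is suspicious when no human-driven shell launched it.
    if parent not in INTERACTIVE_PARENTS:
        return "medium: wlan profile enumeration from non-interactive parent"
    return None


# Constructed process-creation events; the parent name ReZer0V2.exe is
# borrowed from the loader the advisory describes and is assumed, not observed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profile",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\ReZer0V2.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="HomeNet" key=clear',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\ReZer0V2.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profile",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\ReZer0V2.exe"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (CommandLine, label) for every event that raises an alert."""
    hits = []
    for event in events:
        label = classify_netsh_event(event)
        if label:
            hits.append((event["CommandLine"], label))
    return hits


if __name__ == "__main__":
    print("profiles the stealer would enumerate:", extract_profiles(NETSH_SAMPLE))
    for cmd, label in scan_events(SAMPLE_EVENTS):
        print(f"{label:<62} <- {cmd}")
```

The same two conditions (image is netsh.exe and the command line contains "wlan show profile", with severity raised by key=clear or by an unexpected parent) port directly to a SIEM or EDR query over process-creation telemetry; the parent allow list is where most tuning happens, since help-desk tooling in some environments runs netsh non-interactively.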

Here’s the entire workflow:

(Figure: basic activity diagram of the full AgentTesla workflow, from the ReZer0V2 loader through credential collection to SMTP exfiltration)

Since AgentTesla added the WiFi-stealing feature, the threat actors may be considering using WiFi as a mechanism for spread, similar to what was observed with Emotet's WiFi spreader module. Another possibility is that the harvested WiFi profiles are kept to set the stage for future attacks. Neither use has been observed in this variant; what is confirmed is the collection and exfiltration of the profiles.

Impact

  • Potential spread of the infection over WiFi networks (speculative; not observed in this variant)
  • Credential and information theft (WiFi profiles, browser, FTP client and file downloader data, machine details)

Indicators of Compromise

MD5

  • 5275b7d0d97df5857a820e7f28db72e7
  • 6ad753acec14769574d89e618e048fb8

SHA-256

  • dd4a43b0b8a68db65b00fad99519539e2a05a3892f03b869d58ee15fdf5aa044
  • 27939b70928b285655c863fa26efded96bface9db46f35ba39d2a1295424c07b

Remediation

  • Block the threat indicators at the respective controls (email gateway, web proxy, endpoint protection).
  • Strictly avoid opening unexpected email attachments, in particular ZIP, CAB, MSI and IMG containers and Office documents from unknown senders.
  • Hunt for and alert on netsh.exe launched with "wlan show profile" by a parent that is not an interactive shell or administration tool, and on any use of "key=clear"; legitimate use of these commands is rare and almost always interactive.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.