Researchers uncovered a phishing campaign that serves as the delivery mechanism for a new variant of the notorious Agent Tesla malware. Agent Tesla is a well-known Remote Access Trojan (RAT) and information stealer built on the .NET Framework and frequently sold as Malware-as-a-Service (MaaS). This analysis follows the campaign from the initial phishing email to Agent Tesla's actions on the victim's machine, including the exfiltration of sensitive data such as credentials, keystroke logs, and screen captures. The campaign begins with a phishing email disguised as a Purchase Order notification that urges the recipient to confirm an order from an industrial equipment supplier. Attached to the email is an Excel document named "Order 45232429.xls". The file is in the legacy OLE (compound file) format and carries equation data crafted to exploit CVE-2017-11882/CVE-2018-0802, the Equation Editor vulnerabilities, so that malicious shellcode is executed when the document is opened.
Upon opening the Excel document, a decoy message is displayed to the user while the embedded shellcode runs in the background. CVE-2017-11882/CVE-2018-0802 are critical memory corruption vulnerabilities in the Equation Editor process, EQNEDT32.EXE, that are triggered when it parses the malicious equation data and that ultimately allow arbitrary code execution. The malformed equation data overwrites the stack of EQNEDT32.EXE and redirects execution to the hidden shellcode. Once decrypted, the shellcode downloads an additional malware file from a remote URL and executes it. The downloaded file, named "dasHost.exe", is a .NET program protected by the IntelliLock and .NET Reactor packers. It extracts two fileless execution modules from its .NET resources: the Agent Tesla payload module and a Loader module for that payload. These modules are de-obfuscated, decrypted, and executed in memory by the Loader module, so the payload itself never touches disk.
The core module of Agent Tesla runs in a separate process, a common tactic that improves the malware's chances of surviving. The core module uses process hollowing: it starts a suspended instance of "dasHost.exe", injects another decrypted executable into it, and resumes the process. This core module collects sensitive information from the victim's device, including credentials saved by various applications, keystrokes, and screenshots. Keylogging is implemented with a low-level keyboard hook that intercepts input events; the captured keystrokes and their context (such as the active window) are written to a local file that is periodically sent to the attacker over SMTP. A Timer callback checks for user activity on the device and decides whether to capture and submit a screenshot. All stolen data is exfiltrated over SMTP.
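The chain described above, from Equation Editor exploitation to the downloaded "dasHost.exe" and the SMTP exfiltration, leaves a small number of host-telemetry signals that are cheap to detect. The following is an added example written for this summary, not code from the original analysis: detection logic run over constructed, Sysmon-style process-creation and network-connection records (the `Event` shape and every sample record are assumptions, not captured telemetry). It flags (1) any child process of EQNEDT32.EXE, (2) any network connection by EQNEDT32.EXE, (3) a binary carrying a Windows system-binary name such as dasHost.exe that runs from outside System32, and (4) SMTP connections from anything that is not a mail client.

```python
"""Detection logic for the EQNEDT32.EXE -> downloader -> SMTP exfiltration chain.

Added example for this write-up; it is not code from the original analysis.
The Event shape and the sample events below are constructed to mirror
Sysmon-style process-creation (ID 1) and network-connection (ID 3) records;
they are not captured telemetry.
"""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str              # full path of the acting process
    parent_image: str = ""  # process events only
    dest_ip: str = ""       # network events only
    dest_port: int = 0


EQNEDT = "eqnedt32.exe"
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list for SMTP
SMTP_PORTS = {25, 465, 587}
# Assumption: the legitimate Device Association Framework host (and svchost)
# only ever run from System32; the same name elsewhere is masquerading.
SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_BINARIES = {"dashost.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    alerts = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            # Equation Editor never needs to spawn children; the shellcode's
            # second stage (the downloaded dasHost.exe) is launched this way.
            if parent == EQNEDT:
                alerts.append(("eqnedt32_child_process", e.pid, e.image))
            # A system-binary name running outside System32 is masquerading.
            if img in SYSTEM_BINARIES and not e.image.lower().startswith(SYSTEM32):
                alerts.append(("system_binary_masquerade", e.pid, e.image))
        elif e.kind == "network":
            # Equation Editor has no reason to reach the network at all.
            if img == EQNEDT:
                alerts.append(("eqnedt32_network", e.pid, f"{e.dest_ip}:{e.dest_port}"))
            # SMTP from anything but a mail client matches Agent Tesla's exfil path.
            if e.dest_port in SMTP_PORTS and img not in MAIL_CLIENTS:
                alerts.append(("smtp_from_non_mail_client", e.pid, f"{e.dest_ip}:{e.dest_port}"))
    return alerts


EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed sample telemetry (IPs are documentation ranges, not real C2).
SAMPLE_EVENTS = [
    Event("process", 1804, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Windows\explorer.exe"),
    # EQNEDT32.EXE is an out-of-process COM server, so its parent is svchost
    # (DcomLaunch), not Excel: a parent-child rule on Excel would miss it.
    Event("process", 2200, EQN_PATH, r"C:\Windows\System32\svchost.exe"),
    Event("network", 2200, EQN_PATH, dest_ip="203.0.113.10", dest_port=80),
    Event("process", 3100, r"C:\Users\victim\AppData\Roaming\dasHost.exe", EQN_PATH),
    Event("process", 900, r"C:\Windows\System32\dasHost.exe", r"C:\Windows\System32\svchost.exe"),
    Event("network", 3100, r"C:\Users\victim\AppData\Roaming\dasHost.exe",
          dest_ip="198.51.100.7", dest_port=587),
    Event("network", 4020, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          dest_ip="198.51.100.8", dest_port=587),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Against the sample telemetry the rules fire four times: the EQNEDT32.EXE download connection, the dasHost.exe child of EQNEDT32.EXE (which also trips the masquerade rule because it runs from AppData), and the SMTP connection from that dasHost.exe; the legitimate System32 dasHost.exe and Outlook's SMTP session produce nothing. Note that the hollowed dasHost.exe described above still shows the AppData image path in process telemetry, so the masquerade rule also covers the core module's process.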
This analysis underscores how an aged security vulnerability is still being exploited through phishing emails to deliver Agent Tesla, and highlights the malware's persistence mechanisms and its capacity to steal sensitive data from infected systems, including credentials, keystroke logs, and screen captures. The full analysis presents several examples of this stolen data as it is sent to the attacker in SMTP emails. The campaign illustrates the resilience of Agent Tesla: threat actors continue to exploit dated vulnerabilities, which emphasizes the importance of timely patching and robust security controls to thwart such attacks.
We strongly recommend applying the Microsoft patches for these Office memory corruption vulnerabilities; fully updated Office installations no longer ship the vulnerable Equation Editor component.
The following reports contain further technical details: