Infostealer Being Distributed via Spam Email (AgentTesla)

AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed by email as a malicious BAT file attachment. When the BAT file is executed, it uses a fileless technique to run the AgentTesla executable in memory without writing it to the user's PC. This post explains the distribution chain, from the spam email to the final binary (AgentTesla), along with the techniques involved at each step.

Figure 1 shows the body of the spam email distributing AgentTesla. The subject line claims the message was sent from an alternative email account, and the body urges the recipient to open the attached file (.BAT). As shown in Figure 2, the attached zip archive contains a batch script (.BAT). A BAT file is a script that cmd.exe interprets when it is run, so opening it from the archive is enough to start the infection.

Figure 1. Body of the phishing email

Figure 2. Malicious script (.bat) inside the attached zip file

Figure 3 shows the obfuscated BAT script. As the EDR detection screen in Figure 4 shows, when the BAT file runs it copies itself with the xcopy command. It also copies the legitimate powershell.exe under a different file name with a .png extension.

Figure 3. Malicious BAT file

Figure 4. xcopy command executed via cmd.exe (EDR showing the BAT file being copied along with powershell.exe which has been disguised with a png extension)

It then runs PowerShell commands through that renamed copy of powershell.exe (Lynfe.png). As Figure 5 shows, the EDR detection screen lists the PowerShell process under the .png file name (Lynfe.png), and it is this process that executes the PowerShell commands. Because the binary is an unmodified copy of powershell.exe, a detection that keys only on the process name powershell.exe will not see it.

Figure 5. EDR displaying the PowerShell script that was executed via cmd.exe
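
The detection problem in Figures 4 and 5 is that the interpreter is an unmodified powershell.exe under a .png name, so the process name alone is useless. The script below is an added example, not code from this post or from AhnLab EDR: it runs three checks over constructed Sysmon-style process-creation events (the user directory, the xcopy switch and the PowerShell arguments are assumed; only the name Lynfe.png and the cmd.exe to xcopy to PowerShell chain come from the post). The checks are a copy of powershell.exe to a file with a non-executable extension, a process whose PE original file name says PowerShell.EXE while its on-disk name differs, and any process image with a non-executable extension.

```python
import ntpath
import re
from typing import Callable, Dict, List, Optional

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not telemetry
# from the post. Only "Lynfe.png" and the cmd.exe -> xcopy -> PowerShell chain follow
# the post; the directory, the xcopy switch and the PowerShell arguments are assumed.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\attachment.bat"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\xcopy.exe",
     "OriginalFileName": "XCOPY.EXE",
     "CommandLine": r"xcopy /y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Local\Temp\Lynfe.png",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Lynfe.png",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'C:\Users\user\AppData\Local\Temp\Lynfe.png -w hidden -c "<decoded loader>"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

EXECUTABLE_EXTS = {".exe", ".com", ".scr"}
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line tokens


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def _args(cmdline: str) -> List[str]:
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def rule_renamed_powershell(ev: Dict[str, str]) -> Optional[str]:
    """The PE version resource says PowerShell, but the file on disk is called something else."""
    if ev.get("OriginalFileName", "").lower() == "powershell.exe" and _name(ev["Image"]) != "powershell.exe":
        return f"powershell.exe running as {_name(ev['Image'])}"
    return None


def rule_non_executable_image(ev: Dict[str, str]) -> Optional[str]:
    """A process image whose extension is not an executable type (here .png)."""
    ext = _ext(ev["Image"])
    if ext not in EXECUTABLE_EXTS:
        return f"process image has extension {ext or '(none)'}"
    return None


def rule_copy_of_powershell(ev: Dict[str, str]) -> Optional[str]:
    """xcopy/robocopy, or cmd.exe's built-in copy, writing powershell.exe to a non-executable name."""
    name = _name(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if name not in COPY_TOOLS and not (name == "cmd.exe" and re.search(r"\bcopy\b", cmd, re.I)):
        return None
    args = _args(cmd)
    src = [a for a in args if _name(a) == "powershell.exe"]
    dst = [a for a in args if not a.startswith("/") and _ext(a) and _ext(a) not in EXECUTABLE_EXTS]
    if src and dst:
        return f"powershell.exe copied to {dst[-1]}"
    return None


RULES: Dict[str, Callable[[Dict[str, str]], Optional[str]]] = {
    "renamed_powershell": rule_renamed_powershell,
    "non_executable_image": rule_non_executable_image,
    "copy_of_powershell": rule_copy_of_powershell,
}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event; each hit carries the event index, rule name and detail."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for rule, fn in RULES.items():
            detail = fn(ev)
            if detail:
                findings.append({"event": idx, "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['detail']}")
```

On the constructed events the benign cmd.exe and the legitimate powershell.exe launch produce nothing, the xcopy event trips the copy rule, and the Lynfe.png process trips both the renamed-PowerShell and the non-executable-image rules. The OriginalFileName check is the one that survives arbitrary renaming; the extension check is cheap but only catches actors who pick a non-executable extension as this one did.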

Figure 6 shows the decoded PowerShell commands. They decode (gzip, reverse) the data embedded in the BAT file, reconstruct a DLL payload, and load it directly into the PowerShell process. As shown in Figure 7, the loaded DLL executes the decoded shellcode, which performs further decoding and finally runs AgentTesla in memory. At no point is a DLL or EXE written to disk; the BAT file is the only artifact a file scanner can see.

Figure 6. Decoded PowerShell commands that load the .NET DLL encoded within the BAT file

Figure 7. .NET DLL feature that executes the decoded shellcode
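
The unpacking in Figure 6 is a short chain of reversible transforms, so an analyst can recover the embedded DLL without running the script. The following is an added example, not the post's code and not the threat actor's loader: it scans a constructed stand-in for the BAT file for base64-looking runs, undoes the layers the post names (reverse the text, then gunzip; the base64 step between them is an assumption, since the post only says gzip and reverse) and keeps only results that begin with an MZ header. The sample BAT text, its variable name q and the decoy line are constructed for this example.

```python
import base64
import gzip
import re
from typing import List

# Constructed sample: a fake PE image (MZ header plus filler) standing in for the
# .NET DLL the post describes. It is not the AgentTesla loader.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 64 + b"PE\x00\x00" + bytes(range(256))


def wrap_like_dropper(data: bytes) -> str:
    """Apply the layering in the forward direction (gzip, base64, then reverse the text)
    so the example has something to decode offline. Whether the real script base64-encodes
    before reversing is an assumption; the post only mentions gzip and reverse."""
    return base64.b64encode(gzip.compress(data)).decode("ascii")[::-1]


# Constructed stand-in for the obfuscated BAT file; the real variable names and layout
# are not reproduced. The ':: ' line is a decoy run of base64 characters that is not a
# payload, to show that false hits are skipped rather than aborting the scan.
SAMPLE_BAT = (
    "@echo off\r\n"
    ":: " + "A" * 80 + "\r\n"
    'set "q=' + wrap_like_dropper(SAMPLE_PAYLOAD) + '"\r\n'
)

# After reversal the base64 padding '=' sits at the FRONT of the blob, which is itself a
# quick triage tell. The lookbehind stops the match from starting inside a preceding
# token such as the variable name in 'set "q=...'.
BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])={0,2}[A-Za-z0-9+/]{64,}")


def unwrap(blob: str) -> bytes:
    """Undo the layers in the order the post lists them: reverse, base64-decode, gunzip."""
    raw = base64.b64decode(blob[::-1], validate=True)
    return gzip.decompress(raw)


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def recover_payloads(bat_text: str) -> List[bytes]:
    """Scan BAT text for reversed base64 runs and return every one that unwraps to a PE image."""
    payloads: List[bytes] = []
    for m in BLOB_RE.finditer(bat_text):
        try:
            data = unwrap(m.group(0))
        except (ValueError, OSError, EOFError):
            continue  # decoy or unrelated text: not reversed base64 wrapping gzip
        if looks_like_pe(data):
            payloads.append(data)
    return payloads


if __name__ == "__main__":
    for i, pe in enumerate(recover_payloads(SAMPLE_BAT)):
        print(f"payload {i}: {len(pe)} bytes, MZ header: {looks_like_pe(pe)}")
```

Against a real sample the recovered bytes would be the .NET DLL from Figure 7, ready for a .NET decompiler, and the same scan can be re-run on whatever that DLL decodes next. The decode errors are caught per match on purpose: obfuscated batch files are full of long alphanumeric runs that are not payloads.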

Figure 8 shows the feature of AgentTesla, ultimately executed inside the PowerShell process (Lynfe.png), that steals stored account credentials from a specific browser (Edge). The malware collects credential data from many applications' profile directories in the same way; Table 1 lists a portion of the collection paths.

Figure 8. Account credential-stealing feature of the final payload, AgentTesla

A Portion of Collection Paths for Account Credential-related Data

“Sputnik\Sputnik\User Data”
“Elements Browser\User Data”
“\NETGATE Technologies\BlackHawk\”
“BraveSoftware\Brave-Browser\User Data”
“\Waterfox\”
“uCozMedia\Uran\User Data”
“Opera Software\Opera Stable”
“Microsoft\Edge\User Data”
“\Comodo\IceDragon\”
“CatalinaGroup\Citrio\User Data”
“7Star\7Star\User Data”
“Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer”
“Yandex\YandexBrowser\User Data”
“\Thunderbird\”
“Chedot\User Data”
“Iridium\User Data”
“Kometa\User Data”
“Chromium\User Data”
“QIP Surf\User Data”
“\Mozilla\Firefox\”
“\Mozilla\SeaMonkey\”
“\K-Meleon\”
“liebao\User Data”
“CocCoc\Browser\User Data”
“\Mozilla\icecat\”
“Amigo\User Data”
“Vivaldi\User Data”
“Orbitum\User Data”
“MapleStudio\ChromePlus\User Data”
“360Chrome\Chrome\User Data”
“Google\Chrome\User Data”
“Comodo\Dragon\User Data”
“Epic Privacy Browser\User Data”
“\Flock\Browser\”
“\Postbox\”
“Coowon\Coowon\User Data”
“\Moonchild Productions\Pale Moon\”
“\8pecxstudios\Cyberfox\”
“Torch\User Data”
“CentBrowser\User Data”

Table 1. A portion of collection paths for account credential-related data

Figure 9 is the EDR detection screen for the information-stealing behavior: the PowerShell process disguised as a png file can be seen accessing stored account credentials inside a browser's profile directory.

Figure 9. EDR showing evidence of AgentTesla's account credential theft

After collecting the data, AgentTesla, still running inside the PowerShell process (Lynfe.png), uploads it to an FTP server controlled by the threat actor, as shown in Figure 10. FTP is a cleartext protocol, so an outbound FTP connection from a PowerShell process, let alone one named Lynfe.png, is a strong network indicator to pair with the host-side evidence above.

Figure 10. The feature of the final payload, AgentTesla, to transfer stolen information to a C2 via FTP

Using EDR evidence, we walked through the infection flow of the AgentTesla infostealer distributed through spam email. The threat actor used a fileless technique that never writes an EXE to disk, and disguised the lure by claiming in the subject line that the email had been sent from an alternative account. Be cautious when opening attachments, and treat script extensions such as .bat as executable even when they arrive inside a zip archive. Continuous monitoring with security products is also essential for detecting and containing unauthorized access by threat actors.

[Behavior Detection]
CredentialAccess/EDR.Event.M11362

[File Detection]
Trojan/BAT.Agent.SC192347

[IOC]
6d9821bc1ca643a6f75057a97975db0e

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Infostealer Being Distributed via Spam Email (AgentTesla) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/57546/