Agent Tesla Malware Evolves: A Persistent Threat Exploiting Multiple Vectors

A recent analysis by FortiGuard Labs sheds light on a phishing campaign distributing a new variant of the well-known Agent Tesla malware. Agent Tesla, used as a Remote Access Trojan (RAT) and data stealer in Malware-as-a-Service (MaaS) operations, continues to pose a significant threat. Although Microsoft released patches for the CVE-2017-11882/CVE-2018-0802 vulnerabilities over five years ago, the campaign persists, with approximately 3,000 attacks observed daily at the IPS level.

Attack Vector and Initial Compromise:

The campaign begins with a carefully crafted phishing email carrying an Excel attachment that exploits CVE-2017-11882/CVE-2018-0802 to download and execute the Agent Tesla file on the victim's device. The attached Excel document contains malicious equation data that is executed in the background when the file is opened.

Agent Tesla Payload Module & Process Hollowing:

The payload module is a .NET program that uses obfuscation techniques, which complicate analysis. The core module of Agent Tesla is loaded from a separate resource and run in a separate process by means of process hollowing, a protective measure that improves the malware's chances of surviving on the victim's device.

Information Collection and Persistence:

Agent Tesla specializes in stealing sensitive information, including credentials, keylogging data, and screenshots, from a wide range of applications: web browsers, email clients, FTP clients, VPN clients, instant messaging clients, and other software. For persistence, the malware keeps collecting data even after a system restart or after its process is terminated.

Web Browsers:

"Opera Browser", "Yandex Browser", "Iridium Browser", "Chromium", "7Star", "Torch Browser", "Cool Novo", "Kometa", "Amigo", "Brave", "CentBrowser", "Chedot", "Orbitum", "Sputnik", "Comodo Dragon", "Vivaldi", "Citrio", "360 Browser", "Uran", "Liebao Browser", "Elements Browser", "Epic Privacy", "Coccoc", "Sleipnir 6", "QIP Surf", "Coowon", "Chrome", "Flock Browser", "QQ Browser", "IE/Edge", "Safari", "UC Browser", "Falkon Browser".

Email clients:

"Outlook", "ClawsMail", "IncrediMail", "FoxMail", "eM Client", "Opera Mail", "PocoMail", "Windows Mail App", "Mailbird", "The Bat!", "Becky!", "Eudora".

FTP clients:

"Flash FXP", "WS_FTP", "FTPGetter", "SmartFTP", "FTP Navigator", "FileZilla", "CoreFTP", "FtpCommander", "WinSCP".

VPN clients:

"NordVPN", "Private Internet Access", "OpenVPN".

IM clients:

"Discord", "Trillian", "Psi/Psi+".

Others:

"Mysql Workbench", "\Microsoft\Credentials\", "Internet Download Manager", "JDownloader".

Keylogging:

Agent Tesla calls the API SetWindowsHookEx() to set a keyboard hook to monitor low-level input events.

Evolution with ZPAQ Compression:

A new variant of Agent Tesla has been identified that uses ZPAQ compression in email attacks. Delivered via a lure file, this variant targets multiple email clients and nearly 40 web browsers. The ZPAQ format, known for its high compression ratio, adds a new dimension to malware delivery, likely intended to bypass security controls that do not inspect this archive type.

Exploiting Microsoft Excel Vulnerability:

Another aspect of the evolving threat environment is attackers distributing Agent Tesla by abusing an outdated Microsoft Office vulnerability (CVE-2017-11882) via phishing attacks. The exploitation is triggered by decoy Excel documents attached to phishing emails, which leads to execution of the malware. Additional files, including an obfuscated Visual Basic Script and a malicious JPG file, are downloaded as part of the infection chain.

IOCs:

URLs:

Hxxp[:]//23[.]95.128.195/3355/chromium.exe

C2 Server List:

SMTP server @ mail.daymon.cc:587

Relevant Sample SHA-256:

[Order 45232429.xls]

FDC04DC72884F54A4E553B662F1F186697DAF14EF8A2DC367BC584D904C22638

[chromium.exe / dasHost.exe / downloaded file]

36B17C4534E34B6B22728DB194292B504CF492EF8AE91F9DDA7702820EFCFC3A
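The following is an added example (not part of the FortiGuard analysis or this post) showing how a defender might operationalize the indicators above: it refangs the published URL, checks file hashes against the listed SHA-256 values, and flags proxy and flow records that reference the download URL or the SMTP C2 host. The log and flow records are constructed sample data, and their format is an assumption.

```python
import hashlib
import re

# Indicators exactly as published on the page (URL kept in its defanged form).
DEFANGED_URLS = ["Hxxp[:]//23[.]95.128.195/3355/chromium.exe"]
C2_SMTP = ("mail.daymon.cc", 587)
KNOWN_SHA256 = {
    "FDC04DC72884F54A4E553B662F1F186697DAF14EF8A2DC367BC584D904C22638": "Order 45232429.xls",
    "36B17C4534E34B6B22728DB194292B504CF492EF8AE91F9DDA7702820EFCFC3A": "chromium.exe / dasHost.exe",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a matchable URL."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def hash_matches(data: bytes):
    """Return the listed sample name if the SHA-256 of `data` is a known IOC, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest().upper())


def scan_proxy_log(lines):
    """Return proxy log lines that contain the refanged download URL (case-insensitive)."""
    urls = [refang(u).lower() for u in DEFANGED_URLS]
    return [line for line in lines if any(u in line.lower() for u in urls)]


def scan_flows(records):
    """records: (src_host, dst_host, dst_port). Flag SMTP sessions to the listed C2 host."""
    host, port = C2_SMTP
    return [r for r in records if r[1].lower() == host and r[2] == port]


# Constructed sample telemetry (hypothetical hosts and timestamps) for a stand-alone run.
PROXY_LOG = [
    "2024-01-10T09:12:01 ws-042 GET http://23.95.128.195/3355/chromium.exe 200",
    "2024-01-10T09:12:05 ws-042 GET https://www.example.com/ 200",
]
FLOWS = [("ws-042", "mail.daymon.cc", 587), ("ws-017", "smtp.office365.com", 587)]

if __name__ == "__main__":
    print("URL hits:", scan_proxy_log(PROXY_LOG))
    print("C2 SMTP flows:", scan_flows(FLOWS))
    print("Hash lookup on dummy bytes:", hash_matches(b"not the sample"))
```

Workstations normally have no reason to open outbound SMTP sessions to an unfamiliar mail server on port 587, so the flow check is a useful hunting query even beyond this one host.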

Conclusion:

The persistent threat of Agent Tesla underscores the need for continuous vigilance and timely patching of vulnerabilities. As threat actors evolve their tactics, incorporating new delivery mechanisms like ZPAQ compression and continuing to exploit old vulnerabilities, organizations must stay informed about emerging threats to protect their environments. The multifaceted nature of this malware, which combines phishing, exploitation, and advanced data theft techniques, emphasizes the importance of a comprehensive cybersecurity strategy.