The turnout failed: we bring AgentTesla to clean water. Part 1

Recently, a European manufacturer of electrical equipment contacted Group-IB – its employee received a suspicious email with malicious attachment by mail. Ilya Pomerantsev, a malware expert at CERT Group-IB, conducted a detailed analysis of this file, found AgentTesla spyware there and told what to expect from such malware and how dangerous it is.

With this post, we are opening a series of articles on how to analyze such potentially dangerous files, and we are waiting for the most curious on December 5 for a free interactive webinar on the topic “Malware analysis: parsing real cases”. All the details are under the cut.

Distribution mechanism

We know that malware got into the victim’s machine through phishing emails. The recipient of the letter was probably put in a blind copy.

An analysis of the headers shows that the sender of the letter was forged. In fact, the letter has left vps56[.]oneworldhosting[.]com.

The attachment of the letter contains the WinRar archive qoute_jpeg56a.r15 with malicious executable QOUTE_JPEG56A.exe inside.

HPE ecosystem

Now let's see what the ecosystem of the malware under investigation looks like. The diagram below shows its structure and directions of interaction of the components.

Now consider each of the components of malware in more detail.

Loader

Original file QOUTE_JPEG56A.exe is compiled AutoIt v3 the script.

To obfuscate the source script, an obfuscator with similar PELock AutoIT-Obfuscator characteristics.
Deobfuscation is performed in three stages:

Obfuscation removal For-if
The first step is to restore the script control flow. Control Flow Flattening is one of the most common ways to protect application binary code from analysis. Confusing transformations dramatically increase the complexity of isolating and recognizing algorithms and data structures.
Line recovery
Two functions are used to encrypt strings:
- gdorizabegkvfca – Perform Base64-like decoding
- xgacyukcyzxz – simple byte XOR of the first line with the length of the second
Obfuscation removal BinaryToString and Execute

The main load is stored in a split form in the directory Fonts file resource sections.

The gluing procedure is as follows: TIEQHCXWFG, IME, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, Hwjho, AVZOUMVFRDWFLWU.

The WinAPI function is used to decrypt the extracted data. Cryptdecrypt, and the session key generated based on the value is used as the key fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.

The decrypted executable file is input to the function RunPEwhich carries out Processinject in RegAsm.exe using the built-in Shellcode (also known as RunPE ShellCode) The authorship belongs to the user of the Spanish forum indetectables[.]net under the nickname Wardow.

It is also worth noting that in one of the branches of this forum the obfuscator for AutoIt with similar properties identified during sample analysis.

Himself Shellcode quite simple and attracts the attention of only borrowed from the hacker group Anunak Carbanak. hash function of API calls.

We are also aware of use cases. Frenchy shellcode different versions.
In addition to the described functionality, we also revealed inactive functions:

Block manual completion of the process in the task manager
Restarting a child process if it ends
UAC Bypass
Saving payload to file
Demonstration of modal windows
Pending mouse cursor position
AntiVM and AntiSandbox
Self destruction
Downloading payload from the network

We know that such functionality is characteristic of the tread. CypherIT, which, apparently, is the bootloader under study.

VPO core module

Next, we briefly describe the main module of malware, and in more detail consider it in the second article. In this case, it is an application on .NET.

During the analysis, we found that an obfuscator was used ConfuserEX.

IELibrary.dll

The library is stored as a resource of the main module and is a well-known plugin for AgentTesla, which provides functionality for extracting various information from Internet Explorer and Edge browsers.

Agent Tesla is a modular espionage software distributed as malware-as-a-service under the guise of a legal keylogger product. Agent Tesla is able to extract and transmit user credentials from browsers, email clients and FTP clients to the server for attackers, register clipboard data, and capture the device’s screen. At the time of analysis, the official website of the developers was unavailable.

The entry point is the function GetSavedPasswords InternetExplorer class.

In general, the code execution is linear and does not contain means of protection against analysis. Attention deserves only the unrealized function GetSavedCookies. Apparently, the functionality of the plugin was supposed to be expanded, but this was never done.

Securing the bootloader in the system

We will study how the bootloader is fixed in the system. The test specimen does not fix, however, in similar events, it occurs according to the following scheme:

In the folder C: Users Public script is created Visual basic
Example script:
The contents of the bootloader file are padded with a null character and saved in the folder % Temp% <Произвольное имя папки><Имя файла>
An autorun key for the script file is created in the registry HKCU Software Microsoft Windows CurrentVersion Run <Имя скрипта>

So, according to the results of the first part of the analysis, we were able to establish the names of the families of all the components of the malware studied, analyze the infection scheme, and also obtain objects for writing signatures. We will continue to analyze this object in the next article, where we will examine the main module in more detail. AgentTesla. Do not miss!

By the way, on December 5, we invite all readers to a free interactive webinar on the topic “Malware analysis: analysis of real cases”, where the author of this article, a CERT-GIB specialist, will show the first stage of malware analysis in online mode – semi-automatic unpacking of samples using three real ones mini-cases from practice, and you can take part in the analysis. The webinar is suitable for specialists who already had experience in analyzing malicious files. Registration strictly from corporate mail: register. Waiting for you!