Don't Phish Bob!
Last updated
0.0 Preface
Agent Tesla, a Remote Access Trojan (RAT) that first surfaced in 2014 and spreads via phishing, has recently returned to a peak of activity with newly enhanced variants. Public reporting on recently discovered campaigns shows it being used against Australian businesses, the travel industry and others.
0.1 Context
On 2024/05/12, a beautiful Sunday, Bob Doe from the Clean Factory project received an email. Without thinking too much, Bob downloaded and opened the attachment from that email, but no window showed up. It seemed like the attachment was not "functioning" and might be broken!
A few minutes later, the fan noise on Bob's PC went up and sounded like a train going full steam ahead. At that moment he knew something was not right, and he contacted team Unauthorized for investigation and response actions.
This investigation involves the Elasticsearch SIEM for investigating logs from the potentially compromised machine, and Process Monitor from Sysinternals for investigating local processes on a Flare VM malware analysis machine by executing the malware in an isolated environment. The ANY.RUN online sandbox will also be used.
1.0 Investigation
Team Unauthorized started the investigation by trying their luck on a Sunday night, opening the VBS payload in the Visual Studio Code editor, only to find everything heavily obfuscated. The team then moved on.
From the SIEM side, ELK shows evidence of the VBS payload being executed by WScript.exe. We know that Bob is indeed in trouble.
The team found a big chunk of obfuscated PowerShell commands spawned by the phishing payload. Reading the end of the line, "$codigo.replace('DgTre', 'A')", tells us that every "DgTre" must be replaced with "A"; after that we should be left with a Base64 string that we can decode.
After some de-obfuscation cunning in PowerShell and CyberChef, we have the actual payload!
The PowerShell command appears to execute its second-stage payload directly in PowerShell memory, and the payload itself..... emmmm
Is the command actually fully decoded? Sneaky rascal!
After more PowerShell magic, we get a URL that points to the attacker's second-stage payload, and a domain associated with the attacker:
hxxp://192[.]3[.]101[.]142//europefridayedatingloverforchildern.txt
uploaddeimagens[.]com[.]br
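A worked version of the replace-then-Base64 unwrapping described above, added here as an example and not the team's own PowerShell or CyberChef recipe: the sample string is constructed (it decodes to a harmless Write-Host), and the loop keeps peeling because, as seen above, one pass is not always the end.

```python
import base64
import re
from typing import Optional, Tuple

# Trailing call the post spots at the end of the obfuscated line:
#   $codigo.replace('DgTre', 'A')
REPLACE_RE = re.compile(r"\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
# First long single-quoted string: the blob the replace() is applied to.
BLOB_RE = re.compile(r"'([^']{16,})'")

# Constructed sample, not the real payload: Base64 of UTF-16LE "Write-Host 1"
# (VwByAGkAdABlAC0ASABvAHMAdAAgADEA) with every 'A' swapped for 'DgTre'.
SAMPLE = ("$codigo='VwByDgTreGkDgTredDgTreBlDgTreC0DgTreSDgTreBvDgTreHMDgTred"
          "DgTreDgTregDgTreDEDgTre';$codigo.replace('DgTre', 'A')")

def bytes_to_text(raw: bytes) -> str:
    """PowerShell loaders usually Base64 UTF-16LE text; fall back to UTF-8."""
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def peel_one_layer(script: str) -> Optional[str]:
    """Undo one replace()+Base64 layer; None if no such layer is present."""
    call, blob = REPLACE_RE.search(script), BLOB_RE.search(script)
    if not call or not blob:
        return None
    marker, letter = call.group(1), call.group(2)
    b64 = blob.group(1).replace(marker, letter)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    return bytes_to_text(base64.b64decode(b64))

def deobfuscate(script: str, max_layers: int = 10) -> Tuple[str, int]:
    """Keep peeling until nothing decodes further (the post's 'is it actually
    fully decoded?' case); return the final text and the layer count."""
    layers = 0
    while layers < max_layers:
        inner = peel_one_layer(script)
        if inner is None:
            break
        script, layers = inner, layers + 1
    return script, layers

def build_sample(plain: str, layers: int = 2, marker: str = "DgTre") -> str:
    """Constructed input only: wrap PLAIN in the same replace()/Base64 style
    LAYERS times so the loop above can be exercised on a nested case."""
    for _ in range(layers):
        b64 = base64.b64encode(plain.encode("utf-16-le")).decode()
        plain = f"$codigo='{b64.replace('A', marker)}';$codigo.replace('{marker}', 'A')"
    return plain
```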
Not surprisingly, both locations are recognized by public threat intelligence as malicious. By retrieving the second-stage payload from 192[.]3[.]101[.]142 in a sandbox, we see more and more heavily obfuscated scripts:
However, the image file appears to be innocent in this case. You wouldn't really embed code into an image like you are playing a CTF, right Mr. Hacker?
Moving back to the SIEM, we can see that a DLL was loaded: clr.dll, the .NET runtime DLL. This is the core DLL needed for .NET applications to execute, so it is clear that the second-stage payload is a piece of .NET malware.
Following the process tree, we identified AddInProcess32.exe from the .NET Framework being spawned by the second-stage .NET payload.
A DNS query for ip-api.com (45[.]125[.]247[.]123) was made by AddInProcess32.exe, and we also found evidence of the process loading vaultcli.dll.
Now, let's brainstorm, or read my previous post. What does malware loading vaultcli.dll imply?
At this stage, team Unauthorized hit a wall. We know that the attacker has moved to their second-stage payload, that this payload was executed and spawned another .NET process, and that it is ready to harvest credentials.
But why is there no more activity in ELK?!
The log flow is running without issue, so what is wrong!?
1.1 Unpacking The Mystery
Team Unauthorized never gives up on its research!
We moved on from investigating in the SIEM and transferred the payload into our Flare VM, another component of the Clean Factory lab project. This is a completely isolated VLAN dedicated to malware analysis, and traffic from this VLAN is strictly controlled by our firewall. Nothing bad gets through!
By reading through the process information, we are indeed seeing more than we could in the SIEM. We now see a massive amount of local information discovery through registry queries.
The majority of the queried components are the DNS settings and the network interface settings of the Flare VM. However, we still do not see exfiltration-looking traffic or the credential access activity that every Unauthorized team member is expecting.
A step-by-step review of everything the team performed during analysis was carried out, as well as a review of all of the known activity conducted by the payloads.
The primary suspect is an anti-VM technique, since virtualization is the only thing all of the lab machines have in common. The local discovery behaviour supports this speculation: the payload checks whether certain files exist (e.g. C:\Windows\System32\VirtualBox) and queries system information (e.g. network adapter, memory size, hard disk size). A malicious process can determine whether the compromised system is a virtual machine and change its workflow accordingly.
Restricted network connections were also considered; however, this should not be the root cause, since Bob's machine is able to reach the WAN through the domain controller and firewall.
Further research shows that anti-VM behaviour is not necessarily associated with anti-sandboxing; they don't always come as a combo!
At this stage the team chose the ANY.RUN sandbox to see if that is the solution we are looking for.
And boom! We are able to see more activity now!
1.2 Revenge For Bob!
By analyzing the newly observed activity, we found that the malicious .NET process is associated with AgentTesla and has harvested credentials from the following local browser and email client locations:
\AppData\Roaming\Mozilla\Firefox\profiles.ini
\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
\AppData\Roaming\Mozilla\icecat\profiles.ini
\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json
\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db
\AppData\Roaming\Thunderbird\profiles.ini
\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
\AppData\Roaming\Comodo\IceDragon\profiles.ini
\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
\AppData\Roaming\K-Meleon\profiles.ini
\AppData\Roaming\Waterfox\profiles.ini
\AppData\Roaming\Postbox\profiles.ini
\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
\AppData\Roaming\Flock\Browser\profiles.ini
\AppData\Local\Comodo\Dragon\User Data
\AppData\Local\Epic Privacy Browser\User Data
\AppData\Local\Kometa\User Data
\AppData\Local\Coowon\Coowon\User Data
\AppData\Local\Elements Browser\User Data
\AppData\Local\Google\Chrome\User Data\Default\Login Data
\AppData\Local\Amigo\User Data
\AppData\Local\liebao\User Data
\AppData\Local\BraveSoftware\Brave-Browser\User Data
\AppData\Local\Chedot\User Data
\AppData\Local\Orbitum\User Data
\AppData\Local\Sputnik\Sputnik\User Data
\AppData\Local\CentBrowser\User Data
\AppData\Local\Yandex\YandexBrowser\User Data
\AppData\Local\CatalinaGroup\Citrio\User Data
\AppData\Local\Iridium\User Data
\AppData\Local\Torch\User Data
\AppData\Local\Chromium\User Data
\AppData\Local\7Star\7Star\User Data
\AppData\Local\MapleStudio\ChromePlus\User Data
\AppData\Local\QIP Surf\User Data
\AppData\Local\Vivaldi\User Data
\AppData\Local\uCozMedia\Uran\User Data
\AppData\Local\CocCoc\Browser\User Data
\AppData\Local\Microsoft\Edge\User Data
\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
\AppData\Local\Tencent\QQBrowser\User Data
\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail
\AppData\Roaming\Claws-mail
\AppData\Local\VirtualStore\Program Files\Foxmail\mail
\AppData\Roaming\Pocomail\accounts.ini
\AppData\Roaming\Trillian\users\global\accounts.dat
\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
Not only files: the payload also touched the registry, discovering Internet Settings and the Outlook profile:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000006
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD
The following host information was also queried by the malware:
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS -> Supported Languages
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME -> Computer Name
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION -> Environment Value
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY -> Machine GUID
Afterwards, the dumped credentials were exfiltrated via FTP to the attacker-controlled server at 89[.]37[.]143[.]245.
The credentials were packed into an HTML file named PW_admin-USER-PC_2024_05_11_04_33_31.html and saved onto the attacker's FTP server.
Furthermore, this variant of the AgentTesla payload could have been designed in a better and more secure way: the FTP credentials (redacted) are clearly visible.
This is a big oops! Bob, we can get revenge for you mate!
The destination appears to be running a Pure-FTPd (privsep) FTP server, and by using OSINT and reading the attacker's credentials we found the attacker domain ftp[.]folder[.]ro.
No persistence techniques were discovered and the AgentTesla payload did not spread in the network.
1.3 Summary
Team Unauthorized identified the following techniques used by the initial VBS phishing payload and its second-stage payload by analyzing them within the Clean Factory testing environment:
T1059.001 - Command and Scripting Interpreter: PowerShell
T1027.010 - Obfuscated Files or Information: Command Obfuscation
T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
T1105 - Ingress Tool Transfer
T1564.003 - Hide Artifacts: Hidden Window
T1012 - Query Registry
T1497.001 - Virtualization/Sandbox Evasion: System Check
T1082 - System Information Discovery
T1518.001 - Software Discovery: Security Software Discovery
T1132.002 - Data Encoding: Non-Standard Encoding
Furthermore, in the late stage of AgentTesla-associated activity, we identified the following techniques:
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1555.003 - Credentials From Password Stores: Credentials From Web Browsers
T1552.001 - Unsecured Credentials: Credentials In Files
T1114.001 - Email Collection: Local Email Collection
T1082 - System Information Discovery
T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
2.0 Threat Hunting
In this section, threat hunting queries are provided in SentinelOne syntax, separated into two sections: IOC and Behavior.
We trust that translating them into other EDR/SIEM queries should not be a challenge for you. If you do need support, this online resource could lead you in the right direction.
Upcoming: Unauthorized has planned a project to share its threat hunting queries in multiple common query languages besides SentinelOne, to provide easy references. Currently the project is planned to cover the following query languages:
SentinelOne Query / SentinelOne PowerQuery
Elasticsearch Query
Sigma Detection Rule
2.1 IOC Hunting
2.2 Behavior Hunting
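As an added example, and not one of the post's SentinelOne queries, the behaviour chain from section 1.0 written as Python checks over constructed Sysmon-style event records; the event fields, the file paths and the 203.0.113.10 address are assumptions made up for the sample, not values taken from Bob's machine.

```python
# Constructed Sysmon-style events, not real log lines from the post, modelling the
# chain seen in section 1.0: WScript.exe -> powershell.exe -> .NET stage in memory
# -> AddInProcess32.exe, then vaultcli.dll load, ip-api.com lookup and FTP out.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "wscript.exe invoice.vbs"},
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden $codigo.replace('DgTre', 'A')"},
    {"type": "process", "image": ADDIN, "parent": PS, "cmd": "AddInProcess32.exe"},
    {"type": "imageload", "image": ADDIN, "loaded": r"C:\Windows\System32\vaultcli.dll"},
    {"type": "dns", "image": ADDIN, "query": "ip-api.com"},
    # TEST-NET address, assumed for the sample; not the IOC from the post.
    {"type": "network", "image": ADDIN, "dst_port": 21, "dst_ip": "203.0.113.10"},
    # Benign baseline: Explorer also touches the vault library and must not fire.
    {"type": "imageload", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\vaultcli.dll"},
]

def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_ps(e: dict) -> bool:
    return base_name(e.get("image", "")) == "powershell.exe"

def is_addin(e: dict) -> bool:
    return base_name(e.get("image", "")) == "addinprocess32.exe"

# Each rule: (name, predicate). Names follow the behaviours the post describes.
RULES = [
    ("WScript spawning PowerShell",
     lambda e: e["type"] == "process" and is_ps(e)
     and base_name(e["parent"]) in {"wscript.exe", "cscript.exe"}),
    ("PowerShell command unwrapping text with .replace()",
     lambda e: e["type"] == "process" and is_ps(e) and ".replace(" in e["cmd"].lower()),
    ("AddInProcess32 spawned by PowerShell",
     lambda e: e["type"] == "process" and is_addin(e)
     and base_name(e["parent"]) == "powershell.exe"),
    ("AddInProcess32 loading vaultcli.dll",
     lambda e: e["type"] == "imageload" and is_addin(e)
     and base_name(e["loaded"]) == "vaultcli.dll"),
    ("AddInProcess32 resolving ip-api.com",
     lambda e: e["type"] == "dns" and is_addin(e) and e["query"].lower() == "ip-api.com"),
    ("AddInProcess32 making an outbound FTP connection",
     lambda e: e["type"] == "network" and is_addin(e) and e["dst_port"] == 21),
]

def hunt(events):
    """Return (rule name, process image) pairs for every event a rule matches."""
    return [(name, base_name(e["image"])) for e in events for name, pred in RULES if pred(e)]
```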
3.0 Response Suggestion
For prompt response actions, the following countermeasures are advised:
Restrict SSH and FTP traffic to an allow-list of known external IP addresses and block the rest.
Push password changes to affected users and ensure the new password has no relation with the previously compromised one. Follow a strong password policy and keep in mind the scope of the harvest - there could be a LOT to change.
Optionally rebuild the compromised system even though no persistence techniques were discovered. It is always reassuring to perform a rebuild and know the machine is clean.
Community Channels
Discord: https://discord.gg/WMFFTDPuEB
Twitter: https://twitter.com/unauthorize403
403-ThreatHunt Project: https://github.com/unauthorized-403/403-ThreatHunt