Introduction
Agent Tesla, first observed in 2014, is a .NET-based keylogger and information stealer with features like clipboard logging, keystroke logging, screen capture, and extraction of stored credentials from web browsers, mail clients, and FTP applications. Recently, Zscaler ThreatLabz detected a campaign in which threat actors use malicious Excel add-in (XLAM) attachments that exploit CVE-2017-11882 to deliver Agent Tesla to users running unpatched versions of Microsoft Office. CVE-2017-11882 is a remote code execution vulnerability in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office: a stack buffer overflow caused by the way the component handles objects in memory. Microsoft patched it in November 2017, but installations that never received the update remain reliably exploitable, which is why the flaw is still a favorite of commodity malware distributors.
In this blog, we examine the tactics threat actors employ to deploy Agent Tesla using CVE-2017-11882, the methods used for data theft, and the evasion strategies seen in the chain, like obfuscation, payload hiding in an image, and injection into a trusted Windows binary.
Key Takeaways
Threat actors use words like “orders” and “invoices” in spam emails to lure users into opening malicious attachments that exploit CVE-2017-11882.
Threat actors include a heavily obfuscated VBS file in the infection chain to complicate analysis and deobfuscation.
Threat actors inject the Agent Tesla payload into RegAsm.exe, a legitimate, Microsoft-signed .NET Framework utility, so the malicious code runs under the cover of a trusted process.
Microsoft Excel Infection Sequence
Threat actors begin the infection sequence by distributing spam emails with malicious Excel attachments (like in Figure 1 and Figure 2 below), hoping that users with unpatched versions of Microsoft Office open the emails and the attachments.
Figure 1: Spam email example
Figure 2: Spam email example
To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.
Once a user downloads a malicious attachment and opens it on a vulnerable Office installation, the embedded Equation Editor object triggers the exploit. No macro prompt or further user interaction is involved, because CVE-2017-11882 does not rely on VBA: the exploit code contacts an attacker-controlled server and downloads additional files on its own. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.
Figure 3: Malicious communication and additional file download
Figure 4 shows the actual obfuscated VBS file.
Figure 4: Obfuscated VBS file
The VBS file uses variable names roughly 100 characters long, which bloats the script and slows manual analysis and deobfuscation. The VBS file then downloads a malicious JPG file, as in Figure 5 below.
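Long, meaningless identifiers like these are cheap to strip before reading the script. The following helper is an analysis aid added for this post, not code from the campaign: it renames every identifier of at least 40 characters to v1, v2, ... in order of first appearance while leaving string literals intact, so URLs and command lines inside quotes survive for IOC extraction. The sample script it runs on is constructed for illustration and is not the real nicko.vbs.

```python
"""Rename very long identifiers in an obfuscated VBScript so its control flow
becomes readable. Analysis helper written for this post; the sample below is
constructed and is not the campaign's actual script."""
import re
from typing import Dict, Tuple

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# VBScript escapes a double quote inside a string as ""
STRING_LITERAL = re.compile(r'("(?:[^"]|"")*")')


def shorten_identifiers(script: str, min_len: int = 40) -> Tuple[str, Dict[str, str]]:
    """Replace every identifier of at least min_len characters with v1, v2, ...
    in order of first appearance. String literals are skipped so quoted URLs
    and command lines are not altered.
    Returns the rewritten script and the mapping (lowercased original -> short name)."""
    mapping: Dict[str, str] = {}

    def rename(m: "re.Match") -> str:
        name = m.group(0)
        if len(name) < min_len:
            return name
        key = name.lower()  # VBScript identifiers are case-insensitive
        if key not in mapping:
            mapping[key] = f"v{len(mapping) + 1}"
        return mapping[key]

    # split() with a capturing group keeps the literals as their own parts,
    # each starting with a quote, so they can be passed through untouched
    parts = STRING_LITERAL.split(script)
    rewritten = "".join(p if p.startswith('"') else IDENT.sub(rename, p) for p in parts)
    return rewritten, mapping


# Constructed sample in the style of the obfuscated loader: 100-character names
LONG_A = "a" * 100
LONG_B = "b" * 100
SAMPLE_VBS = (
    f"Dim {LONG_A}, {LONG_B}\n"
    f'Set {LONG_A} = CreateObject("WScript.Shell")\n'
    f'{LONG_B} = "powershell -w hidden -c ""Start-Sleep 1"""\n'
    f"{LONG_A}.Run {LONG_B}, 0, False\n"
)

if __name__ == "__main__":
    cleaned, names = shorten_identifiers(SAMPLE_VBS)
    print(cleaned)
    for original, short in names.items():
        print(f"{short} <- {original[:20]}... ({len(original)} chars)")
```

The mapping is returned alongside the cleaned script so that findings can be traced back to the original names when writing detection content against the real file.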
Figure 5: Malicious JPG file (steganography image)
The JPG file contains a Base64-encoded DLL, as shown in Figure 6.
Figure 6: Base64-encoded DLL inside an image
Threat actors embed a Base64-encoded DLL in an image so the payload passes through antivirus and network inspection looking like an innocuous picture. Once the JPG file is downloaded, the VBS file launches PowerShell, which reads the image, extracts the Base64 text between the <<BASE64_START>> and <<BASE64_END>> markers the actors placed around it, decodes it into the DLL, and loads the DLL to invoke its malicious methods. Figure 7, shown below, illustrates the command.
Figure 7: Malicious command that loads and runs the DLL file
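The same marker scheme that lets the loader find its payload lets an analyst carve it without running anything. The script below is an added example for this post (not the actors' PowerShell): it locates the <<BASE64_START>> / <<BASE64_END>> pair in an image, decodes what lies between them, and checks that the result is a PE file before hashing it. The image bytes it parses are constructed inline around a minimal fake PE header; they are not one of the real JPG samples listed in the IOCs.

```python
"""Carve a Base64-encoded PE payload delimited by <<BASE64_START>> and
<<BASE64_END>> out of an image file. Added analysis example; the sample image
and embedded PE below are constructed, not campaign artifacts."""
import base64
import hashlib
import re
import struct

START = b"<<BASE64_START>>"
END = b"<<BASE64_END>>"


def carve_payload(blob: bytes) -> bytes:
    """Return the decoded bytes between the first START/END marker pair.
    Raises ValueError if a marker is missing or the Base64 is malformed."""
    s = blob.find(START)
    if s == -1:
        raise ValueError("start marker not found")
    e = blob.find(END, s + len(START))
    if e == -1:
        raise ValueError("end marker not found")
    encoded = blob[s + len(START):e]
    encoded = re.sub(rb"\s+", b"", encoded)  # tolerate line-wrapped Base64
    return base64.b64decode(encoded, validate=True)


def is_pe(data: bytes) -> bool:
    """Check the MZ header and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(blob: bytes) -> dict:
    """Carve the payload and summarize it the way a triage note would."""
    payload = carve_payload(blob)
    return {
        "size": len(payload),
        "is_pe": is_pe(payload),
        "md5": hashlib.md5(payload).hexdigest(),
    }


def build_fake_pe() -> bytes:
    """Minimal DOS header pointing at a PE signature; enough for is_pe()."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed sample: JFIF header, some filler, the marked payload, end-of-image
FAKE_PE = build_fake_pe()
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    + START + base64.b64encode(FAKE_PE) + END
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

Because the carved bytes are checked against the PE signature rather than just decoded, a benign image that happens to contain the marker strings yields a clear "not a PE" verdict instead of a garbage file on disk.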
PowerShell then spawns RegAsm.exe, as shown in Figure 8 below. RegAsm.exe is the .NET Framework Assembly Registration Tool, a legitimate, Microsoft-signed binary normally used to register assemblies for COM interop. Here it performs no registration at all: it serves as a trusted host process into which the malware injects its code, so the malicious activity appears to originate from a genuine Microsoft executable.
Figure 8: Process tree and thread injection in RegAsm.exe
From here, the DLL fetches the Agent Tesla payload and injects it into the RegAsm.exe process by creating a remote thread, as shown in Figure 9 below.
Figure 9: Thread injected into RegAsm.exe
Figure 10, shown below, depicts Agent Tesla reading saved credentials from various browsers for exfiltration to a destination controlled by the threat actor.
Figure 10: Browser data theft
In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.
Figure 11: Agent Tesla steals data from Outlook
As shown below in Figure 12, Agent Tesla installs keyboard and clipboard hooks to record all keystrokes and capture any data the user copies.
Figure 12: Keyboard and clipboard hooks
In Figure 13 below, Agent Tesla installs Windows hooks (typically via SetWindowsHookEx), a technique for intercepting window messages, mouse events, and keystrokes. The hook procedure runs before the message reaches the target application, so the malware sees each keystroke before the user's application does.
Figure 13: Window hooking
From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.
Figure 14: Exfiltrate to Telegram
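Two observations from this chain translate directly into hunting logic: RegAsm.exe being spawned by a script host and receiving a remote thread (Figures 8 and 9), and a non-browser process posting to a Telegram bot endpoint (Figure 14). The script below is an added example for this post, not Zscaler detection content; it runs those checks over a handful of constructed Sysmon-style events (the paths, parent processes, and bot token are all made up) and includes a benign RegAsm.exe invocation from Visual Studio to show the rules do not fire on legitimate use.

```python
"""Hunting checks for the RegAsm.exe injection and Telegram exfiltration
described above, run over constructed endpoint telemetry. Added example for
this post; event values, including the bot token, are invented."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "eqnedt32.exe", "outlook.exe"}
REGASM = "regasm.exe"
# Bot API shape seen in the IOCs: /bot<numeric id>:<token>/<method>
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_create(ev: Dict) -> Optional[str]:
    """RegAsm.exe started by a script host or Office app, or with no assembly
    argument at all (the real tool always receives an assembly path)."""
    if basename(ev["image"]) != REGASM:
        return None
    parent = basename(ev["parent"])
    if parent in SCRIPT_HOSTS or parent in OFFICE_APPS:
        return f"RegAsm.exe spawned by {parent}"
    if ev["cmdline"].strip().strip('"').lower().endswith(REGASM):
        return "RegAsm.exe started without an assembly argument"
    return None


def check_remote_thread(ev: Dict) -> Optional[str]:
    """Sysmon event 8 style: some other process created a thread in RegAsm.exe."""
    if basename(ev["target"]) == REGASM and basename(ev["source"]) != REGASM:
        return f"remote thread created in RegAsm.exe by {basename(ev['source'])}"
    return None


def check_network(ev: Dict) -> Optional[str]:
    """Any process talking to a Telegram bot endpoint; report the bot id."""
    m = TELEGRAM_BOT.search(ev["url"])
    if m:
        bot_id, _token, method = m.groups()
        return f"{basename(ev['image'])} calling Telegram bot {bot_id} ({method})"
    return None


CHECKS = {
    "process_create": check_process_create,
    "create_remote_thread": check_remote_thread,
    "network_connect": check_network,
}


def hunt(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, finding) for every event a check flags."""
    hits = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev["type"])
        msg = check(ev) if check else None
        if msg:
            hits.append((i, msg))
    return hits


# Constructed telemetry mirroring the chain, plus one benign RegAsm.exe use
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RA = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden"},
    {"type": "process_create", "image": RA, "parent": PS, "cmdline": f'"{RA}"'},
    {"type": "create_remote_thread", "source": PS, "target": RA},
    {"type": "process_create", "image": RA,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": rf'"{RA}" /codebase C:\build\Interop.dll'},
    {"type": "network_connect", "image": RA,
     "url": "https://api.telegram.org/bot1234567890:AAExampleTokenNotRealxxxxxxxxxxxxxxx/sendDocument"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://example.com/"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The network check deliberately matches the whole bot path rather than the host alone: api.telegram.org is also used by legitimate Telegram clients, so the /bot<id>:<token>/ form, which only bot API calls use, is what separates exfiltration from normal messaging traffic.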
Conclusion
This blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies like obfuscation, payload hiding in an image, and injection into a trusted Windows binary. Our analysis highlights how threat actors keep adapting infection methods around old, still-unpatched vulnerabilities, making it imperative for organizations to patch and to stay updated on evolving cyber threats.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.
Zscaler Coverage
Win32.Backdoor.Agenttesla.LZ
XLS.Exploit.CVE-2017-11882
DOC.Exploit.CVE-2017-11882
Indicators of Compromise (IOCs)
Telegram URLs used for exfiltration
api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument
Malicious URLs
79.110.48[.]52/nicko.vbs
79.110.48[.]52/nix.txt
193.42.33[.]51/knog.txt
Malicious Excel files
201CD0A2FC6A87D25D6AED1E975FAE71 (CVE-2017-11882)
38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882)
C1521547DEA051BD7A007516511FB2CA (CVE-2017-11882)
dddabc8019a7184055301927239a9438 (CVE-2017-11882)
Malicious VBS files
F302ADDF3B4068888788D8EDCE8F52A0
1402E4408F123DA1E9BC3BDE078764FC
A1C2B285A7FF9DD99C70E4D750EFEA51
Malicious JPG files
8496654930be3db6cea0ba62ffe5add9
d6f8c9a88cbdd876695f4bef56972f2e
8d17b59e8bb573b12a9d0e42746f8aef
Malicious DLL files
8955B482E59894864BACE732302A9927
F5F51251DC672E1934746E0057011B1A
5630282A95AFD2A5CEEECC5ACF7FF053
Malicious executables
547b88c4aa225377d7d65e912d81fe28
87aa9fc1bf49d48234160a15515a8145
0ada110f82ce64fcfab0eb0e5d8d948e
32e9af7d07a5edcc9bf9b5c8121acc55
b551da554933c2c064f96aaa6aa9ff55
7ea06a0e6c1e5707a23364ae6984b4f3
f3f27883dc91a7c85a03342bf6fed475
7c9ad2b73748f8c745d5d49b9b4876c5
a8c8010963f35fc3253d6409c169a9f2
d6a1feb6cfa307c5031ea2dd2118d786
069bb6a37f9312ba4fea6c70b7134d39
6bdb7a11d0eaa407e7a7f34d794fb567
f11d72bc4192b2ed698cc2b0200773bf
a55302ad4bf2f050513528a2ca64ff01
01b02fc9db22a60e8df6530a2e36a73b
43ec3cc0836bd759260e8cf120b79a7b
5477e3714c953df2bb3addf3bebbda9a
be1858db74162408c29c8b8484b3cf88
38bb6b06907c6e3445aa23c8d229e542
05bc545b9b0de1ccb4254b59961ea07b
25a697d0e6c5fa06eea8ba0d3ae539da
8a081a4f6c497c60c6e72dfabfe30326
ad0f5f4994a2998f0e1ed3323884837c
092ff92d9bfa9cac81a8b892d495f42e
09f197fc8d69ec14875723f1e6e623bf
0eba69a4ad399db14a2743b4d68f13e8
19eab6a97cea19473bda3010066c5990
cb2b5646d68279aea516703df3c4c1e9
3247ad04996dd2966800153e7ea14571
92d1ece422670dbf9a3e1aef45612b5c
f25da7cd5fb33e7a0967dbcdf008bd9a
a7f2d131a2f3f61978ec17395f7b34b1
39088a9e4ad3e7a8ba4686641569dbcd
210e9a89b723b3246a7d590c9a428c83
efc3a41ecae822eba861cb88c179c80e
c01e90db99bcc939f829a181aef2c348
b18ba839dfd653b07b984330dd85b57a
a8e8d4667f96ea847d18eb7830fb1dc6
c38b8d525f48cbdf92381274059d8f0b
6e0dafacdeee6f2d9463d0052db5cce8
b6f892c73fa0f491072592d7baf0c916
bf9d9c9a95fdb861c583dc9b66bcf5ab
0043f65755a700b94a57118a672df82c
adbf1e2f49d842aac524d7ac351ca5b4
d55bdb3593664d806794d00025390081
935e75cbd0f207bfeb6d3b5d90e35685
db4bfb57c7acd8d568a06a9c3739e146
08e1955de35005b335be2e100d2d4a3c
e57882623add29cbfa8c93d011b52c44
e6c4636c331af09568a68dcf3614cfa4
be71e90f09a38adfe22d34e3dd044fad
e9d4e5b8b80dcb4fcf5af8413066434e
413af1ff38e6a4e205c6f487d042b457
f1a1542bbccea9a4e6746040d85eae1b
05d60c7be299fc0220ffcaf3b1482652
5373b6dce20bbb0218034aa9bf0c20df
1e22cd428f5baf23877a8189469ed92a
b76d8d59b53f58dd876951044e6d88b9
a29585da474f79a723894c1a56f65b85
2639c8b09f744e95ba612c89ef26e02c
bba5761789159b5a1a23566506358c15
3d8414800762efb9276a999fc477211b
f0af137175487b4d1249921ce506efe9
2123f750f5b854b439349576118d9b9d
7b6ec969d4110722b427de45ca1c0d42
6dfc461ecf4f2fe4c5f44cdeb6792226
0708c52198a49bc7ab16bce19472598a
00b28f548f14de4f53abd6651bf78b98
ea1472bad426efded678a15c9a14bf34
dadb38b97d45d7438fbd43911a71d844
d7ebf4ab7bb0ab685e3902349d637e9b
aff1e141f15d808d5d4f549ea99c1e4d
bbc7c66b301d3087cfdaa89528832895
e6926fc50f40c5c5feb676b0adcb7655
3c3580dfbc1f06636fe5696879cbdd85
b7dba4e30a73f58740d316c46645b759
7b1bc15873c39866b429d44da8640285
Agent Tesla pilfers data from the following browsers:
Edge Chromium
Postbox
Iridium Browser
Elements Browser
Citrio
CentBrowser
Epic Privacy
SeaMonkey
Vivaldi
Yandex Browser
Amigo
7Star
Kometa
IceCat
Cool Novo
Flock
Coowon
360 Browser
Brave
WaterFox
Chromium
Liebao Browser
CyberFox
PaleMoon
Thunderbird
QIP Surf
Sleipnir 6
Sputnik
IceDragon
Coccoc
K-Meleon
Comodo Dragon
Chedot
Opera Browser
BlackHawk
Firefox
Torch Browser
Uran
Orbitum
Agent Tesla tries to steal credentials from the following mail, FTP, messaging, VPN, and other clients:
Paltalk
WinSCP
Safari for Windows
FTP Navigator
Discord
Falkon Browser
Mailbird
QQ Browser
ClawsMail
Pidgin
Eudora
FTPGetter
Becky!
eM Client
IncrediMail
JDownloader 2.0
Psi/Psi+
FoxMail
FtpCommander
Flock Browser
FileZilla
Outlook
WS_FTP
OpenVPN
Private Internet Access
IE/Edge
SmartFTP
DynDns
Opera Mail
Trillian
CoreFTP
MysqlWorkbench
PocoMail
Flash
FXP
UC Browser
NordVPN
Internet Downloader Manager
Windows Mail App