Impact: Collects sensitive information from a victim’s computer

Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. It uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS).

I performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla installed on the victim’s machine to the collecting of sensitive information from the affected device.

Despite fixes for CVE-2017-11882/CVE-2018-0802 being released by Microsoft in November 2017 and January 2018, this vulnerability remains popular amongst threat actors, suggesting there are still unpatched devices in the wild, even after over five years. We are observing and mitigating 3000 attacks per day at the IPS level. The number of observed vulnerable devices is around 1300 per day.

In this analysis, you will learn about the contents of this attack: how the phishing email starts the campaign, how the CVE-2017-11882/CVE-2018-0802 vulnerability (and not a VBS macro) is exploited to download and execute the Agent Tesla file on the victim’s device, and how Agent Tesla collects sensitive data from the victim’s device, such as credentials, keystroke logs, and screenshots of the victim’s screen.

Phishing Email

As you may have noticed, the resource is disguised as a Bitmap resource and is mixed up with the payload. Bitmap.GetPixel() and Color.FromArgb() are the two APIs being called to read the payload from the resource. It then goes through decryption and gzip decompression to restore the payload file, which is loaded as an executable module by calling the () method. Finally, the payload file’s “EntryPoint” function is invoked from the Loader module (“Cassa”).

Agent Tesla Payload Module & Process Hollowing

As with most malware, the developers run the malware’s core module in a separate process. This is a common protection strategy to increase the malware’s chance of survival on the victim’s device. Fortunately, I managed to have it de-obfuscated using several analysis tools. The primary function (other than persistence) of the payload is to perform the process hollowing and then place another decrypted executable file, sourced from a separate resource (called “7gQsJ0ugxz.resources”) within the payload file, into the hollowed process and execute it.
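The bitmap trick described above (payload bytes hidden in pixel colour channels, pulled out with Bitmap.GetPixel()/Color.FromArgb(), then decrypted and gzip-decompressed) is the step an analyst most often needs to reproduce outside the sample. The following Python is an added analyst-side example, not code from the FortiGuard post or from the malware: it models the pixel grid as rows of 32-bit ARGB integers (the value Color.ToArgb() yields in .NET), walks it the way the loader's GetPixel loop would, and recovers the embedded file. The length prefix, the single-byte XOR standing in for the unspecified decryption, and the fake "MZ" payload are all constructed assumptions so the script runs offline; the encoder exists only to produce test input.

```python
import gzip
import struct

# Constructed stand-in for the embedded executable. It is NOT a real PE file;
# only the "MZ" signature is meaningful, so the extractor has something to check.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed payload body " * 8

# Placeholder key: the post says "decryption" without naming the cipher, so a
# single-byte XOR is assumed here purely to exercise the decrypt step.
ASSUMED_XOR_KEY = 0x5A


def pack_argb(a, r, g, b):
    """Pack four channel bytes into the 32-bit ARGB integer .NET's Color.ToArgb() returns."""
    return (a << 24) | (r << 16) | (g << 8) | b


def unpack_argb(argb):
    """Inverse of pack_argb: the A, R, G, B bytes an analyst reads back per pixel."""
    return ((argb >> 24) & 0xFF, (argb >> 16) & 0xFF, (argb >> 8) & 0xFF, argb & 0xFF)


def build_bitmap(payload, key=ASSUMED_XOR_KEY, width=64):
    """Constructed encoder used only to generate test input.
    Layout assumption: gzip -> XOR -> 4-byte little-endian length prefix ->
    bytes spread four per pixel, row-major, zero padded to a full grid."""
    enc = bytes(b ^ key for b in gzip.compress(payload))
    blob = struct.pack("<I", len(enc)) + enc
    row_bytes = width * 4
    height = -(-len(blob) // row_bytes)            # ceiling division
    blob = blob.ljust(height * row_bytes, b"\x00")
    pixels = []
    for y in range(height):
        row = []
        for x in range(width):
            off = (y * width + x) * 4
            row.append(pack_argb(*blob[off:off + 4]))
        pixels.append(row)
    return pixels, width, height


def extract_payload(pixels, width, height, key=ASSUMED_XOR_KEY):
    """Analyst-side extractor mirroring the loader's GetPixel()/FromArgb() loop:
    concatenate every pixel's channel bytes, honour the length prefix,
    undo the (assumed) XOR, then gzip-decompress to the original file."""
    raw = bytearray()
    for y in range(height):
        for x in range(width):
            raw.extend(unpack_argb(pixels[y][x]))
    n = struct.unpack_from("<I", raw, 0)[0]
    if n > len(raw) - 4:
        raise ValueError("length prefix exceeds pixel data; wrong layout or key")
    dec = bytes(b ^ key for b in raw[4:4 + n])
    return gzip.decompress(dec)


def looks_like_pe(data):
    """Cheap triage check: a recovered blob starting with 'MZ' is worth treating as an executable."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    pix, w, h = build_bitmap(FAKE_PAYLOAD)
    recovered = extract_payload(pix, w, h)
    print(f"bitmap {w}x{h}, recovered {len(recovered)} bytes, PE signature: {looks_like_pe(recovered)}")
```

Against a real sample, the pixel rows would come from the resource's bitmap (e.g. via a .NET resource reader or an image library) and the decrypt step would be replaced with whatever the de-obfuscated loader actually does; the length-prefix sanity check is what catches a wrong key or channel order early instead of feeding garbage to gzip.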