We continue our series of articles devoted to malware analysis. IN In part, we told how Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, conducted a detailed analysis of a file received by mail from one of the European companies and discovered spyware there agent Tesla. In this article, Ilya provides the results of a step-by-step analysis of the main module agent Tesla.
Agent Tesla is a modular malware-as-a-service spyware package disguised as a legitimate keylogger product. Agent Tesla is capable of extracting and transmitting user credentials from browsers, email clients and FTP clients to the server to attackers, registering clipboard data, and capturing the device screen. At the time of the analysis, the official website of the developers was unavailable.
Configuration file
The table below lists which functionality applies to the sample you are using:
| Description | Value |
| KeyLogger usage flag | true |
| ScreenLogger usage flag | false |
| KeyLogger log sending interval in minutes | 20 |
| ScreenLogger log sending interval in minutes | 20 |
| Backspace key handling flag. False – logging only. True – erases the previous key | false |
| CNC type. Options: smtp, webpanel, ftp | smtp |
| Thread activation flag for terminating processes from the list “%filter_list%” | false |
| UAC disable flag | false |
| Task manager disable flag | false |
| CMD disable flag | false |
| Run window disable flag | false |
| Registry Viewer Disable Flag | false |
| Disable system restore points flag | true |
| Control panel disable flag | false |
| MSCONFIG disable flag | false |
| Flag to disable the context menu in Explorer | false |
| Pin flag | false |
| Path for copying the main module when pinning it to the system | %startupfolder% %insfolder%%insname% |
| Flag for setting the “System” and “Hidden” attributes for the main module assigned to the system | false |
| Flag to perform a restart when pinned to the system | false |
| Flag for moving the main module to a temporary folder | false |
| UAC bypass flag | false |
| Date and time format for logging | yyyy-MM-dd HH:mm:ss |
| Flag for using a program filter for KeyLogger | true |
| Type of program filtering. 1 – the program name is searched in the window titles 2 – the program name is looked for in the window process name |
1 |
| Program filter | "facebook" "twitter" "gmail" "instagram" "movie" "skype" "porn" "hack" "whatsapp" "discord" |
Attaching the main module to the system
If the corresponding flag is set, the main module is copied to the path specified in the config as the path to be assigned to the system.
Depending on the value from the config, the file is given the attributes “Hidden” and “System”.
Autorun is provided by two registry branches:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun%insregname%
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun %insregname%
Since the bootloader injects into the process RegAsm, setting the persistent flag for the main module leads to quite interesting consequences. Instead of copying itself, the malware attached the original file to the system RegAsm.exe, during which the injection was carried out.
Interaction with C&C
Regardless of the method used, network communication begins with obtaining the external IP of the victim using the resource [.]amazonaws[.]com/.
The following describes the network interaction methods presented in the software.
webpanel
The interaction takes place via the HTTP protocol. The malware executes a POST request with the following headers:
- User-Agent: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Connection: Keep-Alive
- Content-Type: application / x-www-form-urlencoded
The server address is specified by the value %PostURL%. The encrypted message is sent in the parameter «P». The encryption mechanism is described in section "Encryption Algorithms" (Method 2).
The transmitted message looks like this:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
Parameter type indicates the message type:
hwid — an MD5 hash is recorded from the values of the motherboard serial number and processor ID. Most likely used as a User ID.
team — serves to transmit the current time and date.
pcname - defined as <Username>/<Computer name>.
logdata — log data.
When transmitting passwords, the message looks like:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
The following are descriptions of the stolen data in the format nclient[]={0}nlink[]={1}nusername[]={2}npassword[]={3}.
smtp
The interaction takes place via the SMTP protocol. The transmitted letter is in HTML format. Parameter BODY has the form:
The header of the letter has the general form: <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The contents of the letter, as well as its attachments, are not encrypted.
The interaction takes place via the FTP protocol. A file with the name is transferred to the specified server <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html. The contents of the file are not encrypted.
Encryption algorithms
This case uses the following encryption methods:
The 1 method
This method is used to encrypt strings in the main module. The algorithm used for encryption is BEA.
The input is a six-digit decimal number. The following transformation is performed on it:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
The resulting value is the index for the embedded data array.
Each array element is a sequence DWORD. When merging DWORD an array of bytes is obtained: the first 32 bytes are the encryption key, followed by 16 bytes of the initialization vector, and the remaining bytes are the encrypted data.
The 2 method
Algorithm used 3DES in mode ECB with padding in whole bytes (PKCS7).
The key is specified by the parameter %urlkey%, however, encryption uses its MD5 hash.
Malicious functionality
The sample under study uses the following programs to implement its malicious function:
key logger
If there is a corresponding malware flag using the WinAPI function SetWindowsHookEx assigns its own handler for keypress events on the keyboard. The handler function begins by getting the title of the active window.
If the application filtering flag is set, filtering is performed depending on the specified type:
- the program name is looked for in the window titles
- the program name is looked up in the window process name
Next, a record is added to the log with information about the active window in the format:
Then information about the key pressed is recorded:
| Key | Record |
| Backspace | Depending on the Backspace key processing flag: False – {BACK} True – erases the previous key |
| CAPSLOCK | {CAPSLOCK} |
| ESC | {ESC} |
| PageUp | {PageUp} |
| Down | ↓ |
| DELETE | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Space | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {END} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Right | → |
| Up | ↑ |
| F1 | {F1} |
| Left | ← |
| PageDown | {PageDown} |
| Insertion | {Insert} |
| Win | {Win} |
| NumLock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {HOME} |
| ENTER | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Other key | The character is in upper or lower case depending on the positions of the CapsLock and Shift keys |
At a specified frequency, the collected log is sent to the server. If the transfer is unsuccessful, the log is saved to a file %TEMP%log.tmp in format:
When the timer fires, the file will be transferred to the server.
ScreenLogger
At a specified frequency, the malware creates a screenshot in the format Jpeg with the value of Quality equal to 50 and saves it to a file %APPDATA %<Random sequence of 10 characters>.jpg. After transfer, the file is deleted.
clipboardlogger
If the appropriate flag is set, replacements are made in the intercepted text according to the table below.
After this, the text is inserted into the log:
Password Stealer
The malware can download passwords from the following applications:
| Browsers | Email clients | FTP clients |
| Chrome | Outlook | fileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| Safari | Opera Mail | CoreFTP |
| Opera Browser | IncrediMail | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comfortable | eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Postbox | |
| Torch | ClawsMail | |
| 7Star | ||
| Friend | ||
| BraveSoftware | Jabber clients | VPN clients |
| CentBrowser | Psi/Psi+ | Open VPN |
| Chedot | ||
| CocCoc | ||
| Elements Browser | Download Managers | |
| Epic Privacy Browser | Internet Download Manager | |
| Kometa | JDownloader | |
| orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Flock browser | ||
| UC Browser | ||
| blackhawk | ||
| Cyber Fox | ||
| K-Meleon | ||
| ice cat | ||
| Icedragon | ||
| PaleMoon | ||
| waterfox | ||
| Falcon Browser |
Opposition to dynamic analysis
- Using the function Sleep. Allows you to bypass some sandboxes by timeout
- Destroying a thread Zone.Identifier. Allows you to hide the fact of downloading a file from the Internet
- In the parameter %filter_list% specifies a list of processes that the malware will terminate at intervals of one second
- Disconnecting UAC
- Disabling the task manager
- Disconnecting DCM
- Disabling a window "Run"
- Disabling the Control Panel
- Disabling a tool RegEdit
- Disabling system restore points
- Disable the context menu in Explorer
- Disconnecting MSCONFIG
- Bypass UAC:
Inactive features of the main module
During the analysis of the main module, functions were identified that were responsible for spreading across the network and tracking the position of the mouse.
Worm
Events for connecting removable media are monitored in a separate thread. When connected, the malware with the name is copied to the root of the file system scr.exe, after which it searches for files with the extension lnk. Everyone's team lnk changes to cmd.exe /c start scr.exe&start <original command>& exit.
Each directory at the root of the media is given an attribute "Hidden" and a file is created with the extension lnk with the name of the hidden directory and the command cmd.exe /c start scr.exe&explorer /root,"%CD%<DIRECTORY NAME>" & exit.
MouseTracker
The method for performing interception is similar to that used for the keyboard. This functionality is still under development.
File activity
| Path | Description |
| %Temp%temp.tmp | Contains a counter for UAC bypass attempts |
| %startupfolder%%insfolder%%insname% | Path to be assigned to the HPE system |
| %Temp%tmpG{Current time in milliseconds}.tmp | Path for backup of the main module |
| %Temp%log.tmp | Log file |
| %AppData%{An arbitrary sequence of 10 characters}.jpeg | Screenshots |
| C:UsersPublic{An arbitrary sequence of 10 characters}.vbs | Path to a vbs file that the bootloader can use to attach to the system |
| %Temp%{Custom folder name}{File name} | Path used by the bootloader to attach itself to the system |
Attacker Profile
Thanks to the hardcoded authentication data, we were able to gain access to the command center.
This allowed us to identify the final email of the attackers:
junaid[.]in***@gmail[.]com.
The domain name of the command center is registered to the mail sg***@gmail[.]com.
Conclusion
During a detailed analysis of the malware used in the attack, we were able to establish its functionality and obtain the most complete list of indicators of compromise relevant to this case. Understanding the mechanisms of network interaction between malware made it possible to give recommendations for adjusting the operation of information security tools, as well as write stable IDS rules.
Main danger agent Tesla like DataStealer in that it does not need to commit to the system or wait for a control command to perform its tasks. Once on the machine, it immediately begins collecting private information and transfers it to CnC. This aggressive behavior is in some ways similar to the behavior of ransomware, with the only difference being that the latter do not even require a network connection. If you encounter this family, after cleaning the infected system from the malware itself, you should definitely change all passwords that could, at least theoretically, be saved in one of the applications listed above.
Looking ahead, let's say that attackers sending agent Tesla, the initial boot loader is changed very often. This allows you to remain unnoticed by static scanners and heuristic analyzers at the time of attack. And the tendency of this family to immediately start their activities makes system monitors useless. The best way to combat AgentTesla is preliminary analysis in a sandbox.
In the third article of this series we will look at other bootloaders used agent Tesla, and also study the process of their semi-automatic unpacking. Do not miss!
Hash
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
DC
| URL |
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |
RegKey
| registry |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{Script name} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%insregname% |
| HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun%insregname% |
Mutex
There are no indicators.
Files
| File activity |
| %Temp%temp.tmp |
| %startupfolder%%insfolder%%insname% |
| %Temp%tmpG{Current time in milliseconds}.tmp |
| %Temp%log.tmp |
| %AppData%{An arbitrary sequence of 10 characters}.jpeg |
| C:UsersPublic{An arbitrary sequence of 10 characters}.vbs |
| %Temp%{Custom folder name}{File name} |
Samples Info
| Name | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| Type | PE (.NET) |
| Size | 327680 |
| original name | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| date stamp | 01.07.2019 |
| compiler | VB.NET |
| Name | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| Type | PE (.NET DLL) |
| Size | 16896 |
| original name | IELibrary.dll |
| date stamp | 11.10.2016 |
| compiler | Microsoft Linker(48.0*) |
Source: habr.com