SECURITY

Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis

Agent Tesla is a remote access trojan (RAT) written for the .NET framework that has knowingly been in operation since 2014. Threat actors behind this malware have leveraged many different methods to deliver their payload over time including macro enabled Word documents, Microsoft Office vulnerabilities, OLE objects and most recently, compiled HTML help files. Agent Tesla has been in the top 10 most submitted samples in known open malware source repositories in cyber security communities like Malware Bazaar and Any.run. It is a full-featured RAT with multiple ways to exfiltrate organization data through keylogging, screen captures, credential stealing and much more. 

In this blog post, the Splunk Threat Research Team (STRT) describes the different tactics, techniques and procedures mapped to the ATT&CK framework leveraged by this remote access trojan. Additionally, we will highlight the detection analytics we released that can help cyber defenders in identifying signs of compromise.

Analysis

Identification of Samples

For this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT on August 31st to Malware Bazaar. This sample led us to the “ftp-boloni-ma” tag that compiles several samples of a campaign leveraging the Agent Tesla malware. Specifically, this campaign used a malicious compiled HTML (.CHM) file as a delivery method to drop and execute its first and second stages and load the remote access trojan. 

High level flow of process execution for this sample is shown on Figure 1:

Figure 1.1 shows the list of hashes that have this tag.

Security teams that would like to understand how the execution of compiled HTML files looks like against their prevention or detection controls, we recommend having a look at the AtomicTestHarness for CHM and the Atomic Red Team technique T1218.001 built by the Red Canary team.

T1566.001 - Spear Phishing Attachment

This Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and gain an initial foothold on the victim endpoint. The file has an embedded and obfuscated JavaScript script that invokes PowerShell to download a second stage.

Figure 1.1 shows the .chm file loading upon execution.

Figure 1.2 shows the obfuscated and deobfuscated versions of the embedded Javascript code. Once executed, it will invoke PowerShell.exe to download extra content from the Internet using the System.Net WebClient class and the DownloadString method.

The Loader

T1059.001 - Command and Scripting Interpreter: PowerShell

The downloaded file, disguised as a text .txt file, is in reality a PowerShell script shown on Figure 2. This obfuscated second stage script is the one responsible for loading the actual Agent Tesla malware in memory. 

The variable named $TzbW contains a string that when deobfuscated, implements the tMCfkSD function also shown on Figure 2. This function will in turn deobfuscate and decompress the array of bytes stored in the variable named $zmOo. This deobfuscated and decompressed version is the actual .NET assembly Agent Tesla malware that will be executed in memory using PowerShell reflection.

Figure 2 shows the main parts of this second stage component and the gzip decompression function.

Figure 2.1 shows a screenshot of a simple python script we wrote to deobfuscate the PowerShell function Agent Tesla’s second stage uses to decompress and deobfuscate the binary stored in the $zmOo array byte variable. The python script can be found on Github agent_function_loader_deobfus.py

This loader will deobfuscate and load the Agent Tesla malware in memory stream using .NET Reflection. This part of its execution can be considered as fileless malware since it doesn't drop the AgentTesla malware on the disk but executes it in memory stream.

Figure 2.2 shows the python script we wrote to extract the actual AgentTesla malware binary. This python script will drop the Agent Tesla malware as agent_unpack.bin in the current working directory. The script can be found on Github agent_function_loader_deobfus2.py.

Agent Tesla Analysis

Packer/ Obfuscator

The Agent Tesla sample extracted in the second stage component is a .NET compiled binary obfuscated with the opensource Obfuscar .NET obfuscator. Using the DIE tool we can identify the obfuscation method and the compilation type of this file in Figure 3. Adversaries will pack or obfuscate their payloads in hope that it evades critical controls like mail gateways, sandboxes and anti-virus software.

Discovery - TA0007

T1033 - System Owner/User Discovery

On every check in to the command and control server (via the FTP, HTTP or SMTP protocols), this Agent Tesla sample parses and submites the user name, computer name, operating system version and total physical memory of the compromised endpoint.

Figure 4

Execution - TA0002

T1204.002 - Malicious File

This particular Agent Tesla sample includes the ability to download a remote file from one of its C2 servers and save it to the hardcoded path “%temp%\LUU”. The final step of the function will also execute the downloaded file. Unfortunately the URL was inaccessible as of writing.

Figure 4 shows the code snippet of how it captures the system information of the compromised machine as part of its C2 communication.

Persistence - TA0003

T1547.001 - Registry Run / Startup Folder

If enabled, Agent Tesla has two built in persistence mechanisms to be able to load itself upon boot. It is either by dropping a copy of itself in the %startup folder% or by adding registry run keys. 

Figure 5.1 and Figure 5.2 shows a short code snippet how it can create Registry Run Keys and possible entry on startup folder for its persistence(T1547.001).

Figure 5.1

Figure 5.2

Credential Access - TA0006

Agent Tesla implements several techniques to collect sensitive information on the compromised endpoint.

T1555.003 - Credentials from Web Browsers

The first technique is parsing credentials or sensitive browser data.  Agent Tesla includes a list of targeted browsers to parse the login credentials, browser cookies, browser profiles and grab browser .sqlite database files. Figure 6 shows a short code snippet of the function renamed as “mw_parsing_browser_db” that contains the list of browsers that Agent Tesla attempts to parse or copy the “cookies.sqlite” database file.

Below is a complete table list of targeted browsers.

Targeted Browsers (Browser Name, Browsers Target Directory)

  • "Firefox", "%APPDATA%\\Mozilla\\Firefox\\"
  • "IceCat", "%APPDATA%\\Mozilla\\icecat\\"
  • "PaleMoon", "%APPDATA%\\Moonchild Productions\\Pale Moon\\"
  • "SeaMonkey", "%APPDATA%\\Mozilla\\SeaMonkey\\"
  • "Flock", "%APPDATA%\\Flock\\Browser\\"
  • "K-Meleon", "%APPDATA%\\K-Meleon\\"
  • "Postbox", "%APPDATA%\\Postbox\\"
  • "Thunderbird", "%APPDATA%\\Thunderbird\\"
  • "IceDragon", "%APPDATA%\\Comodo\\IceDragon\\"
  • "WaterFox", "%APPDATA%\\Waterfox\\"
  • "BlackHawk", "%APPDATA%\\NETGATE Technologies\\BlackHawk\\"
  • "CyberFox", "%APPDATA%\\8pecxstudios\\Cyberfox\\"
  • "Opera Browser", "%APPDATA%\\Opera Software\\Opera Stable"
  • "Yandex Browser", "%APPDATA%\\Yandex\\YandexBrowser\\User Data"
  • "Iridium Browser", "%APPDATA%\\Iridium\\User Data"
  • "Chromium", "%APPDATA%\\Chromium\\User Data"
  • "7Star", "%APPDATA%\\7Star\\7Star\\User Data"
  • "Torch Browser", "%APPDATA%\\Torch\\User Data"
  • "Cool Novo", "%APPDATA%\\MapleStudio\\ChromePlus\\User Data"
  • "Kometa", "%APPDATA%\\Kometa\\User Data"
  • "Amigo", "%APPDATA%\\Amigo\\User Data"
  • "Brave", "%APPDATA%\\BraveSoftware\\Brave-Browser\\User Data"
  • "CentBrowser", "%APPDATA%\\CentBrowser\\User Data"
  • "Chedot", "%APPDATA%\\Chedot\\User Data"
  • "Orbitum", "%APPDATA%\\Orbitum\\User Data"
  • "Sputnik", "%APPDATA%\\Sputnik\\Sputnik\\User Data"
  • "Comodo Dragon", "%APPDATA%\\Comodo\\Dragon\\User Data"
  • "Vivaldi", "%APPDATA%\\Vivaldi\\User Data"
  • "Citrio", "%APPDATA%\\CatalinaGroup\\Citrio\\User Data"
  • "360 Browser", "%APPDATA%\\360Chrome\\Chrome\\User Data"
  • "Uran", "%APPDATA%\\uCozMedia\\Uran\\User Data"
  • "Liebao Browser", "%APPDATA%\\liebao\\User Data"
  • "Elements Browser", "%APPDATA%\\Elements Browser\\User Data"
  • "Epic Privacy", "%APPDATA%\\Epic Privacy Browser\\User Data"
  • "Coccoc", "%APPDATA%\\CocCoc\\Browser\\User Data"
  • "Sleipnir 6", "%APPDATA%\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer"
  • "Opera", "%APPDATA%\\Opera Software\\Opera Stable"
  • "Comodo Dragon", "%APPDATA%\\"Comodo\\Dragon\\User Data"
  • "Chrome", "%APPDATA%\\Google\\Chrome\\User Data"
  • "Yandex", "%APPDATA%\\"Yandex\\YandexBrowser\\User Data"
  • "SRWare Iron", "%APPDATA%\\"Chromium\\User Data"
  • "Torch Browser", "%APPDATA%\\"Torch\\User Data"
  • "Brave Browser", "%APPDATA%\\"BraveSoftware\\Brave-Browser\\User Data"
  • "CoolNovo", "%APPDATA%\\"MapleStudio\\ChromePlus\\User Data"
  • "7Star", "%APPDATA%\\"7Star\\7Star\\User Data"
  • "Epic Privacy Browser", "%APPDATA%\\"Epic Privacy Browser\\User Data"
  • "Amigo", "%APPDATA%\\"Amigo\\User Data"
  • "CentBrowser", "%APPDATA%\\"CentBrowser\\User Data"
  • "CocCoc", "%APPDATA%\\"CocCoc\\Browser\\User Data"
  • "Chedot", "%APPDATA%\\"Chedot\\User Data"
  • "Elements Browser", "%APPDATA%\\"Elements Browser\\User Data"
  • "Kometa", "%APPDATA%\\"Kometa\\User Data"
  • "Citrio", "%APPDATA%\\"CatalinaGroup\\Citrio\\User Data"
  • "Coowon", "%APPDATA%\\"Coowon\\Coowon\\User Data"
  • "Liebao Browser", "%APPDATA%\\"liebao\\User Data"
  • "QIP Surf", "%APPDATA%\\"QIP Surf\\User Data"
  • "QQ Browser", "%APPDATA%\\"Tencent\\QQBrowser\\User Data"
  • "UC Browser", "%APPDATA%\\"UCBrowser\\"
  • "Orbitum", "%APPDATA%\\"Orbitum\\User Data"
  • "Sputnik", "%APPDATA%\\"Sputnik\\Sputnik\\User Data"
  • "uCozMedia", "%APPDATA%\\"uCozMedia\\Uran\\User Data"
  • "Vivaldi", "%APPDATA%\\"Vivaldi\\User Data"
  • "QIP Surf", "%APPDATA%\\QIP Surf\\User Data"
  • "Coowon", "%APPDATA%\\Coowon\\Coowon\\User Data"

T1555.005 - Password Managers

Aside from stealing browser secrets, it also attempts to steal passwords from commonly used applications like OpenVpn, FileZilla and Mailbird. It accomplishes this by reading registry entries, decrypting/decoding or parsing local databases or by reading configuration files. The table below is the list of the targeted applications that are related to this data collection.

 

OPEN VPN
FLASHFXP
WINSCP
NORDVPN
IE EDGE
PALE MOON
FTP CMDER
ICECAT
INCREDIMAIL
PIA 
CYBERFOX
POC MAIL
POSTBOX
OUTLOOK
FTP GETTER
RimArts
MAILBIRD
FLOCK BROWSER
OPERA
QQBROWSER
WS_FTP
MS CREDENTIALS
ManagerMULTI-VNC
THUNDERBIRD
UC BROWSERS
MYSQL WORKBENCH
FALKON
APPLE KEYCHAIN
WATERFOX
JDOWNLOADER DB
SMARTFTP
TRILLIAN
COREFTPCLAWS MAIL
FILEZILLA
AEROFOX
BLACKHAWK
EM CLIENT
SEA MONKEY
ICE DRAGON
PSI
DOWNLOADMGR
K-MELEON
FTP NAVI
UBATMAILBIRD

T1056.001 - KeyLogging

This Agent Tesla sample is also capable of installing a Keylogger on the compromised host. It uses the SetWindowsHookEx Windows API to install a hook procedure that monitors low-level keyboard input events. Figure 7 shows the code snippet where it setup the windows hook procedure for keyboard events.

Figure 7

Command And Control - TA0011

T1090.003 - TOR Proxy

Agent Tesla also uses TOR proxy for its HTTP requests. It tries to download a TOR application on a specific TOR website. Figure 8 shows its function that downloads the TOR browser that will be saved as “tor.zip” file in the%appdata% folder.

Figure 8

Collection - TA0009

T1113 - Screen Capture

Figure 9 shows the code snippet of how Agent Tesla software captures the desktop screenshot of the compromised machine and it will be saved in the memory stream and later sent to its C2 server.

Figure 9

Exfiltration - TA0010

T1041 - Exfiltration Over C2 Channel

During analysis of this Agent Tesla sample it was identified to have 3 ways to exfiltrate stolen sensitive information of the compromised host. The exfiltrated data may be either sent via FTP, SMTP and HTTP command and control server. Figure 10 shows the code snippet on how the agent will set up each method to exfiltrate data.

The remote C2 server was down during the analysis of this sample. STRT experimented with its SMTP communication to be able to see how the exfiltrated data looks like on the attacker side. We used a fake SMTP server by rnwood (smtp4dev) to forward all the exfiltrated data of this sample.

Attacker Perspective

Data Exfiltration

Figure 11 shows the email sent by the Agent Tesla to the fake SMTP server containing a .zip file attachment with the filename format “CO_<username>/<ComputerName><DateTime>.zip”. 

This .zip file contains the collected browser data, which in our case is the cookie.sqlite file.  

In addition, it includes the basic system information which is the UserName, ComputerName, OSFullName, CPU and RAM.

Figure 11

Figure 12 shows the email sent by the Agent Tesla malware related to the desktop screenshots of the compromised machine. We can see that it has same format email body  that contain system information, except that the format of the desktop screenshot .jpeg file is “SC_<username>/<ComputerName><DateTime>.jpeg”

Figure 12

Lastly Figure 13.1 (notepad++) and 13.2 (firefox) shows the email sent by this sample during our testing related to its keylogging feature. This malware checks if the log.tmp (keylog file) in %temp% exists; if not, it will directly send the keystroke that keylogs in its C2, in this case via SMTP.

Below shows the couple of keys typed by the user and the process related to that keystroke.

Figure 13.1

Figure 13.2

For this type of exfiltration the subject of the email has a format of “KL_<username>/<ComputerName>”.

Detections

Below is the table list for detections that the STRT developed to identify possible Agent Tesla behavior and malicious .chm behavior. 

Type 

Name

Technique ID

Tactic

Description

TTP

Detect Html Help Spawn Child Process

T1218.001

Defense Evasion

The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process.

Anomaly

Excessive Usage Of Taskkill

T1562.001

Defense Evasion

This analytic identifies excessive usage of taskkill.exe application.

TTP

Executables Or Script Creation In Suspicious Path

T1036

Defense Evasion

This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows.

Anomaly

Non Chrome Process Accessing Chrome Default Dir

T1555.003

Credential Access

This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder.

Anomaly

Non Firefox Process Access Firefox Profile Dir

T1555.003

Credential Access

This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder.

TTP

Office Application Drop Executable

T1566.001

Initial Access

This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System.

TTP

Office Application Spawn Rundll32 Process

T1566.001

Initial Access

This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code.

TTP

Office Document Executing Macro Code

T1566.001

Initial Access

this detection was designed to identifies suspicious office documents

  that using macro code.

Hunting

Powershell Connect To Internet With Hidden Window

T1059

Execution

The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint.

TTP

Scheduled Task Deleted Or Created Via Cmd

T1053.005

Execution, Persistence, Privilege Escalation

The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line.

TTP

Suspicious Process File Path

T1543

Execution, Persistence, Privilege Escalation

The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software.

TTP

Detect Html Help Spawn Child Process

T1218.001

Defense Evasion

The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process.

TTP

Registry Keys Used For Persistence (mod)

T1546.012

Persistence, Privilege Escalation

This search looks for modifications to registry keys that can be used to elevate privileges.

Hunting

Windows Iso Lnk File Creation (mod)

T1566.001

Initial Access

The following analytic identifies the use of a delivered ISO file that has been mounted and the aforementioned lnk or file opened within it.

Hunting

Windows Phishing Recent Iso Exec Registry (mod)

T1566.001

Initial Access

The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system.

TTP

Powershell Loading Dotnet Into Memory Via Reflection (mod)

T1059.001

Execution

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.

Hunting

Windows File Transfer Protocol In Non Common Process Path(new)

T1071.003

Command and Control

The following analytic identifies a possible windows application having a FTP connection  in a non common installation path in windows operating system.

Anomaly

Windows Mail Protocol In Non Common Process Path (new)

T1071.003

Command and Control

The following analytic identifies a possible windows application having a SMTP connection  in a non common installation path in windows operating system.

Anomaly

Windows Multi Hop Proxy Tor Website Query (new)

T1071.003

Command and Control

The following analytic identifies a dns query to a known TOR proxy website.

Automate with SOAR Playbooks 

All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can also be used in conjunction with some of the previously described analytics:

Playbook

Description

Internal Host SSH Investigate

Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity and network activity. This includes the process list, login history, cron jobs and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

Internal Host WinRM Investigate

Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.

Delete Detected Files

This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a “more” command on the file in question to extract its contents. We then run a delete on the file in question.

 

Why Should You Care?

With this article the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk customers to identify the Agent Tesla tactics, techniques and procedures. By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this type of threats.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras, Michael Haag, Mauricio Velazco and Lou Stella for their contributions to this post.

 

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content