Introduction
FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.
Recently, FortiSandbox detected a PDF document used to deploy Agent Tesla malware. Agent Tesla is a prominent .NET-based remote access trojan (RAT) that specializes in data theft and has been active for over a decade. The PDF is distributed via phishing email. When opened, it prompts the user to click a download icon that retrieves a compressed file from a remote server. Extracting the downloaded file reveals an executable disguised as another PDF, which finally executes the Agent Tesla payload. Compared to past variants, this variant of Agent Tesla employs a new technique: it injects its code into legitimate .NET processes to avoid detection.
FortiSandbox excels at identifying and analyzing such threats by executing malware within a controlled environment that mimics real-world user scenarios. This method allows us to observe the malware's behavior in detail and understand its attack vectors. All information in this article is based on the Job Detail report generated by FortiSandbox. A reverse engineering of the malware was also conducted to explore other capabilities and provide a deeper understanding of its operations. Through this exploration, readers will gain insight into the robust detection mechanisms of FortiSandbox and its vital role in protecting against sophisticated malware threats.
Analysis
This article demonstrates FortiSandbox's capability to detect, mitigate, and document the behavior of Agent Tesla. Figure 1 provides a chain-of-attack diagram illustrating the malware's attack process. Additionally, a tree-view diagram (Figures 2a and 2b) details the sequence of execution, outlining the chronological order in which the malware's actions and processes occur. This visual representation offers valuable insight into the malware's behavior, allowing analysts to trace the flow of operations and understand how Agent Tesla operates.
Figure 1. Chain of Attack
Figure 2a. Chain of Execution provided by FortiSandbox
Figure 2b. Chain of execution provided by FortiSandbox
Additionally, suspicious indicators triggered during analysis were recorded (Figure 3), providing further context and aiding in the identification of potentially malicious activities. FortiSandbox classified the malware as High-Risk, as observed in Figure 4, emphasizing its severity.
Figure 3. FortiSandbox Indicators with Severity Ratings
Figure 4. FortiSandbox Classification of the Analyzed Malware Sample
In the initial phase of the attack, the PDF document is used as a phishing tool to lure the user into clicking on a download icon. It claims to be encrypted using Adobe Secure Cloud and requires the user to download the file. Figure 5 illustrates the phishing PDF involved in this phase.
Figure 5. PDF document asking user to download a file
After the user clicks the download icon, the PDF document connects to a remote server and downloads a ZIP file named Picture Drawing Design_f_d_p_.zip into the %Download% folder, as shown in Figure 6. FortiSandbox monitors this activity, logs the URL, and flags it as a malicious website. This alert informs users of the potential threat, highlighting the danger associated with the downloaded file.
Figure 6. Malicious URL where the PDF document connects to
Upon unzipping the file, the archive reveals an executable disguised as a PDF document named Picture Drawing Design.pdf, as depicted in Figure 7. This executable is designed to run the main payload, initiating the malware's primary activities on the system. FortiSandbox evaluated the behavior associated with this file and assigned it a High-Risk rating, indicating its significant potential for harm.
Figure 7. Downloaded file 'Picture Drawing Design.pdf'
Furthermore, FortiSandbox logs all captured behaviors in tracer.log, including registry modifications and commands executed by the malware. One such modification is part of the malware's strategy to further compromise the system. Specifically, the malware targets the registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Data 0
and sets its value to 0. This action disables User Account Control (UAC), preventing the system from prompting for elevation when applications require administrative permissions, which reduces security. Subsequently, the malware attempts to execute the following command:
powershell.exe Add-MpPreference -ExclusionPath "c:\work\7254630693679936793.exe" -Force
This command configures Microsoft Defender Antivirus to exclude a specific file from scans. By using this command, the malware excludes itself, allowing it to bypass security measures and maintain persistence on the system.
This variant of Agent Tesla uses a new method: it injects its code into a legitimate .NET process. While it can choose any .NET process, in our analysis it targeted jsc.exe, the JScript .NET compiler executable that ships with the .NET Framework on Windows and compiles JavaScript code for .NET applications. After bypassing the security measures mentioned earlier, Agent Tesla spawns the chosen .NET process in a suspended state and replaces its memory content with its own malicious code using a method known as process hollowing. This technique conceals the malware's presence, making it significantly more challenging for traditional security tools to detect and remove. By embedding itself within a trusted process, Agent Tesla operates covertly, avoiding detection while continuing its malicious activities. Figure 8 shows FortiSandbox logging this behavior.
Figure 8. Process Injection into jsc.exe
In the final phase, Agent Tesla collects sensitive information from the victim's system, including saved credentials from browsers. Additionally, it can record keystrokes, capturing every action the victim takes. Figure 9 shows the behavior logged by FortiSandbox indicating the use of a keyboard hook. The SetWindowsHookEx function allows Agent Tesla to intercept and log keystrokes by capturing keyboard input, enabling it to monitor and record all user input on the infected system.
Figure 9. Using SetWindowsHookEx to record keystrokes
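The four behaviors described above (the EnableLUA change, the Add-MpPreference exclusion, the suspended spawn of jsc.exe followed by memory writes into it, and the SetWindowsHookEx keyboard hook) can be expressed as a small set of triage rules run over a behavioral trace. The Python below is an added example, not FortiSandbox code: its pipe-delimited trace format, the PIDs, and the benign notepad line are constructed for the demonstration and do not reproduce the layout of FortiSandbox's tracer.log. The registry path and the PowerShell command line are the ones quoted in the report; the technique IDs follow the report's ATT&CK table, except that the hollowing finding is labeled with the parent technique T1055.

```python
"""Triage rules for the Agent Tesla behaviors described in the report.

Added example, not FortiSandbox code. The trace format used here
('api|pid|process|detail|key=value...') is constructed for the demo and is
not the real tracer.log layout; PIDs and the notepad line are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (parent T1055 used for the hollowing pattern)
    summary: str
    line: str


# Constructed trace lines modelled on the behaviors the report documents.
SAMPLE_TRACE = r"""
RegSetValueEx|7254|Picture Drawing Design.pdf|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|REG_DWORD|0
CreateProcess|7254|Picture Drawing Design.pdf|powershell.exe Add-MpPreference -ExclusionPath "c:\work\7254630693679936793.exe" -Force|new_pid=7300|flags=0
CreateProcess|7254|Picture Drawing Design.pdf|jsc.exe|new_pid=7321|flags=CREATE_SUSPENDED
WriteProcessMemory|7254|Picture Drawing Design.pdf|target_pid=7321|target=jsc.exe
SetWindowsHookEx|7321|jsc.exe|idHook=WH_KEYBOARD_LL
CreateProcess|7254|Picture Drawing Design.pdf|notepad.exe|new_pid=7400|flags=0
"""

UAC_VALUE = r"\Policies\System\EnableLUA".lower()
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.IGNORECASE)


def _kv(fields: list[str]) -> dict[str, str]:
    """Collect the trailing 'key=value' fields of a trace line."""
    out: dict[str, str] = {}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            out[key] = value
    return out


def triage(trace: str) -> list[Finding]:
    """Apply the four rules in order and return every finding."""
    findings: list[Finding] = []
    suspended: dict[str, str] = {}  # new_pid -> image of children spawned suspended
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        api, _pid, proc, *rest = line.split("|")
        kv = _kv(rest)
        detail = rest[0] if rest else ""

        # Rule 1: EnableLUA written as 0 silences UAC prompts (report maps this to T1112).
        if api == "RegSetValueEx" and detail.lower().endswith(UAC_VALUE) and rest[-1] == "0":
            findings.append(Finding("T1112", "UAC disabled via EnableLUA=0", line))

        elif api == "CreateProcess":
            # Rule 2: a Defender exclusion added from the command line (T1562.001).
            if DEFENDER_EXCLUSION.search(detail):
                findings.append(Finding("T1562.001", "Defender exclusion added: " + detail, line))
            # Remember children created suspended; hollowing starts this way.
            if "CREATE_SUSPENDED" in kv.get("flags", "") and "new_pid" in kv:
                suspended[kv["new_pid"]] = detail

        # Rule 3: memory written into a child that was spawned suspended (hollowing pattern).
        elif api == "WriteProcessMemory" and kv.get("target_pid") in suspended:
            image = suspended[kv["target_pid"]]
            findings.append(Finding("T1055", f"memory written into suspended child {image}", line))

        # Rule 4: a keyboard hook installed via SetWindowsHookEx (T1056.001).
        elif api == "SetWindowsHookEx" and kv.get("idHook", "").startswith("WH_KEYBOARD"):
            findings.append(Finding("T1056.001", f"keyboard hook installed by {proc}", line))
    return findings


def techniques(trace: str) -> list[str]:
    """Technique IDs in the order the behaviors appear in the trace."""
    return [f.technique for f in triage(trace)]


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"{f.technique:10} {f.summary}")
```

Run stand-alone it prints one finding per matched line. Rule 3 deliberately keys on the suspended spawn followed by a cross-process write rather than on the image name, so it still fires when a different .NET host than jsc.exe is chosen; the same rules apply to any endpoint telemetry that records registry writes, process-creation flags, cross-process memory writes, and hook installation.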
FortiSandbox is also capable of detecting behavior when malware attempts to access files containing browser login credentials or other sensitive data, as shown by the indicator generated in Figure 10.
Figure 10. Indicator for accessing files that store browser related login credentials or other sensitive data
Table 1 lists the web browsers, email clients, VPNs, and instant messaging applications that Agent Tesla targets to steal their saved credentials. By extracting these credentials, Agent Tesla aims to gain unauthorized access to various accounts and services used by the victim.
| Web Browsers | Email Clients | Virtual Private Networks | Instant Messaging |
|---|---|---|---|
| Opera Software | Outlook | NordVPN | Trillian |
| Yandex Browser | Claw Mail | OpenVPN | |
| Iridium | Fox Mail | Private Internet Access | |
| Chromium | Opera Mail | | |
| 7Star | Poco Mail | | |
| Torch Browser | eM Client | | |
| ChromePlus | Eudora | | |
| Amigo | The Bat! | | |
| Brave Browser | Becky! | | |
| Cent Browser | Windows Mail App | | |
| Chedot | Thunderbird | | |
| Orbitum | IncrediMail | | |
| Sputnik | | | |
| Comodo Dragon | | | |
| Vivaldi | | | |
| Critio | | | |
| 360 Browser | | | |
| Uran | | | |
| Liebao Browser | | | |
| Elements Browser | | | |
| Epic Privacy Browser | | | |
| CocCoc Browser | | | |
| Google Chrome | | | |
| Microsoft Edge | | | |
| UC Browser | | | |
| QQ Browser | | | |
Table 1. List of Targeted Applications
In-Depth Analysis
To gain a deeper understanding of the malware's final-phase behavior, we reverse engineered the sample to gain insight into its operation.
Agent Tesla uses WMI queries to obtain information from the compromised system, including IP address, processor details, operating system version, system name, and username, as illustrated in Figure 11.
Figure 11. Code snippet showing how the malware obtains system information
The stolen data is then transmitted back to the malware author via email using the SMTP protocol. Figure 12 shows the hardcoded email address, smith[.]patton2@yandex[.]com, embedded within the malware's code. This setup ensures that the compromised information is directed to the attacker's email account, facilitating the exfiltration of sensitive data from the victim's system.
Figure 12. Code snippet highlighting the email address used to send data back to attacker
Threat Mitigation
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via inline scanning and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
MITRE ATT&CK
Note: The observed activity listed for each MITRE technique reflects the analyzed campaign and may change in future campaigns.
TA0001 – Initial Access
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1566.002 | The PDF document asks the user to download a file | The initial PDF document asks the user to download the malicious payload by interacting with the PDF |
TA0004 – Privilege Escalation
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1055.009 | The file writes an executable to process memory | Agent Tesla injects its code into a .NET process to avoid detection |
TA0005 – Defense Evasion
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1562.001 | The file tried to disable or modify Windows Defender settings | Modifies Windows Defender to exclude a specified file from being scanned |
| T1112 | The registry of the system was modified to aid in the execution of files | Disables User Account Control (UAC), preventing the system from prompting for elevation when applications require administrative permissions |
TA0006 – Credential Access
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1555.003 | The file attempted to access files that store browser login credentials or other sensitive data | Agent Tesla searches system directories for web browsers, VPNs, email clients, and instant messaging software in an attempt to read sensitive data |
TA0009 – Collection
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1056.001 | The file attempts to obtain or collect sensitive information | Uses the SetWindowsHookEx function to capture user input in order to obtain credentials or collect information |
TA0011 – Command and Control
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1105 | Ingress Tool Transfer | Agent Tesla uses the SMTP protocol to exfiltrate stolen data back to the threat actor. In this instance, the data is sent to the email address smith[.]patton2@yandex[.]com, which receives the exfiltrated information |
IOC
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| Initial PDF document | bf0f5b1b078683e07bae11bf9600ab00 | MD5 hash | Installation | Phishing PDF | 2024-07-29 |
| | f1d5925b4f651a7d09c7ce630c846ddc9350f9023ab46fb94490d0f99a4b9be7 | SHA256 hash | | | |
| Executable disguised as a PDF document | c66cd9de1680610c35ede1b429cf65ce | MD5 hash | Installation | Downloaded executable disguised as a PDF document | 2024-07-29 |
| | f85e38a26729bcbb500d25250e7fa6674aee53737dcb3347bd077f066a78aef6 | SHA256 hash | | | |
| URL | | URL | Remote Server | Remote server from which the malicious executable is downloaded | 2024-07-29 |
| C2 Server | smith[.]patton2@yandex[.]com | Email address | Remote Server | Email address to which the attacker sends the stolen data | 2024-07-29 |
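The hashes and the defanged mailbox in the table above are the values a responder would sweep for. The Python below is an added example, not Fortinet tooling: it streams a file through MD5 and SHA256 and matches the digests against the table, and it refangs the C2 mailbox at runtime so mail-relay logs can be searched for deliveries to it. The hash values and the defanged address are copied from the IOC table; the relay log excerpt, its hostnames, and its addresses are constructed. The download URL is not listed in the report, so no URL matcher is included.

```python
"""IOC matching for the indicators listed in the report's table.

Added example, not Fortinet tooling. The hash values and the defanged mailbox
are copied from the IOC table; the mail-log excerpt is constructed.
"""
from __future__ import annotations

import hashlib
import re

# Hashes from the IOC table, keyed to the artifact they identify.
KNOWN_HASHES = {
    "bf0f5b1b078683e07bae11bf9600ab00": "Initial PDF document (MD5)",
    "f1d5925b4f651a7d09c7ce630c846ddc9350f9023ab46fb94490d0f99a4b9be7": "Initial PDF document (SHA256)",
    "c66cd9de1680610c35ede1b429cf65ce": "Executable disguised as a PDF document (MD5)",
    "f85e38a26729bcbb500d25250e7fa6674aee53737dcb3347bd077f066a78aef6": "Executable disguised as a PDF document (SHA256)",
}
DEFANGED_MAILBOX = "smith[.]patton2@yandex[.]com"  # kept defanged in source; refanged at runtime


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be matched against logs."""
    return indicator.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def digests_of_bytes(data: bytes) -> dict[str, str]:
    """MD5 and SHA256 of an in-memory blob (used by the tests and for small files)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path: str) -> dict[str, str]:
    """Stream a file through both hashes so large downloads are not read into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_digests(digests: dict[str, str]) -> list[str]:
    """Artifact descriptions whose MD5 or SHA256 appears in the IOC table."""
    candidates = (digests["md5"].lower(), digests["sha256"].lower())
    return [KNOWN_HASHES[h] for h in candidates if h in KNOWN_HASHES]


def match_file(path: str) -> list[str]:
    return match_digests(digests_of_file(path))


def find_exfil_recipient(mail_log: str) -> list[str]:
    """Mail-log lines addressed to the refanged C2 mailbox."""
    needle = re.compile(re.escape(refang(DEFANGED_MAILBOX)), re.IGNORECASE)
    return [ln for ln in mail_log.splitlines() if needle.search(ln)]


# Constructed SMTP relay log excerpt: one delivery to the C2 mailbox, one unrelated.
SAMPLE_MAIL_LOG = (
    "2024-07-29T10:15:02Z relay=mail.example.invalid from=victim@example.invalid "
    f"to={refang(DEFANGED_MAILBOX)} size=18231 status=sent\n"
    "2024-07-29T10:16:44Z relay=mail.example.invalid from=alice@example.invalid "
    "to=bob@example.invalid size=2048 status=sent\n"
)

if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        print(path, match_file(path) or "no match")
    for hit in find_exfil_recipient(SAMPLE_MAIL_LOG):
        print("exfil candidate:", hit)
```

Pass file paths on the command line to hash and match them; the mail-log sweep runs against the embedded sample. Matching on both digests catches a table entry even when only one hash type was recorded, and keeping the mailbox defanged in source avoids the address itself becoming a live link in copies of the script.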
This variant of Agent Tesla is detected by FortiGuard Antivirus as MSIL/GenKryptik.GZOT!tr (https://www.fortiguard.com/encyclopedia/virus/10185665) and MSIL/GenKryptik.GZQO!tr.