FortiSandbox
FortiSandbox provides a solution to protect against advanced threats and ransomware for companies who don’t want to implement and maintain a sandbox environment on their own.
KByteS
Staff
Article Id 331764

Introduction

 

FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.

 

Recently, FortiSandbox detected a PDF document used to deploy Agent Tesla malware. This malware is a prominent .NET-based remote access trojan (RAT) that specializes in data theft and has been active for over a decade. The PDF is distributed via phishing email. When opened, it prompts users to click a download icon that retrieves a compressed file from a remote server. Extracting the downloaded file reveals an executable disguised as another PDF, which finally executes the Agent Tesla malware. Compared to past variants, this variant of Agent Tesla employs a new technique that involves injecting its code into legitimate .NET processes to avoid detection.

FortiSandbox excels at identifying and analyzing such threats by executing malware within a controlled environment that mimics real-world user scenarios. This method allows us to observe the malware's behavior in detail and understand its attack vectors. All information in this article is based on the Job Detail report generated by FortiSandbox. A reverse engineering of the malware was also conducted to explore other capabilities and provide a deeper understanding of its operations. Through this exploration, readers will gain insight into the robust detection mechanisms of FortiSandbox and its vital role in protecting against sophisticated malware threats.

 

 

Analysis

 

This article demonstrates FortiSandbox's capability to detect, mitigate, and document the behavior of Agent Tesla. Figure 1 provides a chain-of-attack diagram illustrating the malware's attack process. Additionally, a tree view diagram (Figure 2a and Figure 2b) details the sequence of execution, outlining the chronological order in which various actions and processes occur within the malware. This visual representation offers valuable insight into the malware's behavior, allowing analysts to trace the flow of operations and understand how Agent Tesla operates.

Figure 1. Chain of Attack

Figure 2a. Chain of Execution provided by FortiSandbox

Figure 2b. Chain of execution provided by FortiSandbox

 

 

 

Additionally, suspicious indicators triggered during analysis were recorded (Figure 3), providing further context and aiding in the identification of potentially malicious activities. FortiSandbox classified the malware as High-Risk as observed in Figure 4, emphasizing its severity.

Figure 3. FortiSandbox Indicators with Severity Ratings

Figure 4. FortiSandbox Classification of the Analyzed Malware Sample

 

 

In the initial phase of the attack, the PDF document is used as a phishing tool to lure the user into clicking on a download icon. It claims to be encrypted using Adobe Secure Cloud and requires the user to download the file. Figure 5 illustrates the phishing PDF involved in this phase.

Figure 5. PDF document asking the user to download a file

 

 

 

After the user clicks the download icon, the PDF document connects to a remote server and downloads a ZIP file named Picture Drawing Design_f_d_p_.zip into the %Download% folder, as shown in Figure 6. FortiSandbox monitors this activity, logs the URL and flags it as a malicious website. This alert informs users of the potential threat, highlighting the dangers associated with the downloaded file.

Figure 6. Malicious URL the PDF document connects to

 

 

Upon unzipping the file, the archive reveals an executable disguised as a PDF document named Picture Drawing Design.pdf, as depicted in Figure 7. This executable is designed to run the main payload, initiating the malware's primary activities on the system. FortiSandbox evaluated the behavior associated with this file and assigned it a High-Risk rating, indicating its significant potential for harm.

Figure 7. Downloaded file 'Picture Drawing Design.pdf'

 

 

Furthermore, FortiSandbox logs all captured behaviors in tracer.log, including registry modifications and commands executed by the malware. One such modification is part of the malware's strategy to further compromise the system. Specifically, the malware targets the registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Data 0

 

 

and sets its value to 0. This action disables User Account Control (UAC), preventing the system from prompting for elevation when applications require administrative permissions, which reduces security. Subsequently, the malware attempts to execute the following command:

powershell.exe Add-MpPreference -ExclusionPath "c:\work\7254630693679936793.exe" -Force

 

 

This command configures Microsoft Defender Antivirus to exclude a specific file from scans. By using this command, the malware excludes itself, allowing it to bypass security measures and maintain persistence on the system.
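As an added example (not part of the article and not FortiSandbox output), the following PowerShell audit checks a host for the two changes just described, the EnableLUA value and Defender path exclusions, and looks for the Windows event log entries that record how an exclusion was added. The path patterns it flags are this example's own heuristics.

```powershell
# Added example, not from the article: audit a Windows host for the two defense-evasion
# changes described above. Run from an elevated PowerShell session.
$findings = @()

# 1. UAC: EnableLUA is 1 on a healthy system; the malware writes 0.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($enableLua -ne 1) {
    $findings += "EnableLUA is '$enableLua' (expected 1): UAC elevation prompts are disabled"
}

# 2. Defender path exclusions: flag any that name a single executable or sit under a
#    user-writable or ad-hoc directory (heuristic; the sample excluded c:\work\<name>.exe).
$exclusions = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
foreach ($path in $exclusions) {
    if ($path -match '(?i)\.exe$' -or $path -match '(?i)^[a-z]:\\(users|work|temp|windows\\temp)\\') {
        $findings += "Review Defender exclusion: $path"
    }
}

# 3. How the exclusion got there: Defender logs every configuration change as event 5007
#    (the message names the Exclusions\Paths registry value), and PowerShell script-block
#    logging (event 4104), when enabled, records the Add-MpPreference call itself.
$filters = @(
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 },
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational';      Id = 4104 }
)
foreach ($f in $filters) {
    $events = Get-WinEvent -FilterHashtable $f -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths|Add-MpPreference' }
    foreach ($e in $events) {
        $first = ($e.Message -split '\r?\n')[0]
        $findings += "Event $($e.Id) at $($e.TimeCreated): $first"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Event 4104 entries only exist if script block logging is turned on, so an empty result there is not evidence of absence; the 5007 entry is written by Defender itself regardless.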

 

This variant of Agent Tesla uses a new method by injecting its code into a legitimate .NET process. While it can choose any .NET process, in our analysis it targeted jsc.exe, the JavaScript Compiler executable, which is a component of the Windows operating system responsible for compiling JavaScript code within .NET applications. After bypassing the security measures mentioned earlier, Agent Tesla spawns the chosen .NET process in a suspended state and replaces its memory content with its own malicious code using a method known as process hollowing. This technique conceals the malware's presence, making it significantly more challenging for traditional security tools to detect and remove. By embedding itself within a trusted process, Agent Tesla operates covertly, avoiding detection while continuing its malicious activities. Figure 8 shows FortiSandbox logging this behavior.

Figure 8. Process Injection into jsc.exe

 

 

In the final phase, Agent Tesla collects sensitive information from the victim's system, including saved credentials from browsers. Additionally, it can record keystrokes, capturing every action the victim takes. Figure 9 shows the behavior logged by FortiSandbox indicating the use of a keyboard hook. The SetWindowsHookEx function allows Agent Tesla to intercept and log keystrokes by capturing keyboard input, enabling it to monitor and record all user input on the infected system.

Figure 9. Using SetWindowsHookEx to record keystrokes

 

 

 

FortiSandbox is also capable of detecting behavior when malware attempts to access files containing browser login credentials or other sensitive data, as shown by the indicator generated in Figure 10.

Figure 10. Indicator for accessing files that store browser-related login credentials or other sensitive data

 

 

 

Table 1 lists the web browsers, email clients, VPNs, and instant messaging applications that Agent Tesla targets to steal their saved credentials. By extracting these credentials, Agent Tesla aims to gain unauthorized access to various accounts and services used by the victim.

Web Browsers: Opera Software, Yandex Browser, Iridium, Chromium, 7Star, Torch Browser, ChromePlus, Amigo, Brave Browser, Cent Browser, Chedot, Orbitum, Sputnik, Comodo Dragon, Vivaldi, Critio, 360 Browser, Uran, Liebao Browser, Elements Browser, Epic Privacy Browser, CocCoc Browser, Google Chrome, Microsoft Edge, UC Browser, QQ Browser

Email Clients: Outlook, Claw Mail, Fox Mail, Opera Mail, Poco Mail, eM Client, Eudora, The Bat!, Becky!, Windows Mail App, Thunderbird, IncrediMail

Virtual Private Networks: NordVPN, OpenVPN, Private Internet Access

Instant Messaging: Trillian

Table 1. List of Targeted Applications

 

In-Depth Analysis

 

To gain a deeper understanding of the malware's final-phase behavior, the sample was reverse engineered.

Agent Tesla uses WMI queries to obtain information from the compromised system, including IP address, processor details, operating system version, system name, and username, as illustrated in Figure 11.

Figure 11. Code snippet showing how the malware obtains system information

 

 

 

The stolen data is then transmitted back to the malware author via email using the SMTP protocol. Figure 12 shows the hardcoded email address, smith[.]patton2@yandex[.]com, embedded within the malware’s code. This setup guarantees that the compromised information is directed to the attacker’s email account, thereby facilitating the exfiltration of sensitive data from the victim’s system.

Figure 12. Code snippet highlighting the email address used to send data back to the attacker

 

 

 

 

Threat Mitigation 

  

FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via inline scanning and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats. 

  

 

MITRE ATT&CK 

 

Note: The indicators listed under Observed Activity for each MITRE technique are specific to the analyzed campaign and may change in future campaigns.

TA0001 – Initial Access

T1566.002
Technique description: The PDF document asks the user to download a file
Observed activity: The initial PDF document asks the user to download the malicious payload by interacting with the PDF

TA0004 – Privilege Escalation

T1055.009
Technique description: The file writes an executable to process memory
Observed activity: Agent Tesla injects its code into a .NET process to avoid being detected

TA0005 – Defense Evasion

T1562.001
Technique description: The file tried to disable/modify settings for Windows Defender
Observed activity: Modifies Windows Defender to exclude a specified file from being scanned by Windows Antivirus

T1112
Technique description: The registry of a system was modified to aid in execution of files
Observed activity: Disables User Account Control (UAC), preventing the system from prompting for elevation when applications require administrative permissions

TA0006 – Credential Access

T1555.003
Technique description: The file attempted to access files that store browser login credentials or other sensitive data
Observed activity: Agent Tesla searches the system directories of web browsers, VPNs, email clients and instant messaging software in an attempt to read sensitive data

TA0009 – Collection

T1056.001
Technique description: The file attempts to obtain or collect sensitive information
Observed activity: Uses the SetWindowsHookEx function to capture user input to obtain credentials or collect information

TA0011 – Command and Control

T1105
Technique description: Ingress Tool Transfer
Observed activity: Agent Tesla utilizes the SMTP protocol to exfiltrate stolen data back to the threat actor. In this instance, the data is sent to the email address smith[.]patton2@yandex[.]com, which is used to receive the exfiltrated information

IOC

Initial PDF document
Indicator: bf0f5b1b078683e07bae11bf9600ab00 (MD5 hash)
Indicator: f1d5925b4f651a7d09c7ce630c846ddc9350f9023ab46fb94490d0f99a4b9be7 (SHA256 hash)
Associated tactic: Installation
Notes: Phishing PDF
First observed: 2024-07-29

Executable disguised as a PDF document
Indicator: c66cd9de1680610c35ede1b429cf65ce (MD5 hash)
Indicator: f85e38a26729bcbb500d25250e7fa6674aee53737dcb3347bd077f066a78aef6 (SHA256 hash)
Associated tactic: Installation
Notes: Downloaded executable disguised as a PDF document
First observed: 2024-07-29

URL
Indicator: https://internationaluniforms[.]com/Picture%20Drawing%20Design%E2%80%AEf%E1%A0%8Ed%E1%A0%8Ep%E1%A0%8E[.]zip (URL)
Associated tactic: Remote Server
Notes: Remote server from which the malicious executable is downloaded
First observed: 2024-07-29

C2 Server
Indicator: smith[.]patton2@yandex[.]com (Email address)
Associated tactic: Remote Server
Notes: Email address to which the attacker sends the stolen data
First observed: 2024-07-29
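As an added example (not from the article or Fortinet), the following PowerShell sweep hashes every file under each local user's Downloads folder and matches it against the two file IOCs listed above by either MD5 or SHA256, and also flags the lure's file name. The Downloads location under C:\Users and the file-name prefix are this example's assumptions.

```powershell
# Added example, not from the article: sweep local users' Downloads folders for the two
# file IOCs above, matching on either MD5 or SHA256, plus the lure's file name.
$iocs = @{
    'bf0f5b1b078683e07bae11bf9600ab00'                                 = 'Initial PDF document (MD5)'
    'f1d5925b4f651a7d09c7ce630c846ddc9350f9023ab46fb94490d0f99a4b9be7' = 'Initial PDF document (SHA256)'
    'c66cd9de1680610c35ede1b429cf65ce'                                 = 'Executable disguised as PDF (MD5)'
    'f85e38a26729bcbb500d25250e7fa6674aee53737dcb3347bd077f066a78aef6' = 'Executable disguised as PDF (SHA256)'
}

# Assumption: default profile layout, one Downloads folder per user under C:\Users.
$roots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Downloads' } | Where-Object { Test-Path $_ }
if (-not $roots) { Write-Warning 'No Downloads folders found'; return }

$hits = foreach ($file in Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue) {
    $md5    = Get-FileHash -Path $file.FullName -Algorithm MD5    -ErrorAction SilentlyContinue
    $sha256 = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if (-not $md5 -or -not $sha256) { continue }   # locked or unreadable file
    foreach ($h in @($md5.Hash.ToLower(), $sha256.Hash.ToLower())) {
        if ($iocs.ContainsKey($h)) {
            [pscustomobject]@{ Path = $file.FullName; Hash = $h; Match = $iocs[$h] }
        }
    }
    # The lure was delivered as 'Picture Drawing Design...' (.zip, then .pdf); flag the name
    # too, so a modified copy with a different hash is still surfaced for review.
    if ($file.Name -like 'Picture Drawing Design*') {
        [pscustomobject]@{ Path = $file.FullName; Hash = $sha256.Hash.ToLower(); Match = 'File name matches the lure' }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { 'No IOC matches.' }
```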

 

 

 

This variant of Agent Tesla is detected by FortiGuard Antivirus as MSIL/GenKryptik.GZOT!tr (https://www.fortiguard.com/encyclopedia/virus/10185665) and MSIL/GenKryptik.GZQO!tr (https://www.fortiguard.com/encyclopedia/virus/10185987).