Covid AgentTesla

With the world under threat of the COVID-19 aka corona virus, many cybercriminals are taking this opportunity to blend in the chaos. Here we have an email posing to have an order of masks. An important personal protection equipment that is on a very high demand as of this moment. 

Infection Chain Overview

RTF Attachment

• Once the file is opened, it will try to exploit a vulnerability in Microsoft Word to download and execute a file.
  • hxxp://bit.ly/2J9KXAM which resolves to hxxp://posqit.net/GE/5091203.jpg

5091203.jpg

• The downloaded .jpg file is actually a PE Executable file. It is a .NET file so we can use DnSpy to analyze its code. Once executed, it will decrypt a DLL file(DKaQso.dll) using AES from its resource and will load and execute it using Assembly.Load and InvokeMember methods.
• Resource section object named “AL” is the encrypted DKaQso.dll.
• Key and IV used to decrypt the file
• Execute “X” on DKaQso.dll

DKaQso.dll

• The DLL file contains another 3 files in its resource. The 2 image files contain 1 DLL file each.
  • 1.bmp -> LOL.dll which is embedded in an image.
  • SourceTIASK .bmp-> 26.dll. which is compressed and embedded in image.
  • IsConsoleEnabledsANCK -> AgentTesla binary payload which is compressed and encrypted.
  • 
• It uses the Bitmap Class to get the embedded DLL in the BMP file which is a form of Steganography.Here we have an image of a snippet code which gets the first pixel and get the color.B property.The byte is equal to “0x4D” which is equal to M, the start of the MZ header in PE files.It will perform a loop on each pixel and get the byte in the color.B property to form the the DLL file. In the case of 26.dll, once the file is taken out of the image, it will be decompressed.

LOL.dll

• Once loaded and executed, the files task is to create a persistence mechanism for the malware. It checks for files and folders related to Anti-Malware vendors and creates the necessary files for its persistence mechanism.
  • If the following files exist in the system, it will create .js file in the startup folder:
    • C:Program FilesAVAST SoftwareAvastavastUI.exe
    • C:Program Files (x86)AVAST SoftwareAvastavastUI.exe
    • C:Program FilesAVGAntivirusAVGUI.exe
    • C:Program Files (x86)AVGAntivirusAVGUI.exe
      Content of the .js file: var nPiCCaK = new ActiveXObject(“Shell.Application”); nPiCCaK.ShellExecute(“%MALWARE PATH%”, “”, “”, “Open”, “1”);
    • If the following folder exist in the system, it will create a shortcut link in the startup folder.
      • C:Program Files (x86)KasperSky Lab
      • FilesKasperSky Lab -> folder path contains the string
    • If windows Windows Defender exist in the system, it will create a registry entry that is linked to the malware executable path
      • “SOFTWAREMicrosoftWindowsCurrentVersionRun”

26.dll

• This DLL is responsible for injecting the payload on Regasm.exe.
• It checks for the following directory related to Anti-Malware vendors:
  • C:Program FilesAVAST Software
  • C:Program Files (x86)AVAST Software
• It also checks for the following strings related to Anti-Malware vendors:
  • BullGuard
  • a2guard
  • drweb
  • vssery
  • AVGUI
  • bdagent
  • odscanui
  • bdredline
• It also checks for Windows Defender

Payload

• The main payload of this infection chain is a variant of AgentTesla. The strings used by this malware is encrypted using AES.
• Using the info of its decryption routine,we can try and decrypt the strings it uses. Here we have the SMTP account and server it uses.