Fake Purchase Order Used to Deliver Agent Tesla

Thanks to Val Saengphaibul who helped contribute to this blog.

FortiGuard Labs Research

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Compromised machines are under the control of the threat actor
Severity Level: Medium

Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.

FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals. The e-mail contained a PowerPoint attachment that is in reality a sophisticated, multi-stage effort to deploy the Agent Tesla RAT (Remote Access Trojan).

What makes this campaign unique is the usage of PPAM, which is a file format that is not very common. A PPAM is a Microsoft PowerPoint add-in that gives developers extra functionality, such as extra commands, custom macros, and new tools. This blog will detail the infection process and subsequent malware deployment.

Examining the phishing e-mail

Like so many computer-based attacks, this one began as a phishing e-mail sent to an organization in Ukraine.

Figure 1. E-mail to the target recipient.

Spelling and grammar issues aside, like most good phishing campaigns this one provides a time sensitive statement urging the recipient to urgently review the attached order.

Looking deeper at the e-mail and where it came from, we can see some additional information in the headers.

Figure 2. E-mail headers showing the origin of the message.

Figure 2b. Parked page.

The e-mail originated at an address of 194[.]99[.]46[.]38 that corresponds to slot0.warongsoto.com. This is hosted on a run-of-the-mill VPS server. Visiting the server, we noticed that the site states that the server control panel is controlled by VESTA. Recent CVE data highlights that Vesta Control Panel is affected by remote command execution and elevation of privilege vulnerabilities that ultimately allow for full compromise of the system (CVE-2020-10786 and CVE-2020-10787).

The domain itself appears to be either abandoned or at least unused with no active content hosted. It was registered in the United States in October 2021.

The originating e-mail address does not appear to reference an actual individual and a search for other instances of this being used elsewhere came up empty.

Examining the dropper – stage 1

Phase 1

Dropping the final payload occurs in multiple phases, making this, in actuality, a very complex operation. As shown in Figure 1, attached to the e-mail is the file “order001.ppam”. This is an add-in file format used by Microsoft PowerPoint that, in this case, contains a malicious macro that acts as a dropper for Agent Tesla.

The first phase of stage 1 begins with opening the PPAM attachment to activate the macro contained within.

Figure 3. Visual Basic macro contained within “order001.ppam”.

Once the macro is executed, it will reach out to the URL shortener Bit.ly to download the next phase of the dropper. The address used is: hXXp://www[.]bitly[.]com/awnycnxbcxncbrpopor/

Phase 2

The call out to Bitly will be redirected to a location on MediaFire – a file hosting site (hXXp://download2261[.]mediafire[.]com/6lcqxbws032g/wctsdmx4dsh95xs/19.htm). As possibly inferred, this was a campaign and not simply directed at one recipient. There were multiple files made available over several days, as shown below in Figure 4.

Figure 4. MediaFire repository showing multiple other files from this campaign.

Each of the files is very similar (with minor tweaks) to the download location of the next step. Figure 5, below, shows 19.htm as it appears if downloaded directly. 

Figure 5. HTM file as it appears when downloaded.

If we arrange the file into a more readable format, we get a better sense of what it’s trying to do.

Figure 6. Key part of the HTM file.

As seen in Figure 6, the file attempts to taskkill several applications and services followed by adding a scheduled task into the Windows Task scheduler. The script then attempts to download and execute another file from MediaFire – hXXp://www[.]mediafire[.]com/file/otza6n31talvvle/19.dll.

Phase 3

While the file extension gives the impression of a Microsoft dynamic link library (.dll), 19.dll is in actuality a PowerShell script containing instructions in a large amount of hexadecimal data.

Figure 7. HTM file as it appears when downloaded.

Once executed, the hexadecimal data will be transformed into additional PowerShell commands that will run in memory. For example, new registry keys will be added to assist with persistence.

Figure 8. Added entries to the Windows Registry.

If captured and reviewed, the entries that stand out the most are two large, compressed byte arrays — $nona and $STRDYFUGIHUYTYRTESRDYUGIRI.

Figure 9. Large byte arrays.

As can be seen in Figure 9, the byte arrays are then decompressed for use. Once decompressed, these can be saved as executable Windows files. $nona is the larger of the two and is Agent Tesla. $STRDYFUGIHUYTYRTESRDYUGIRI will inject Agent Tesla into a running Windows process.

Renaming 19.dll to 19.ps1 allows it to be executed as a normal PowerShell script. With this particular sample, it will attempt to launch and then inject Agent Tesla into the aspnet_compiler.exe application.

Figure 10. On the left, the PowerShell script can be seen to be launching aspnet_compiler.exe

Examining the malware – stage 2

At its core, Agent Tesla is a keylogger and RAT (Remote Access Trojan). It will take any results captured from the keyboard and clipboard and send them back to its C2 (Command and Control) server. In this instance, once injected into the aspnet­_compiler.exe process Agent Tesla will be up and running. With entries in the registry it will have persistence to run even if the host machine is rebooted.

Figure 11. Agent Tesla running inside a debugger.

As can be seen in Figure 11, this variant is similar to one FortiGuard Labs has analyzed  previously.

From this point, it will run in the background and observe the user, recording their actions and sending them back to the threat actor.

Figure 12. Typical connection cycle to Agent Tesla’s C2.

Conclusion

Threat actors for the most part like to use lures that are tried and true, as was the case here with the invoicing phishing e-mail, because they continue to enjoy success. The dropper attached to the phishing e-mail shows the continuing evolution and complexity required to evade modern security controls combined with the need to traverse several gates to arrive at the release point for the final payload.

Once finally deployed to a system, the ability to obfuscate and hide inside everyday files and processes proves that Agent Tesla is a very capable and formidable threat. Unfortunately, this trend towards increasing sophistication is unlikely to abate any time soon.

Fortinet Protections

FortiMail’s integrated antivirus, sandbox, and content disarm and reconstruction (CDR) functions detect and disable this malicious attachment. The FortiGuard Antivirus service detects and blocks this threat as:

  • VBA/Agent.GBX!tr
  • JS/Agent.YHB!tr
  • PossibleThreat.PALLAS.H

The domain warongsoto.com is blocked by the Web Filtering client. 

IOCs

Sample SHA-256:

 

Fileless Tesla SHA256

F69B85F5763CEC5A5DA5CE1152038FFEEF7A2A75600003ADBFEB3DC87502C8A8

B409FF4CD1B8F18E80AFA98B3306440391FB5CBE294E6DA14E8146F63ECA2C6C

34EEEDAB0ABBEB1BAFFCCFDAEF74E54A7786F24BC5024B2F23A6F9385FEC9917

6449D03A519CAB4B7C4E19D53D57A16AE69B70D7DF6BE815BCB57DC7395AB991

E77DCCCB70AD61D50AC7E8C5DA1F79D5BC22B1F42A6651252EB449241BD6068B

C7840150DC084B1E0F6961EC61C39793BBED40FE17A7E24124DFE07F2C1A7B40

F4542569E3F54CBC93AB835567507242DDDCAE2A84743DA103332EEFF3501ABD

851CC3973B096C8DA88E1EDB568C17750D019CA7F2528B3DA933D33D7F306A46

C0C3A9CBDC769F3B86EAB40A9032769FE61E5E9B93CE7A93A0CC02EF43D4B9B5

256F7CC33E3E359427702FF79E59C5EEA73164CC74D96B6F24E6BE19B62500E7

445E6D6EBA924CC86005C107F329B248997AAC4149FBBD540A656FBA50A68C19

D321AF1AF7D8B0A19B87897938B23ADB57C9089B73F2C15E0E2747B0071D1715

822F2266CA284C5318E75C1286F7B4ED746E9289323B57462E227ED8D4D1AC8F

399B6B1AED4B62C165FE074DD9A43DEC0F0E1D5A50C89BFCA4A902CBFDBC17D5

6BCDC49281217C3D8A82ED29A6BC89154885B08954AC3F78FA11BB09BF34A109

1DF27F8D8B8572CB76D7275D7FE686C88F4297DA39095C1399B1E55459DFFDF6

49BF5F9D59C27291FCB0D9F0C593DCB00CA9705E5D294E9C55353BDEFBC37273

A155AB7DB6D22A44487D909BB040F5300B6E24283CDB7D7D902E7CE5CDD533BB

FD210DFB8C2F3B33FEEE191608EF58DD2816F08E9850DB734143115BA199690E

5F53A249455BB903C2C57A5CE23BFA6D069966034F74947A70037DEB1459DC88

AD3BE25985B1DFA0A72C7CE59365F2AE7142FB4B2A78B7905D10AEB13998DDD4

9783473EFECA3003D6A1B8DB8FE0E1A8AA291F170110D974C058806A25B4C419

B1043F48E99EF5B98F4987E1FFD3200CD6A32B3427BA2762310FDEA58934D95C

3E99AA348FAFFDF2D73867C47067EA17A96CA36E5329E30C3A37F45B4274D165

0ABBD4F17EC6DEDEFA188E39501B923286C56627ACB87FEC73271E459A383D0D

 

Filename

SHA256

Order001.ppam

DCA3AC723A130E56FB158C34C68E1C4B7D8577D0DBE9D8B859BFFF7ADA34D02E

Loader

4C0E2CB721585C480169B3804E17E2761BC5FE76584CF1375FCCDB33CA64D5A5

 

Network IOCs:

192[.]154[.]226[.]47

hxxps://www[.]mediafire[.]com/file/s2w0i5rhl9e4wje/1.dll

hxxps://www[.]mediafire[.]com/file/u8t0g2vyrvoyldp/10.dll

hxxps://www[.]mediafire[.]com/file/hheln09oi15b266/11.dll

hxxps://www[.]mediafire[.]com/file/mra2u90srnmymxl/12.dll

hxxps://www[.]mediafire[.]com/file/e7fmuc053m1vdz5/13.dll

hxxps://www[.]mediafire[.]com/file/l3xh5g98wf5l4gv/14.dll

hxxps://www[.]mediafire[.]com/file/5d7sd1qat59dtpy/15.dll

hxxps://www[.]mediafire[.]com/file/2tpkh278oypz794/16.dll

hxxps://www[.]mediafire[.]com/file/hjjo0rc7izwy4is/17.dll

hxxps://www[.]mediafire[.]com/file/wy0e3mn2xyaqdhd/18.dll

hxxps://www[.]mediafire[.]com/file/otza6n31talvvle/19.dll

hxxps://www[.]mediafire[.]com/file/dsgxrjtpbyyzm7u/2.dll

hxxps://www[.]mediafire[.]com/file/mf3pufkmdshddyq/20.dll

hxxps://www[.]mediafire[.]com/file/ijdnf0wqv4e5frr/21.dll

hxxps://www[.]mediafire[.]com/file/c9gt9xi3l9srlhi/22.dll

hxxps://www[.]mediafire[.]com/file/pqk7p5p1vvcv5s1/23.dll

hxxps://www[.]mediafire[.]com/file/mqbl43fcem1fndd/24.dll

hxxps://www[.]mediafire[.]com/file/xz0guzs3g004f0i/25.dll

hxxps://www[.]mediafire[.]com/file/qe4ece114vu4n0o/3.dll

hxxps://www[.]mediafire[.]com/file/wbh1kq3u82mcso6/4.dll

hxxps://www[.]mediafire[.]com/file/x0o4nlef7snbixu/5.dll

hxxps://www[.]mediafire[.]com/file/xrnlyn4pjcmcfyf/6.dll

hxxps://www[.]mediafire[.]com/file/qbzdrs7ulvvzfay/7.dll

hxxps://www[.]mediafire[.]com/file/9q41qxg988c3opx/8.dll

hxxps://www[.]mediafire[.]com/file/xxbskabqkber6oq/9.dll

 

Mitre TTPs

Resource Development

 

Stage Capabilities: Upload Malware

T1608.001

Initial Access

 

Phishing: Spearphishing Attachment

T1566.001

Execution

 

Command and Scripting Interpreter: PowerShell

T1059.001

User Execution: Malicious File

T1204.002

Persistence

 

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

 

Process Injection: Portable Executable Injection

T1055.002

Reflective Code Loading

T1620

Credentials Access

 

Credentials from Password Stores: Credentials from Web Browsers

T1555.003

Input Capture: Keylogging

T1056.001

Discovery

 

Account Discovery

T1087

Command and Control

 

Application Layer Protocol: Web Protocols

T1071.001

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

http://feeds.feedburner.com/fortinet/blog/threat-research

Leave a Reply