
Rewterz Threat Alert – Latest Agent Tesla Infection Chain

Severity

High

Analysis Summary

Researchers have analyzed the latest Agent Tesla malware, focusing on its newest infection chain, which uses a long and complex process to deliver the final payload. It starts with a phishing email carrying an RTF attachment. The RTF document contains embedded OLE objects, each of which contains an OOXML package. Each of these objects prompts the user to enable macros in order to execute the VBA code inside the OOXML package. The VBA code is so heavily obfuscated that automated malware analysis tools could not process it. Manual debugging shows that, in combination, the VBA code parts build a PowerShell blob. This PowerShell is also obfuscated to hinder analysis and has two purposes: bypassing AMSI and downloading a file. The downloaded file is an Agent Tesla executable. It first establishes persistence via a scheduled task, then disables Task Manager, and finally steals WiFi passwords and application credentials. These credentials are exfiltrated via SMTP using a hardcoded email address and password. The researchers note that a similar infection chain has been seen in the past, but it was previously distributing Lokibot.

[Figure: infection flow diagram]
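The delivery stage described above (an RTF carrying embedded OLE objects that wrap macro-bearing OOXML packages) can be triaged without opening the document in Word. The following Python script is an added example, not Rewterz's tooling or code from the campaign: it pulls each `\objdata` hex blob out of an RTF, decodes it, and reports whether the object contains an OLE compound-file header and whether a ZIP (OOXML) package with a `vbaProject.bin` member can be carved from it. The sample RTF, its OLE1-style wrapper bytes and the VBA stub are all constructed for the demo.

```python
"""Triage embedded objects in an RTF: flag ones wrapping an OOXML package that
carries a VBA project (the delivery pattern described in this alert).
Added example; not Rewterz's tooling. Sample input below is constructed."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file (CFB) header
ZIP_MAGIC = b"PK\x03\x04"                             # ZIP local file header (OOXML is a ZIP)

# {\*\objdata <hex...>} groups hold the embedded object as a hex dump that may be
# wrapped across lines; capture up to the closing brace of the group.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


@dataclass
class EmbeddedObject:
    index: int
    size: int                      # decoded byte length of the object
    ole_cfb: bool                  # decoded data contains a CFB header
    zip_members: List[str] = field(default_factory=list)

    @property
    def has_vba(self) -> bool:
        # An OOXML Word package stores its VBA project as word/vbaProject.bin
        return any(m.lower().endswith("vbaproject.bin") for m in self.zip_members)


def decode_objdata(hex_blob: bytes) -> bytes:
    """Strip whitespace from an \\objdata hex dump and decode it to raw bytes."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]     # tolerate a dangling nibble from a truncated dump
    return bytes.fromhex(cleaned.decode("ascii"))


def zip_members_in(blob: bytes) -> List[str]:
    """Carve from the first ZIP local header and list its members; [] if unreadable."""
    off = blob.find(ZIP_MAGIC)
    if off < 0:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(blob[off:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_rtf(rtf: bytes) -> List[EmbeddedObject]:
    """Return one record per \\objdata group found in the RTF bytes."""
    found = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        data = decode_objdata(m.group(1))
        found.append(EmbeddedObject(index=i, size=len(data),
                                    ole_cfb=OLE_CFB_MAGIC in data,
                                    zip_members=zip_members_in(data)))
    return found


def macro_object_indices(objects: List[EmbeddedObject]) -> List[int]:
    """Indices of embedded objects that ship a VBA project: the detection signal."""
    return [o.index for o in objects if o.has_vba]


def build_sample_rtf() -> bytes:
    """Constructed test input, not a real sample: object 0 wraps a macro-bearing
    OOXML package, object 1 is just a CFB header with padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed vba stub\x00")
    package = buf.getvalue()
    # Constructed stand-in for the OLE1 wrapper that precedes native data in \objdata.
    ole1_wrapper = b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(package).to_bytes(4, "little")
    obj0 = (ole1_wrapper + package).hex().encode()
    obj1 = (OLE_CFB_MAGIC + b"\x00" * 24).hex().encode()

    def group(hexdump: bytes) -> bytes:
        # RTF writers wrap the hex dump across lines; reproduce that here
        wrapped = b"\n".join(hexdump[i:i + 250] for i in range(0, len(hexdump), 250))
        return b"{\\object\\objemb{\\*\\objdata " + wrapped + b"}}"

    return b"{\\rtf1\\ansi " + group(obj0) + group(obj1) + b"}"


SAMPLE_RTF = build_sample_rtf()

if __name__ == "__main__":
    objects = scan_rtf(SAMPLE_RTF)
    for obj in objects:
        print(f"object {obj.index}: {obj.size} bytes, cfb={obj.ole_cfb}, "
              f"zip members={len(obj.zip_members)}, vba={obj.has_vba}")
    print("objects carrying VBA:", macro_object_indices(objects))
```

The carve assumes the package bytes are contiguous. Office often stores an embedded OOXML document as a compound file with a `Package` stream, where sector chaining can split the ZIP, so for production triage use a proper OLE1/CFB parser such as oletools' `rtfobj`. What the script shows is the signal worth keying on: an RTF, which should carry no active content of its own, shipping one or more embedded objects that each contain a VBA project.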

Impact

  • Credential theft
  • Information theft

Indicators of Compromise

SHA-256

  • 840a22c718e33120f6e47c310497148ca903912a46458fbf9f21edc8976074ce
  • 842ad0c1407a7c87c9f76a7a55d56f36dfef501495f56dbad4d28f04b807b63a
  • b0f8dd641769a080b640dbaa2666b5982344642335372ee4680fa5a6e771991d
  • ce212984a9ed60ef6015bfb2f930a0f501a2f6f373c9fa68af54fe8f68d4de9e
  • c03f438d814bd52be15b47743b44519263aaeded731dcfac7e9070628a41d70a
  • 20ae23fa54d2f997c50f85b9977899255822fbe200e17d933b430561adcd1e12
  • 859a9f0c613775907c2cda4d946159e7991ee6f9be430fe5658e95e7e5a0388b
  • a60c7244206b635d18c244028c1b1dc4c07da716e0ff78529692bc667f117195
  • 2bbc9c51a29557cf8934de723236bf2f5683391d3d57d7d86410221d30b53bd3
  • 3fe1d15c026ad8fa1c510ac3d4982f38be59e84cef34119fff0aad6fad35bc54
  • f11ee07c633a0ad6a88ec9cb3e798dda02d6459b5eb35eb00d403d8445b0c554
  • 402f2be1b65ae460898ccbf47a475430cc5c64c548228481ad062934f6a85aa2
  • eec9b14da6a2745f089361002429d13b044d66dedf944e951b39f9d243ae3df9
  • 786f2eaa675e1ee953a159eb4a4ccb734b1adf16ede28dd7b801df9a612a4167
  • fd26d992e3014118d345027e8a3c482519d75ef0fda12241d244e3a80abeda67
  • 2f9d34c9752df5565c79ed5d0dab3e4c48f5c3de22f54180388a90e3e0b30c9a
  • d8be93b858f4ddfe0f6dab717e269665a56d862b86781da908fafa31be2ec509
  • 518eb357618f85a419cdeba49b45f8a98441a6a2df1edebb2376cd0a0e98f56f
  • 256777b273432143492346edc89f678e386cb4569e8fd48645e28245977f5856
  • 6d0636869e65966bbb79fb58a0af016e9af41420978a43b5c2eb1ed462a24724
  • a114858d777f74faafadca52424a9fca33426dc5f3c4777453348e359115ac6d
  • bf36d5e468b5c654a47ebf07b4a0ef9e192307674960f7fdf22d6e3cb3e85177
  • 6189ddb04b9bbb45474ed48c6685d316c06458da3d9b430727ade08cc344f235
  • dc1b5e7c4aeb32c2370fc03983502639d31c2c4fdecdb12b6248351daa38129a
  • d7f2a3ec1aae489bc44b7819ce6f4e5029282b8f8d2064fccfe1804278c38d11
  • d6779d721788c2826a9cd43cb01c3279c8aaca4a3210c5331125c08a9be32557
  • 1a8ee2fcf777abbcc6d3eda5a52f5cdb2269cc8a6e7e339b01c04d47138bb702
  • a16cdca08584f03a1deaefa94393914bb317e80bd2a2b9f5da7c0b4355a1fddd
  • 52f2e17287a2f975d30fdda43b44c67b5f70a168ccf97696b7d95a962d46dd7a
  • 167760bf97f12f6ef1d66ca2db17a5a0ed2d594f86f3d8716c83e7d66d502f3e
  • 0d873ad2a42333ee77bb18bb92c920afe94fe3c108de28fc4bb89901eb12161c
  • 8ac06f7b667d0ae9fc2e0940efba2d580af0dab54825275b7f85cb5ac37c6f05
  • e5ade604474407fc742a5b99996b1aae86695493eb71d5fc2478fb78238a0799
  • c4d7f76ca3ccc9a7f8763e4688cc2660a1164674f14c86fd384153b5e2fa566f
  • b2c6e93875ed9728da141566603ad47a71a82d3867313744ceca367158c2b20c
  • 356c459692775dae1f20998c5d39f51a4b94ac01de509fa609844eee8adab19f

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.