The Spyware Is Part of an Ongoing Phishing Effort that Uses Microsoft PowerPoint Slides.
Last updated on June 9, 2022
Agent Tesla initially detected in late 2014, is a known spyware aimed at collecting sensitive data from a victim’s device, such as stored application credentials and keyboard inputs (keylogger).
Agent Tesla is a.Net-based information-stealer that has been roaming the internet for many years but continues to pose a hazard in the hands of phishing actors.
Spyware is a type of malware designed to collect and steal the victim’s sensitive information, without the victim’s knowledge. Trojans, adware, and system monitors and are different types of spyware. Spyware monitors and stores the victim’s Internet activity (keystrokes, browser history, etc.) and can also harvest usernames, passwords, financial information, and more. It can also send this confidential data to servers operated by cybercriminals, so it can be used in consequent cyber attacks.
A new form of the Agent Tesla virus has been discovered as part of an ongoing phishing effort that uses Microsoft PowerPoint slides loaded with malicious macro code.
Fortinet analysts note that in the most recent effort, threat actors are purportedly targeting Korean users with emails containing “order” data.
Because the attachment is a PowerPoint file, the odds of convincing the recipients that they need to “enable content” in Microsoft Office to fully see it improve.
When the file is accessed, it does not display any slides but instead begins an auto-run VBA code that requests the execution of a remote HTML resource at a remote site.
After executing the escaped VBScript code, the actor can utilize a variety of scripts, including PowerShell, to deploy Agent Tesla invisibly.
Fortinet has spotted the following scripts and their role:
VBScript-embedded-in-HTML – upgrades the malware every two hours (if available) by adding a command-line command into Task Scheduler.
Standalone VBS file – downloads a new base64-encoded VBS file and adds it into the Startup folder for persistence.
Second standalone VBS – downloads Agent Tesla and crafts PowerShell code.
PowerShell code – executes to call a new function “ClassLibrary3.Class1.Run()” that performs process-hollowing, passing the Agent Tesla payload in memory.
Through four Windows API methods, the virus is injected into the legal Microsoft.NET RegAsm.exe executable. Agent Tesla may run in the infected system fileless by injecting the file into RegAsm.exe, reducing the chances of detection dramatically.
Agent Tesla features a keylogger, a browser cookie and saved credentials stealer, a Clipboard data sniffer, and even a screenshot tool.
The attacker can choose which features to enable during the payload compilation, thus choosing between a balance of power and stealthiness.
As explained by BleepingComputer the researchers discovered that Agent Tesla can steal data from over 70 applications:
When it comes to data exfiltration, the virus has four options: HTTP Post, FTP upload, SMTP, and Telegram.
Each packet delivered has a number that denotes its kind, and there are seven different types of packets, as stated below:
Packet “0”: This is the initial packet that informs the attacker that Agent Tesla has begun. It simply carries “header” information.
Packet “1” is transmitted every 120 seconds. It functions similarly to a heartbeat in informing the attacker that Agent Tesla is still alive. It simply carries “header” information.
Packet “2”: It is sent every 60 seconds and only contains the “header” data. Agent Tesla reads the response and checks if it contains “uninstall”. If yes, it uninstalls Agent Tesla from the victim’s system, including deleting all files made by Agent Tesla and removing keys from the registry that Agent Tesla created, and exits the process.
Packet “3”: It sends the victim’s keystrokes (keylogger data) and stolen clipboard data within the “data” part of the post.
Packet “4”: It sends captured screenshots of the victim’s screen within the “data” part of the post.
Packet “5”: It sends the credentials stolen from the software clients within the “data” part of the post.
Packet “6”: It delivers cookies files, in the form of a ZIP archive, that is gathered from browsers and incorporated in the post’s “data” section.
For example, you may want to consider HeimdalTM Security’s Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.