General recommendations.
- Enforce robust policies and make sure they are aligned across all channels. For example, should you choose to block.
- Remember that CDRs and its likes cannot provide proper detection for most collaboration channels. Striping out “active content” is irrelevant for exe files which should be examined without any tampering of the file or URL.
- Strive to scan all content dynamically. Static engines are limited in their capabilities to find unseen-before attacks.
Perception Point is perfectly poised to intercept these attacks. Our 360-degree threat prevention services allow us to protect any collaboration channel – email, cloud storage, CRM app, or even your in-house built app – and prevent any content-based attack.
Malware Campaign 1: Agent Tesla.
OVERVIEW.
The malware is sold as an attack kit on the internet and is aimed at stealing personal information such passwords from web browsers, mail clients and FTP software. It can be extended with modules that take screenshots, open the webcam and evade detection from AV software.
ANALYSIS.
The software is written in .net and on initial execution does nothing for 60 seconds, this is most probably to evade sandboxes that dynamically detonate the file. Then it tries to steal as many passwords and configuration files from installed software on the host system. The stolen information is then transmitted to a C2 server on port 567, probably to appear as legitimate SMPT traffic.
Behavior IOCs are in the appendix A.
IOCS.
- Filename: IMF-Pandemic Relief and unemployment compensation Form.exe
- sha256: 7969aa0b9f3d1dcb4c76e7e6746fdb38ec4f21caf9c9d63abd6d9870ab73ec6a
- sha1: e7311c0c34ce97b57336a249d792f20ef97cfc6e
- md5: ae0a9ad851282453a057c185c7982e81
DNS REQUESTS.
- Domain: smtp.maizinternational.com
CONNECTIONS.
- IP: 208.91.199.224
Malware Campaign 2: Tesla Agent.
OVERVIEW.
This variant is very similar to the previous one except it doesn’t perform the initial delayed execution but instead tries to avoid detection in a different manner, by using a code injection technique known as Process Hollowing. The file is shared in relations to “delay in the shipment due to the Coronavirus disease”.
It executes the binary C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe and injects its malicious code into it. This method tries to fool AV software because the executable belongs to Microsoft, however what actually executes in the memory is Agent Tesla.
The behavior is similar to the Behavior IOCs as the previous campaign in this report and can be found in Appendix A.
IOCS.
- Filename: Shipping Documents.exe
- sha256: c2e306da97bee475cbff69fe2f83bf810afca62a7e56791c06455b0e43f4cec5
- sha1: 40ee4672cad326b7b5b93159d9a243c0d92fe01f
- md5: b0b7448e08fa1622bc39f09b0e17b82e
DNS REQUESTS.
- Domain: mail.elkat.com.my
CONNECTIONS.
- IP: 110.4.45.37
Appendix A: Behavior IOCs.
FILES ACCESSED DURING RUNTIME.
C:\%insfolder%\%insname%
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Administrator\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Administrator\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Administrator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Administrator\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Administrator\AppData\Local\Iridium\User Data
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data
C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Administrator\AppData\Local\Torch\User Data
C:\Users\Administrator\AppData\Local\7Star\7Star\User Data
C:\Users\Administrator\AppData\Local\Amigo\User Data
C:\Users\Administrator\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Administrator\AppData\Local\CentBrowser\User Data
C:\Users\Administrator\AppData\Local\Chedot\User Data
C:\Users\Administrator\AppData\Local\CocCoc\Browser\User Data
C:\Users\Administrator\AppData\Local\Elements Browser\User Data
C:\Users\Administrator\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Administrator\AppData\Local\Kometa\User Data
C:\Users\Administrator\AppData\Local\Orbitum\User Data
C:\Users\Administrator\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Administrator\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Administrator\AppData\Local\Vivaldi\User Data
C:\Users\Administrator\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Administrator\AppData\Local\liebao\User Data
C:\Users\Administrator\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Administrator\AppData\Local\QIP Surf\User Data
C:\Users\Administrator\AppData\Local\Coowon\Coowon\User Data
C:\Users\Administrator\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Administrator\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Administrator\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Administrator\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Administrator\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Administrator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Administrator\AppData\Roaming\Pocomail\accounts.ini
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Users\Administrator\AppData\Roaming\Postbox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Postbox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Administrator\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Administrator\AppData\Roaming\Psi\profiles
C:\Users\Administrator\AppData\Roaming\Psi+\profiles
C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\Administrator\AppData\Roaming\CoreFTP\sites.idx
C:\FTP Navigator\Ftplist.txt
C:\ProgramData\APPDATA\ROAMING\FLASHFXP\3QUICK.DAT
C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\cftp\Ftplist.txt
C:\Users\Administrator\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files\jDownloader\config\database.script
REGISTRY KEYS ACCESSED DURING RUNTIME.
HKCU\Software\Aerofox\FoxmailPreview
HKCU\Software\Aerofox\Foxmail\V3.1
HKCU\Software\IncrediMail\Identities
HKCU\Software\Qualcomm\Eudora\CommandLine
HKCU\Software\RimArts\B2\Settings
HKCU\Software\OpenVPN-GUI\configs
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKCU\Software\DownloadManager\Passwords