Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis

By Splunk Threat Research Team November 16, 2022

Agent Tesla is a remote access trojan (RAT) written for the .NET framework that has knowingly been in operation since 2014. Threat actors behind this malware have leveraged many different methods to deliver their payload over time including macro enabled Word documents, Microsoft Office vulnerabilities, OLE objects and most recently, compiled HTML help files. Agent Tesla has been in the top 10 most submitted samples in known open malware source repositories in cyber security communities like Malware Bazaar and Any.run. It is a full-featured RAT with multiple ways to exfiltrate organization data through keylogging, screen captures, credential stealing and much more.

In this blog post, the Splunk Threat Research Team (STRT) describes the different tactics, techniques and procedures mapped to the ATT&CK framework leveraged by this remote access trojan. Additionally, we will highlight the detection analytics we released that can help cyber defenders in identifying signs of compromise.

Analysis

Identification of Samples

For this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT on August 31st to Malware Bazaar. This sample led us to the "ftp-boloni-ma" tag that compiles several samples of a campaign leveraging the Agent Tesla malware. Specifically, this campaign used a malicious compiled HTML (.CHM) file as a delivery method to drop and execute its first and second stages and load the remote access trojan.

High level flow of process execution for this sample is shown on Figure 1:

Figure 1.1 shows the list of hashes that have this tag.

Security teams that would like to understand how the execution of compiled HTML files looks like against their prevention or detection controls, we recommend having a look at the AtomicTestHarness for CHM and the Atomic Red Team technique T1218.001 built by the Red Canary team.

T1566.001 - Spear Phishing Attachment

This Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and gain an initial foothold on the victim endpoint. The file has an embedded and obfuscated JavaScript script that invokes PowerShell to download a second stage.

Figure 1.1 shows the .chm file loading upon execution.

Figure 1.2 shows the obfuscated and deobfuscated versions of the embedded Javascript code. Once executed, it will invoke PowerShell.exe to download extra content from the Internet using the System.Net WebClient class and the DownloadString method.

The Loader

T1059.001 - Command and Scripting Interpreter: PowerShell

The downloaded file, disguised as a text .txt file, is in reality a PowerShell script shown on Figure 2. This obfuscated second stage script is the one responsible for loading the actual Agent Tesla malware in memory.

The variable named $TzbW contains a string that when deobfuscated, implements the tMCfkSD function also shown on Figure 2. This function will in turn deobfuscate and decompress the array of bytes stored in the variable named $zmOo. This deobfuscated and decompressed version is the actual .NET assembly Agent Tesla malware that will be executed in memory using PowerShell reflection.

Figure 2 shows the main parts of this second stage component and the gzip decompression function.

Figure 2.1 shows a screenshot of a simple python script we wrote to deobfuscate the PowerShell function Agent Tesla's second stage uses to decompress and deobfuscate the binary stored in the $zmOo array byte variable. The python script can be found on Github agent_function_loader_deobfus.py

This loader will deobfuscate and load the Agent Tesla malware in memory stream using .NET Reflection. This part of its execution can be considered as fileless malware since it doesn't drop the AgentTesla malware on the disk but executes it in memory stream.

Figure 2.2 shows the python script we wrote to extract the actual AgentTesla malware binary. This python script will drop the Agent Tesla malware as agent_unpack.bin in the current working directory. The script can be found on Github agent_function_loader_deobfus2.py.

Agent Tesla Analysis

Packer/ Obfuscator

The Agent Tesla sample extracted in the second stage component is a .NET compiled binary obfuscated with the opensource Obfuscar .NET obfuscator. Using the DIE tool we can identify the obfuscation method and the compilation type of this file in Figure 3. Adversaries will pack or obfuscate their payloads in hope that it evades critical controls like mail gateways, sandboxes and anti-virus software.

Discovery - TA0007

T1033 - System Owner/User Discovery

On every check in to the command and control server (via the FTP, HTTP or SMTP protocols), this Agent Tesla sample parses and submites the user name, computer name, operating system version and total physical memory of the compromised endpoint.

^{Figure 4}

Execution - TA0002

T1204.002 - Malicious File

This particular Agent Tesla sample includes the ability to download a remote file from one of its C2 servers and save it to the hardcoded path "%temp%\LUU". The final step of the function will also execute the downloaded file. Unfortunately the URL was inaccessible as of writing.

Figure 4 shows the code snippet of how it captures the system information of the compromised machine as part of its C2 communication.

Persistence - TA0003

T1547.001 - Registry Run / Startup Folder

If enabled, Agent Tesla has two built in persistence mechanisms to be able to load itself upon boot. It is either by dropping a copy of itself in the %startup folder% or by adding registry run keys.

Figure 5.1 and Figure 5.2 shows a short code snippet how it can create Registry Run Keys and possible entry on startup folder for its persistence(T1547.001).

^{Figure 5.1}

^{Figure 5.2}

Credential Access - TA0006

Agent Tesla implements several techniques to collect sensitive information on the compromised endpoint.

T1555.003 - Credentials from Web Browsers

The first technique is parsing credentials or sensitive browser data. Agent Tesla includes a list of targeted browsers to parse the login credentials, browser cookies, browser profiles and grab browser .sqlite database files. Figure 6 shows a short code snippet of the function renamed as "mw_parsing_browser_db" that contains the list of browsers that Agent Tesla attempts to parse or copy the "cookies.sqlite" database file.

Below is a complete table list of targeted browsers.

Targeted Browsers (Browser Name, Browsers Target Directory)

"Firefox", "%APPDATA%\\Mozilla\\Firefox\\" "IceCat", "%APPDATA%\\Mozilla\\icecat\\" "PaleMoon", "%APPDATA%\\Moonchild Productions\\Pale Moon\\" "SeaMonkey", "%APPDATA%\\Mozilla\\SeaMonkey\\" "Flock", "%APPDATA%\\Flock\\Browser\\" "K-Meleon", "%APPDATA%\\K-Meleon\\" "Postbox", "%APPDATA%\\Postbox\\" "Thunderbird", "%APPDATA%\\Thunderbird\\" "IceDragon", "%APPDATA%\\Comodo\\IceDragon\\" "WaterFox", "%APPDATA%\\Waterfox\\" "BlackHawk", "%APPDATA%\\NETGATE Technologies\\BlackHawk\\" "CyberFox", "%APPDATA%\\8pecxstudios\\Cyberfox\\" "Opera Browser", "%APPDATA%\\Opera Software\\Opera Stable" "Yandex Browser", "%APPDATA%\\Yandex\\YandexBrowser\\User Data" "Iridium Browser", "%APPDATA%\\Iridium\\User Data" "Chromium", "%APPDATA%\\Chromium\\User Data" "7Star", "%APPDATA%\\7Star\\7Star\\User Data" "Torch Browser", "%APPDATA%\\Torch\\User Data" "Cool Novo", "%APPDATA%\\MapleStudio\\ChromePlus\\User Data" "Kometa", "%APPDATA%\\Kometa\\User Data" "Amigo", "%APPDATA%\\Amigo\\User Data" "Brave", "%APPDATA%\\BraveSoftware\\Brave-Browser\\User Data" "CentBrowser", "%APPDATA%\\CentBrowser\\User Data" "Chedot", "%APPDATA%\\Chedot\\User Data" "Orbitum", "%APPDATA%\\Orbitum\\User Data" "Sputnik", "%APPDATA%\\Sputnik\\Sputnik\\User Data" "Comodo Dragon", "%APPDATA%\\Comodo\\Dragon\\User Data" "Vivaldi", "%APPDATA%\\Vivaldi\\User Data" "Citrio", "%APPDATA%\\CatalinaGroup\\Citrio\\User Data" "360 Browser", "%APPDATA%\\360Chrome\\Chrome\\User Data" "Uran", "%APPDATA%\\uCozMedia\\Uran\\User Data" "Liebao Browser", "%APPDATA%\\liebao\\User Data" "Elements Browser", "%APPDATA%\\Elements Browser\\User Data" "Epic Privacy", "%APPDATA%\\Epic Privacy Browser\\User Data" "Coccoc", "%APPDATA%\\CocCoc\\Browser\\User Data" "Sleipnir 6", "%APPDATA%\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer" "Opera", "%APPDATA%\\Opera Software\\Opera Stable" "Comodo Dragon", "%APPDATA%\\"Comodo\\Dragon\\User Data" "Chrome", "%APPDATA%\\Google\\Chrome\\User Data" "Yandex", "%APPDATA%\\"Yandex\\YandexBrowser\\User Data" "SRWare Iron", "%APPDATA%\\"Chromium\\User Data" "Torch Browser", "%APPDATA%\\"Torch\\User Data" "Brave Browser", "%APPDATA%\\"BraveSoftware\\Brave-Browser\\User Data" "CoolNovo", "%APPDATA%\\"MapleStudio\\ChromePlus\\User Data" "7Star", "%APPDATA%\\"7Star\\7Star\\User Data" "Epic Privacy Browser", "%APPDATA%\\"Epic Privacy Browser\\User Data" "Amigo", "%APPDATA%\\"Amigo\\User Data" "CentBrowser", "%APPDATA%\\"CentBrowser\\User Data" "CocCoc", "%APPDATA%\\"CocCoc\\Browser\\User Data" "Chedot", "%APPDATA%\\"Chedot\\User Data" "Elements Browser", "%APPDATA%\\"Elements Browser\\User Data" "Kometa", "%APPDATA%\\"Kometa\\User Data" "Citrio", "%APPDATA%\\"CatalinaGroup\\Citrio\\User Data" "Coowon", "%APPDATA%\\"Coowon\\Coowon\\User Data" "Liebao Browser", "%APPDATA%\\"liebao\\User Data" "QIP Surf", "%APPDATA%\\"QIP Surf\\User Data" "QQ Browser", "%APPDATA%\\"Tencent\\QQBrowser\\User Data" "UC Browser", "%APPDATA%\\"UCBrowser\\" "Orbitum", "%APPDATA%\\"Orbitum\\User Data" "Sputnik", "%APPDATA%\\"Sputnik\\Sputnik\\User Data" "uCozMedia", "%APPDATA%\\"uCozMedia\\Uran\\User Data" "Vivaldi", "%APPDATA%\\"Vivaldi\\User Data" "QIP Surf", "%APPDATA%\\QIP Surf\\User Data" "Coowon", "%APPDATA%\\Coowon\\Coowon\\User Data"

T1555.005 - Password Managers

Aside from stealing browser secrets, it also attempts to steal passwords from commonly used applications like OpenVpn, FileZilla and Mailbird. It accomplishes this by reading registry entries, decrypting/decoding or parsing local databases or by reading configuration files. The table below is the list of the targeted applications that are related to this data collection.

OPEN VPN FLASHFXP WINSCP NORDVPN IE EDGE PALE MOON FTP CMDER ICECAT INCREDIMAIL PIA

CYBERFOX POC MAIL POSTBOX OUTLOOK FTP GETTER RimArts MAILBIRD FLOCK BROWSER OPERA QQBROWSER WS_FTP MS CREDENTIALS ManagerMULTI-VNC

THUNDERBIRD UC BROWSERS MYSQL WORKBENCH FALKON APPLE KEYCHAIN WATERFOX JDOWNLOADER DB SMARTFTP TRILLIAN COREFTPCLAWS MAIL

FILEZILLA AEROFOX BLACKHAWK EM CLIENT SEA MONKEY ICE DRAGON PSI DOWNLOADMGR K-MELEON FTP NAVI UBATMAILBIRD

T1056.001 - KeyLogging

This Agent Tesla sample is also capable of installing a Keylogger on the compromised host. It uses the SetWindowsHookEx Windows API to install a hook procedure that monitors low-level keyboard input events. Figure 7 shows the code snippet where it setup the windows hook procedure for keyboard events.

^{Figure 7}

Command And Control - TA0011

T1090.003 - TOR Proxy

Agent Tesla also uses TOR proxy for its HTTP requests. It tries to download a TOR application on a specific TOR website. Figure 8 shows its function that downloads the TOR browser that will be saved as "tor.zip" file in the%appdata% folder.

^{Figure 8}

Collection - TA0009

T1113 - Screen Capture

Figure 9 shows the code snippet of how Agent Tesla software captures the desktop screenshot of the compromised machine and it will be saved in the memory stream and later sent to its C2 server.

^{Figure 9}

Exfiltration - TA0010

T1041 - Exfiltration Over C2 Channel

During analysis of this Agent Tesla sample it was identified to have 3 ways to exfiltrate stolen sensitive information of the compromised host. The exfiltrated data may be either sent via FTP, SMTP and HTTP command and control server. Figure 10 shows the code snippet on how the agent will set up each method to exfiltrate data.

The remote C2 server was down during the analysis of this sample. STRT experimented with its SMTP communication to be able to see how the exfiltrated data looks like on the attacker side. We used a fake SMTP server by rnwood (smtp4dev) to forward all the exfiltrated data of this sample.

Attacker Perspective

Data Exfiltration

Figure 11 shows the email sent by the Agent Tesla to the fake SMTP server containing a .zip file attachment with the filename format "CO_/.zip".

This .zip file contains the collected browser data, which in our case is the cookie.sqlite file.

In addition, it includes the basic system information which is the UserName, ComputerName, OSFullName, CPU and RAM.

^{Figure 11}

Figure 12 shows the email sent by the Agent Tesla malware related to the desktop screenshots of the compromised machine. We can see that it has same format email body that contain system information, except that the format of the desktop screenshot .jpeg file is "SC_/.jpeg"

^{Figure 12}

Lastly Figure 13.1 (notepad++) and 13.2 (firefox) shows the email sent by this sample during our testing related to its keylogging feature. This malware checks if the log.tmp (keylog file) in %temp% exists; if not, it will directly send the keystroke that keylogs in its C2, in this case via SMTP.

Below shows the couple of keys typed by the user and the process related to that keystroke.

^{Figure 13.1}

^{Figure 13.2}

For this type of exfiltration the subject of the email has a format of "KL_/".

Detections

Below is the table list for detections that the STRT developed to identify possible Agent Tesla behavior and malicious .chm behavior.

Type	Name	Technique ID	Tactic	Description
TTP	Detect Html Help Spawn Child Process	T1218.001	Defense Evasion	The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process.
Anomaly	Excessive Usage Of Taskkill	T1562.001	Defense Evasion	This analytic identifies excessive usage of taskkill.exe application.
TTP	Executables Or Script Creation In Suspicious Path	T1036	Defense Evasion	This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows.
Anomaly	Non Chrome Process Accessing Chrome Default Dir	T1555.003	Credential Access	This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder.
Anomaly	Non Firefox Process Access Firefox Profile Dir	T1555.003	Credential Access	This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder.
TTP	Office Application Drop Executable	T1566.001	Initial Access	This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System.
TTP	Office Application Spawn Rundll32 Process	T1566.001	Initial Access	This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code.
TTP	Office Document Executing Macro Code	T1566.001	Initial Access	this detection was designed to identifies suspicious office documents that using macro code.
Hunting	Powershell Connect To Internet With Hidden Window	T1059	Execution	The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint.
TTP	Scheduled Task Deleted Or Created Via Cmd	T1053.005	Execution, Persistence, Privilege Escalation	The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line.
TTP	Suspicious Process File Path	T1543	Execution, Persistence, Privilege Escalation	The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software.
TTP	Detect Html Help Spawn Child Process	T1218.001	Defense Evasion	The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process.
TTP	Registry Keys Used For Persistence (mod)	T1546.012	Persistence, Privilege Escalation	This search looks for modifications to registry keys that can be used to elevate privileges.
Hunting	Windows Iso Lnk File Creation (mod)	T1566.001	Initial Access	The following analytic identifies the use of a delivered ISO file that has been mounted and the aforementioned lnk or file opened within it.
Hunting	Windows Phishing Recent Iso Exec Registry (mod)	T1566.001	Initial Access	The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system.
TTP	Powershell Loading Dotnet Into Memory Via Reflection (mod)	T1059.001	Execution	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
Hunting	Windows File Transfer Protocol In Non Common Process Path(new)	T1071.003	Command and Control	The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.
Anomaly	Windows Mail Protocol In Non Common Process Path (new)	T1071.003	Command and Control	The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.
Anomaly	Windows Multi Hop Proxy Tor Website Query (new)	T1071.003	Command and Control	The following analytic identifies a dns query to a known TOR proxy website.

Automate with SOAR Playbooks

All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can also be used in conjunction with some of the previously described analytics:

Playbook	Description
Internal Host SSH Investigate	Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity and network activity. This includes the process list, login history, cron jobs and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.
Internal Host WinRM Investigate	Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.
Delete Detected Files	This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question.

Why Should You Care?

With this article the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk customers to identify the Agent Tesla tactics, techniques and procedures. By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this type of threats.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras, Michael Haag, Mauricio Velazco and Lou Stella for their contributions to this post.