For a few days now, new waves of Agent Tesla have been landing in our mailboxes. I found one that uses two new “channels” to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices. I found a phishing sample that tries to hide behind a Canon EOS camera notification. It is not very well designed, but it is uncommon to see this. It started with a simple email:
Note the beautiful typo in the mail subject! (“Qoute”)
The malicious payload is delivered via the following path:
A ZIP archive is attached to the mail:
Photos and specification.zip (SHA256:0875804511b077f7e8b4d5f4dd11b61f2334b9b61da1018f6246739a348a6d19)
The archive contains an HTML file (Unicode):
photos and specification.html (SHA256:ab6b5faa826f5f503d9b9c8c5de0e3b0d65bf88812a9f7b83bf97901c39d6ebe)
Here is the page rendered in a browser:
The next-stage payload is hosted on a public OwnCloud account. OwnCloud is a very popular cloud storage solution: you can run your private cloud on-premises, but they also offer a hosted “cloud” solution with a free trial:
A file is shared via this trial account: “Photos and specification.cab” (SHA256:d6404503a8257ebf3d153e91d0b92c9ae8da7c710124781ae27e6a55c40b887f). It contains the final payload:
Photos and specification.exe (SHA256:5254a36f51199786127851940e49c50ffe04aafa091ba6518118125bd68a4c31) with a current VT score of 24/72. This is the Agent Tesla itself.
It copies itself into C:\Users\admin\AppData\Roaming and implements persistence via a scheduled task:
"C:\Windows\System32\schtasks.exe" /Create /TN "UpdatesPHIvtqf" /XML "C:\Users\user\AppData\Local\Temp\tmp6CEB.tmp"
The scheduled task configuration is also dumped on disk:
2014-10-25T14:27:44.8929027 SANDBOX\user true SANDBOX\user false SANDBOX\user InteractiveToken LeastPrivilege StopExisting false true false true false true false true true false false false PT0S 7 C:\Users\user\AppData\Roaming\PHIvtqf.exe
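The task definition above is the interesting artefact for hunting: the registered XML tells you where the binary lives, what fires it and how long it may run. The following script is an added example (not code from the diary) that audits such a Task Scheduler XML file and also pulls the task name and XML path out of a schtasks /Create command line. The sample XML is constructed: it is the values dumped above placed back into the standard Task Scheduler v1.2 schema, so the element names are my assumption, and the names audit_task, parse_schtasks_create and USER_WRITABLE are mine.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample for this example: the values the sandbox dumped for the task,
# placed back into the standard Task Scheduler schema. Element names are assumed from
# that schema; the diary shows only the values. Real task files on disk are UTF-16:
# read them as bytes and pass the bytes to audit_task(), ElementTree honours the BOM.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>SANDBOX\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>SANDBOX\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>SANDBOX\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\PHIvtqf.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# The schtasks command line from the diary, used here as sample input.
SAMPLE_SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "UpdatesPHIvtqf" /XML "C:\Users\user\AppData\Local\Temp\tmp6CEB.tmp"'

# Locations a standard user can write to; a legitimate scheduled task rarely runs from here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Windows\\Temp|Users\\Public)\\", re.I)


def audit_task(xml_data):
    """Return a list of human-readable findings for one Task Scheduler XML document."""
    root = ET.fromstring(xml_data)
    findings = []

    for command in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        exe = (command.text or "").strip().strip('"')
        if USER_WRITABLE.search(exe):
            findings.append(f"runs binary from user-writable location: {exe}")

    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon trigger: re-executes at every interactive logon")

    if root.findtext(".//t:Settings/t:ExecutionTimeLimit", default="", namespaces=NS) == "PT0S":
        findings.append("ExecutionTimeLimit PT0S: no runtime limit, a long-lived process is expected")

    if root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")

    return findings


def parse_schtasks_create(cmdline):
    """Pull the task name and XML path out of a 'schtasks /Create ... /XML ...' command line."""
    name = re.search(r'/TN\s+"?([^"\s]+)"?', cmdline, re.I)
    xml_path = re.search(r'/XML\s+"?([^"]+?)"?\s*$', cmdline, re.I)
    path = xml_path.group(1) if xml_path else None
    return {
        "task_name": name.group(1) if name else None,
        "xml_path": path,
        # Malware typically drops the XML into %TEMP% right before registering it.
        "xml_in_temp": bool(path and re.search(r"\\Temp\\", path, re.I)),
    }


if __name__ == "__main__":
    print(parse_schtasks_create(SAMPLE_SCHTASKS_CMD))
    for finding in audit_task(SAMPLE_TASK_XML):
        print("-", finding)
```

Run it over C:\Windows\System32\Tasks\* (each file is one task XML) on a suspect host, or over the schtasks command lines logged by Sysmon event ID 1, and the three findings for this sample (user-writable binary, logon trigger, no time limit) are exactly the combination that makes a task worth a look.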
You can detect hosts infected by Agent Tesla by checking for connections over TCP/587 (SMTP submission), which is usually permitted outbound where TCP/25 is blocked. In this case, it used the IP address 184.108.40.206 to exfiltrate data.
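The check is simple to express over flow or firewall logs: any internal host talking to a mail submission port on a server that is not your own relay deserves a look. The script below is an added example, not from the diary, and generalizes the point to all three mail ports (25, 465, 587) since a workstation should never reach any of them outside the corporate relay. The log lines are constructed, the internal networks and the approved relay 10.0.1.10 are assumptions, and the function name find_rogue_mail_senders is mine.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for this example (not from the diary):
# timestamp, source IP, destination IP, protocol, destination port.
SAMPLE_FLOWS = """\
2020-01-10T09:12:01Z 10.0.5.23 10.0.1.10 tcp 587
2020-01-10T09:12:44Z 10.0.5.23 184.108.40.206 tcp 587
2020-01-10T09:13:02Z 10.0.7.8 93.184.216.34 tcp 443
2020-01-10T09:15:10Z 10.0.5.23 184.108.40.206 tcp 587
2020-01-10T09:16:30Z 10.0.9.4 203.0.113.25 tcp 25
2020-01-10T09:17:05Z 10.0.9.4 10.0.1.10 udp 53
"""

# Assumptions for this example: the organisation's address space and its only
# legitimate mail relay. Anything else on a mail port is suspect.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_MAIL_SERVERS = {ipaddress.ip_address("10.0.1.10")}
MAIL_PORTS = {25, 465, 587}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_rogue_mail_senders(flow_text, approved=APPROVED_MAIL_SERVERS, ports=MAIL_PORTS):
    """Map each internal source IP to the (timestamp, destination, port) tuples where it
    contacted a mail port on a server that is neither the approved relay nor internal."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        dport = int(dport)
        if proto != "tcp" or dport not in ports:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in approved or is_internal(dst_ip):
            continue
        hits[src].append((ts, dst, dport))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_rogue_mail_senders(SAMPLE_FLOWS).items():
        print(host)
        for ts, dst, port in events:
            print(f"  {ts} -> {dst}:{port}")
```

On the sample data, 10.0.5.23 shows the Agent Tesla pattern (repeated TCP/587 to one external address) while its connection to the approved relay is ignored; 10.0.9.4 is flagged for direct TCP/25, which is a different problem (or a misconfigured server) but still worth a ticket.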
I also found other suspicious OwnCloud accounts:
Probably there are many more…
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.