Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Agent Tesla. Show all posts

Hackers Deploy Agent Tesla Malware via Quantum Builder

A campaign promoting the long-standing.NET keylogger and remote access trojan (RAT) known as Agent Tesla uses a program that is available on the dark web that enables attackers to create harmful shortcuts for distributing malware. 

In the campaign that the experts observed, malicious hackers were using the developer to generate malicious LNK, HTA, and PowerShell payloads used to produce Agent Tesla on the targeted servers. The Quantum Builder also enables the creation of malicious HTA, ISO, and PowerShell payloads which are used to drop the next-stage malware. 

When compared to previous attacks, experts have found that this campaign has improved and shifted toward LNK, and Windows shortcut files. 

A spear-phishing email with a GZIP archive is swapped out for a ZIP file in a second round of the infection sequence, which also uses other obfuscation techniques to mask the harmful behavior. 

The shortcut to run PowerShell code that launches a remote HTML application (HTA) using MSHTA is the first step in the multi-stage attack chain. In turn, the HTA file decrypts and runs a different PowerShell loader script, which serves as a downloader for the Agent Tesla malware and runs it with administrative rights. 

Quantum Builder, which can be bought on the dark web for €189 a month, has recently witnessed an increase in its use, with threat actors utilizing it to disseminate various malware, including RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT. 

Malicious hackers often change their tactics and use spyware creators bought and sold on the black market for crimes. This Agent Tesla effort is the most recent in a series of assaults in which harmful payloads were created using Quantum Builder in cyber campaigns against numerous companies. 

It features advanced evasion strategies, and the developers frequently upgrade these techniques. To keep its clients safe, the Zscaler ThreatLabz team would continue to track these cyberattacks. 

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the.NET platform, that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been in the public since 2014 and is promoted for sale on dark web forums. 

In a recent attack, OriginLogger, a malware that was hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42.



Analysis on Agent Tesla's Successor

OriginLogger, a malware that has been hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the.NET platform, that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been in the public since 2014 and is promoted for sale on dark web forums. Typically, attackers send it as an attachment in harmful spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the common virus in February 2021, with the ability to steal login information from online browsers, email clients, and VPN clients as well as use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a developer code that enables a purchased client to specify the kind of data to be acquired, including screenshots, the clipboard, and the list of services and programs from which the keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than any OriginLogger domains directly. Turning to this domain reveals that it has MX and TXT entries for mail. originlogger[.]com in the DNS.

Around March 7, 2022, the disputed domain started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which used 46. 

OrionLogger uses both Google Chrome and Microsoft Outlook, both of which were utilized by Unit 42 to locate a GitHub profile with the username 0xfd3 that had two source code repositories for obtaining credentials from those two applications.

Similar to Agent Tesla, OrionLogger is distributed via a fake Word file that, when viewed, is utilized to portray an image of a German passport, a credit card, and several Excel Worksheets that are embedded in it.

The files essentially include a VBA macro that uses MSHTA to call a remote server's HTML page, which contains obfuscated JavaScript code that allows it to access two encoded binaries stored on Bitbucket.

Advertisements from threat actors claim that the malware employs time-tested techniques and can keylog, steal credentials, and screenshots, download additional payloads, post your data in a variety of ways, and try to escape detection.

A corpus analysis of over 1,900 samples reveals that using 181 different bots and SMTP, FTP, web uploads to the OrionLogger panel, and Telegram are the most popular exfiltration methods for returning data to the attacker. The goal of this investigation was to automate and retrieve keylogger configuration-related information.





INTERPOL Arrests Three Nigerians in Relation with a Global Scam 

 

Three Nigerian men were arrested and convicted as a result of an Interpol-led operation code-named Killer Bee. They were accused of using a remote access trojan (RAT) to reroute bank transactions and steal business credentials. Two possible accomplices were also apprehended. 

The trio, aged 31 to 38, was apprehended as part of an 11-country sting operation involving law enforcement agencies from Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, the Philippines, Singapore, Thailand, and Vietnam. 

Agent Tesla is a prominent "malware-as-a-service" Remote Access Trojan (RAT) tool used by malicious attackers to collect information like credentials, keystrokes, and clipboard data from the victims. It was initially identified in late 2014. 

Due to Agent Tesla's stability, flexibility, and functionality, which allows for the sampling of sensitive data and exfiltration from the victim, it is used by both cybercriminal groups and actors involved in espionage operations. 

While the authorities did not say how much money the hackers allegedly took, the companies targeted included oil and gas enterprises in Southeast Asia, the Middle East, and North Africa. As per INTERPOL arrested three Nigerians in relation with a global scam The other two men are still facing charges. As per Interpol, one of the scammers, Hendrix Omorume, was prosecuted and convicted of three counts of significant financial fraud and now risks a sentence of 12 months in prison. The other two men are still facing charges.

Interpol and the Nigerian Police Force, with the help of various cybersecurity firms (Group-IB, Palo Alto Networks Unit 42, and Trend Micro), identified a 37-year-old Nigerian man as one of the SilverTerrier cybercrime group's commanders last week.

"Cybercrime is growing at a rapid pace, with new trends continuously appearing," stated Abdulkarim Chukkol, Director of Operations at the EFCC. INTERPOL and the EFCC collaborate on operations like Killer Bee to keep up with emerging technologies, understand the opportunities they provide for criminals, and how they may be used to combat cybercrime.

XAMPP Hosts are Employed to Distribute Agent Tesla

 

RiskIQ's research team has evaluated the familiar fingerprints campaign in dangerous infrastructure from famous malware families. Their examination of Agent Tesla infrastructure leads them to discover the employment of web solution stack installations for XAMPP Web Server. They examine these identified campaigns using their Internet Intelligence Graph. 

The most recent investigation depicts a new insight into the ecosystem of Agent Tesla, the TTP its operatives utilize, and how RiskIQ users potentially can use the XAMPP web component to identify hosts that transmit malware and investigate other possibly harmful infrastructures. 

XAMPP is an open-source web server solution stack package produced by Apache Friends, composed primarily of Apache HTTP Server, MariaDB database, and script interpreters created in the PHP and Perl programming languages. XAMPP is a free server solution stack. As the majority of current web server operations employ the same components as XAMPP, it makes it feasible to move from a local test server to a live server. 

Neither the XAMPP is malevolent nor the hosts employing XAMPPA are always hostile. Everything which makes XAMPP useful for developers also provides an excellent tool for actors who threaten them and some malicious sites are using XAMPP to disseminate malware. 

The web component of XAMPP obtained by the Internet Intelligence Graph of RiskIQ demonstrates that there are numerous XAMPP Internet-faced servers despite developing XAMPP without an internet connection. 

For their March 2021 post about, Exploring Agent Tesla infrastructure, researchers first detected the use of XAMPP for malware propagation during the analysis of the Agent Tesla infrastructure. The Agent Tesla infrastructure, with the same MariaDB, Apache, and PHP Web service stack, was then detected – all with open SMBs sometimes with FTP or SMTP services. 

Agent Tesla is indeed a renowned "malware-as-a-service" RAT for stealing passwords, keystrokes, clipboard data as well as other important information. It is typically transmitted through phishing attempts since it initially surfaced around 2014 and was replicated several times. 

They could recognize hosts with this particular web service stack with the XAMPP web component of RiskIQ. Researchers would then detect malicious infrastructure and trends in that infrastructure using these hosts in conjunction with other data sources. 

An IP hosting Agent Tesla and a WBK file, a restorable file by Microsoft Word, are included within one instance. A link to the Hybrid Analysis Report in the related hashes list of the IP is provided for the file which initiates a GET request in a WBK file, and for another file to install a Tesla Agent file with a variety of commands and control (C2) domains. In many other instances, attackers' IPs utilized Agent Tesla, using a malicious XLSX document communicating with the IP to install the Agent Tesla file, which was subsequently renamed. Another IP attacker hosts harmful files and sends phishing emails to implant malware such as SnakeKeylogger or QuasarRAT. 

Evidence indicates that the attacker has installed XAMPP on hosts owned by the provider dynamic DNS[.]org that distributed the Tesla Agent. Other DDNS providers with preinstalled XAMPP stack malware packages have also been identified. 

The researchers state that “While we do not have confirmed malicious activity on this infrastructure, an illegitimate domain mimicking Microsoft Outlook was recently registered on July 23 and has linked to two PHP pages displaying what appears to be XAMPP notifications on settings not yet made.”