FortiGuard Labs provides a technical breakdown of a multi-stage Agent Tesla campaign, from phishing and encrypted scripts to in-memory execution, process hollowing, and data exfiltration
Analysis Summary
# Tool/Technique: Agent Tesla
## Overview
Agent Tesla is a sophisticated, multi-stage Information Stealer (Infostealer) known for its persistence and ability to harvest sensitive data, including credentials, keylogging information, and system files. This specific campaign utilizes advanced techniques like in-memory execution and process hollowing for evasion.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Microsoft Windows
- Capabilities: Credential harvesting (web session cookies, password stores), keylogging, data collection, SMTP-based exfiltration.
- First Seen: (Not explicitly stated, but noted as a persistent threat)
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.001 - Spearphishing Attachment
* **TA0002 - Execution**
  * T1059 - Command and Scripting Interpreter
    * T1059.001 - PowerShell
    * T1059.007 - JavaScript
* **TA0005 - Defense Evasion**
  * T1055 - Process Injection
    * T1055.012 - Process Hollowing
  * T1497 - Virtualization/Sandbox Evasion
    * T1497.001 - Virtualization Checks
* **TA0006 - Credential Access**
  * T1539 - Data from Web Session Cookie
  * T1555.003 - Credentials from Password Stores
* **TA0009 - Collection**
  * T1005 - Data from Local System
* **TA0010 - Exfiltration**
  * T1048 - Exfiltration Over Alternative Protocol
    * T1048.003 - Email Protocol (SMTP)
## Functionality
### Core Capabilities
- Credential harvesting from web browsers and password stores.
- Keylogging capabilities (implied by impact description).
- Data collection from the local system.
- Exfiltration of stolen data via email protocols (SMTP).
### Advanced Features
- **Multi-Stage Delivery:** Utilizes a chain involving phishing emails, RAR archives, JScript loaders, and PowerShell scripts.
- **AES Decryption in Memory:** The intermediate PowerShell script uses a custom Invoke-AESDecryption function (AES-CBC with PKCS7 padding) to decrypt subsequent stages directly into memory, avoiding disk artifacts.
- **Process Hollowing:** Injects and executes the final .NET Agent Tesla payload into a legitimate, suspended Windows process (`Aspnet_compiler.exe`).
- **Anti-Analysis Checks:** Checks the system for virtualization software (VMware, VirtualBox, Hyper-V) and for DLLs belonging to common security tools and sandboxes (e.g., Avast, Sandboxie), and stops executing if an analysis environment is detected.
## Indicators of Compromise
- File Hashes:
  - SHA256: `Cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1` (PO0172.jse)
  - SHA256: `83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54` (First encrypted PS1)
  - SHA256: `30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278` (Stage 2 PS1)
  - SHA256: `B133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88` (Agent Tesla)
- File Names: `PO0172.rar`, `PO0172.jse`
- Registry Keys: (Not specified)
- Network Indicators:
  - Download URL: `hxxps://files[.]catbox[.]moe/2x0j75[.]ps1`
  - C2 Mail Server: `mail[.]taikei-rmc-co[.]biz`
- Behavioral Indicators: Process creation of `Aspnet_compiler.exe` followed by memory region changes indicative of code injection; execution of PowerShell or JScript from unusual parental processes or file locations.
## Associated Threat Actors
(Not explicitly named in the provided context. Agent Tesla is used by a wide range of threat actors, often ones with limited skill who rely on readily available malware kits.)
## Detection Methods
- Signature-based detection: Using SHA256 hashes of the initial stages and final payload.
- Behavioral detection: Monitoring for abnormal DLL loading patterns, memory allocation/write operations within legitimate processes post-suspension (indicative of Process Hollowing), and WMI queries related to virtualization identification.
- YARA rules: (Not specified, but rules could target the specific structure of the in-memory AES decryption routine or the discernible traits of the .NET loader).
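As an added example (not code from the FortiGuard report), the behavioral indicators above expressed as a small correlation over constructed process-creation events: a script host launching a `.jse` from a user-writable path, PowerShell spawned by that script host, and `Aspnet_compiler.exe` descending from PowerShell. The event shape, file paths and PIDs are assumptions made for the example.

```python
import re

# Constructed sample events in a Sysmon Event ID 1-like shape (illustrative values only).
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmd": "outlook.exe"},
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmd": "msbuild.exe"},
    {"pid": 200, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rar$DI\PO0172.jse"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    # Benign: the same binary started by MSBuild, which should not be flagged.
    {"pid": 500, "ppid": 50, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe -v /site"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r'\.(jse|js|vbs|vbe)"?(\s|$)')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
HOLLOW_HOST = "aspnet_compiler.exe"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (pid, reason) findings for the three stages of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # Stage 1: script host running a .jse/.vbs out of a user-writable directory
        if img in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and any(p in cmd for p in USER_WRITABLE):
            findings.append((e["pid"], "script host launched script from user-writable path"))
        # Stage 2: PowerShell started by the script host (JScript loader -> PS1 stages)
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
            findings.append((e["pid"], "powershell spawned by script host"))
        # Stage 3: the hollowing host with PowerShell anywhere in its ancestry
        if img == HOLLOW_HOST:
            chain, p = [], parent
            while p:
                chain.append(basename(p["image"]))
                p = by_pid.get(p["ppid"])
            if "powershell.exe" in chain:
                findings.append((e["pid"], "aspnet_compiler.exe descended from powershell.exe: " + " <- ".join(chain)))
    return findings

if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(pid, reason)
```

Feeding real Sysmon or EDR process events into `analyze` only needs the same four fields per event; the ancestry walk is what separates the hollowing host from its legitimate MSBuild-spawned use.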
## Mitigation Strategies
- **Email Security:** Implement advanced filtering to block suspicious archives (RAR) or obfuscated script files (.jse) in emails, especially those using business lures (e.g., "New purchase order").
- **Endpoint Protection:** Utilize EDR/XDR solutions capable of detecting in-memory fileless execution techniques like process hollowing and monitoring for suspicious memory modification on system processes.
- **Network Monitoring:** Employ security services (like FortiGuard IP Reputation) to proactively block connections to known malicious C2 infrastructure.
- **Content Disarm and Reconstruction (CDR):** Use CDR solutions on documents/attachments to neutralize embedded active code before user interaction.
## Related Tools/Techniques
- **JScript/VBScript Loaders:** Common use of JSE or VBS files to launch initial payloads.
- **PowerShell Empire/Cobalt Strike patterns:** The use of in-memory execution and process injection aligns with post-exploitation frameworks, although here the final payload is Agent Tesla rather than a post-exploitation framework.
- **Injectors:** Tools or scripts designed specifically for Process Hollowing.