fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Phishing Campaign Uses PowerPoint Macros to Drop Agent Tesla

Phishing Campaign Uses PowerPoint Macros to Drop Agent Tesla

A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.

Agent Tesla is a .Net-based info-stealer that has been circulating the internet for many years but remains a threat in the hands of phishing actors.

In June 2021, we reported about the active distribution of Agent Tesla in DHL-themed phishing campaigns that relied on the atypical WIM file attachment.

In the most recent campaign, researchers at Fortinet explain that threat actors are targeting Korean users with emails that allegedly contain “order” details.

Also Read: Top 8 Main PDPA Obligations To Boost And Secure Your Business

Sample email spotted in recent Korea-targeting campaign
Sample email spotted in recent Korea-targeting campaign
Source: Fortinet

Because the attachment is a PowerPoint file, the chances of convincing the recipients they need to “enable content” on Microsoft Office to view it properly increase.

From VBA code to PowerShell

If opened, the file doesn’t present any slides but instead launches an auto-run VBA function that calls for the execution of a remote HTML resource at a remote site.

After the escaped VBScript code is executed, the actor can use a range of scripts, including PowerShell, to stealthily deliver Agent Tesla.

Executing HTML on an remote resource
Executing HTML on an remote resource
Source: Fortinet

Fortinet has spotted the following scripts and their role:

  • VBScript-embedded-in-HTML – upgrades the malware every two hours (if available) by adding a command-line command into Task Scheduler.
  • Standalone VBS file – downloads a new base64-encoded VBS file and adds it into the Startup folder for persistence.
  • Second standalone VBS – downloads Agent Tesla and crafts PowerShell code.
  • PowerShell code – executes to call a new function “ClassLibrary3.Class1.Run()” that performs process-hollowing, passing the Agent Tesla payload in memory.

The malware is injected into the legitimate Microsoft .NET RegAsm.exe executable via four Windows API functions. By injecting the file into RegAsm.exe, Agent Tesla can operate in the infected system file-less, so the chances of being detected drop significantly.

Also Read: 5 Tips In Using Assessment Tools To A Successful Businesses

Agent Tesla payload deployed in a process
Agent Tesla payload deployed in a process
Source: Fortinet

Targeting a range of products

Agent Tesla features a keylogger, a browser cookie and saved credentials stealer, a Clipboard data sniffer, and even a screenshot tool.

The attacker can choose which features to enable during the payload compilation, thus choosing between a balance of power and stealthiness.

In total, Agent Tesla can snatch data from over 70 applications, with the most popular ones listed below.

Chromium-based Web Browsers:
Epic Privacy, Uran, Chedot, Comodo Dragon, Chromium, Orbitum, Cool Novo, Sputnik, Coowon, Brave, Liebao Browser, Elements Browser, Sleipnir 6, Vivaldi, 360 Browser, Torch Browser, Yandex Browser, QIP Surf, Amigo, Kometa, Citrio, Opera Browser, CentBrowser, 7Star, Coccoc, and Iridium Browser

Web Browsers:
Chrome, Microsoft Edge, Firefox, Safari, IceCat, Waterfox, Tencent QQBrowser, Flock Browser, SeaMonkey, IceDragon, Falkon, UCBrowser, Cyberfox, K-Meleon, PaleMoon

VPN clients:
OpenVPN, NordVPN, RealVNC, TightVNC, UltraVNC, Private Internet Access VPN

FTP clients:
FileZilla, Cftp, WS_FTP, FTP Navigator, FlashFXP, SmartFTP, WinSCP 2, CoreFTP, FTPGetter

Email clients:
Outlook, Postbox, Thunderbird, Mailbird, eM Client, Claws-mail, Opera Mail, Foxmail, Qualcomm Eudora, IncrediMail, Pocomail, Becky! Internet Mail, The Bat!

Downloader/IM clients:
DownloadManager, jDownloader, Psi+, Trillian

Others:
MySQL and Microsoft Credentials

When it comes to exfiltrating the collected data, the malware offers four ways to do it, namely HTTP Post, FTP upload, SMTP, and Telegram.

Each packet sent carries a number that signifies its type, and there are seven kinds of packets as detailed below:

  • Packet “0”: It is always the first packet to tell the attacker that Agent Tesla has started. It only contains the “header” data.
  • Packet “1”: It is sent once every 120 seconds. It is like a heartbeat to tell the attacker that Agent Tesla is alive. It only contains the “header” data.
  • Packet “2”: It is sent every 60 seconds and only contains the “header” data. Agent Tesla reads the response and checks if it contains “uninstall”. If yes, it uninstalls Agent Tesla from the victim’s system, including deleting all files made by Agent Tesla and removing keys from registry that Agent Tesla created, and exits the process.
  • Packet “3”: It sends the victim’s keystrokes (keylogger data) and stolen clipboard data within the “data” part of the post.
  • Packet “4”: It sends captured screenshots of the victim’s screen within the “data” part of the post.
  • Packet “5”: It sends the credentials stolen from the software clients within the “data” part of the post.
  • Packet “6”: It sends cookies files in a ZIP archive that are collected from browsers and included within the “data” part of the post.
Packets exfiltrated by Agent Tesla
Packets exfiltrated by Agent Tesla
Source: Fortinet

How to protect yourself

Agent Tesla infections are very severe, but you can easily avoid them if unsolicited emails are deleted immediately upon reception.

PowerPoint documents should be treated with extreme caution, as VBA macros can be as dangerous as their Excel counterparts.

In summary, keep your Internet security shields up, your software up to date, your Microsoft Office macros disabled, and your curiosity in check.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us