Jump to content

Phishing campaign uses PowerPoint macros to drop Agent Tesla

David H. Lipman

Recommended Posts

Phishing campaign uses PowerPoint macros to drop Agent Tesla


A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.

Agent Tesla is a .Net-based info-stealer that has been circulating the internet for many years but remains a threat in the hands of phishing actors.

In June 2021, we reported about the active distribution of Agent Tesla in DHL-themed phishing campaigns that relied on the atypical WIM file attachment.

In the most recent campaign, researchers at Fortinet explain that threat actors are targeting Korean users with emails that allegedly contain "order" details.

Sample email spotted in recent Korea-targeting campaignSample email spotted in recent Korea-targeting campaign
Source: Fortinet

Because the attachment is a PowerPoint file, the chances of convincing the recipients they need to "enable content" on Microsoft Office to view it properly increase.

From VBA code to PowerShell

If opened, the file doesn't present any slides but instead launches an auto-run VBA function that calls for the execution of a remote HTML resource at a remote site.

After the escaped VBScript code is executed, the actor can use a range of scripts, including PowerShell, to stealthily deliver Agent Tesla.

Executing HTML on an remote resourceExecuting HTML on an remote resource
Source: Fortinet

Fortinet has spotted the following scripts and their role:

  • VBScript-embedded-in-HTML – upgrades the malware every two hours (if available) by adding a command-line command into Task Scheduler.
  • Standalone VBS file – downloads a new base64-encoded VBS file and adds it into the Startup folder for persistence.
  • Second standalone VBS – downloads Agent Tesla and crafts PowerShell code.
  • PowerShell code – executes to call a new function "ClassLibrary3.Class1.Run()" that performs process-hollowing, passing the Agent Tesla payload in memory.

The malware is injected into the legitimate Microsoft .NET RegAsm.exe executable via four Windows API functions. By injecting the file into RegAsm.exe, Agent Tesla can operate in the infected system file-less, so the chances of being detected drop significantly.

Agent Tesla payload deployed in a processAgent Tesla payload deployed in a process
Source: Fortinet

Targeting a range of products

Agent Tesla features a keylogger, a browser cookie and saved credentials stealer, a Clipboard data sniffer, and even a screenshot tool.

The attacker can choose which features to enable during the payload compilation, thus choosing between a balance of power and stealthiness.

In total, Agent Tesla can snatch data from over 70 applications, with the most popular ones listed below.

Chromium-based Web Browsers:
Epic Privacy, Uran, Chedot, Comodo Dragon, Chromium, Orbitum, Cool Novo, Sputnik, Coowon, Brave, Liebao Browser, Elements Browser, Sleipnir 6, Vivaldi, 360 Browser, Torch Browser, Yandex Browser, QIP Surf, Amigo, Kometa, Citrio, Opera Browser, CentBrowser, 7Star, Coccoc, and Iridium Browser

Web Browsers:
Chrome, Microsoft Edge, Firefox, Safari, IceCat, Waterfox, Tencent QQBrowser, Flock Browser, SeaMonkey, IceDragon, Falkon, UCBrowser, Cyberfox, K-Meleon, PaleMoon

VPN clients:
OpenVPN, NordVPN, RealVNC, TightVNC, UltraVNC, Private Internet Access VPN

FTP clients:
FileZilla, Cftp, WS_FTP, FTP Navigator, FlashFXP, SmartFTP, WinSCP 2, CoreFTP, FTPGetter

Email clients:
Outlook, Postbox, Thunderbird, Mailbird, eM Client, Claws-mail, Opera Mail, Foxmail, Qualcomm Eudora, IncrediMail, Pocomail, Becky! Internet Mail, The Bat!

Downloader/IM clients:
DownloadManager, jDownloader, Psi+, Trillian

MySQL and Microsoft Credentials

When it comes to exfiltrating the collected data, the malware offers four ways to do it, namely HTTP Post, FTP upload, SMTP, and Telegram.

Each packet sent carries a number that signifies its type, and there are seven kinds of packets as detailed below:

  • Packet "0": It is always the first packet to tell the attacker that Agent Tesla has started. It only contains the "header" data.
  • Packet "1": It is sent once every 120 seconds. It is like a heartbeat to tell the attacker that Agent Tesla is alive. It only contains the "header" data.
  • Packet "2": It is sent every 60 seconds and only contains the "header" data. Agent Tesla reads the response and checks if it contains "uninstall". If yes, it uninstalls Agent Tesla from the victim's system, including deleting all files made by Agent Tesla and removing keys from registry that Agent Tesla created, and exits the process.
  • Packet "3": It sends the victim's keystrokes (keylogger data) and stolen clipboard data within the "data" part of the post.
  • Packet "4": It sends captured screenshots of the victim's screen within the "data" part of the post.
  • Packet "5": It sends the credentials stolen from the software clients within the "data" part of the post.
  • Packet "6": It sends cookies files in a ZIP archive that are collected from browsers and included within the "data" part of the post.
Packets exfiltrated by Agent TeslaPackets exfiltrated by Agent Tesla
Source: Fortinet

How to protect yourself

Agent Tesla infections are very severe, but you can easily avoid them if unsolicited emails are deleted immediately upon reception.

PowerPoint documents should be treated with extreme caution, as VBA macros can be as dangerous as their Excel counterparts.

In summary, keep your Internet security shields up, your software up to date, your Microsoft Office macros disabled, and your curiosity in check.


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.