AhnLab Security Emergency response Center (ASEC) has been publishing a summary of weekly malware statistics every week.
This post will cover how EDR is used to detect, track, and respond to AgentTesla, an Infostealer that continues to be distributed among the malware covered in those weekly posts.
AgentTesla is an Infostealer that steals user credentials saved in web browsers, emails, and FTP clients. AhnLab’s EDR products detect certain types of PE files accessing user account credential files and categorize this behavior as a threat.
AgentTesla’s behaviors can be tracked by viewing the diagram in the detailed information on an account credential theft behavior detection log.
Figure 3 shows that AgentTesla copies files to the %appdata% directory and adds them as exclusions so that Windows Defender does not detect them. The diagram also shows that they are registered in the Task Scheduler so that they keep being executed.
Afterward, it goes through recursive execution to steal user account credentials and other information saved to web browsers and sends the collected data over an SMTP port to the threat actor’s IP.
By taking measures such as removing auto-execution registration entries, deleting the created files, and adding a user-defined rule policy on affected PCs with the information above, internal propagation can be effectively prevented.
First, a user-defined rule must be created using the information procured above by following this path: EPP -> Policy -> EDR User-Defined Rules -> Add -> Add New tab.
The rule name must be easy to identify, and because this rule is built from information collected from malicious file samples, its severity must be set to High. Set the detection name and the diagnostic message to be shown in the threat entry, and select Behavior-based rule.
Afterward, set 22.214.171.124:587, the IP detected in Figure 4, as a dynamic network condition. Dynamic network connection conditions are triggered very frequently by normal processes, and using them without a static condition may cause performance issues, so it is recommended to add a static condition as well.
When this is saved, a rule that detects any connections made to AgentTesla’s C2 is created. To apply this rule to agents, a new EDR user-defined rule policy must be added.
User-defined rule policies can be added by following this route: EPP -> Policy -> Security Product Policy -> Add -> EDR Policy -> EDR User-defined Rule Policy.
Use the Add button on the Add User-defined Rule Policy screen to add the behavior-based rule created in Figure 7 above.
Once added, click Disable under Automatic Response to configure the automatic response to be performed when the rule conditions are met.
Apply this newly created policy to enable automatic blocking and responses when a connection to the same C2 is made from another PC.
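The following is an added illustration, not AhnLab EDR code, of how the behavior-based rule described above evaluates: the dynamic network condition (the C2 address 22.214.171.124:587 from Figure 4) is only checked for processes that already satisfy the static condition (image running from %APPDATA%, where AgentTesla copies itself). The telemetry record layout, field names, user paths and the benign IP are assumptions made for this example.

```python
"""Behaviour-based rule evaluator, an added illustration (not AhnLab EDR code).

It models this post's rule: the dynamic network condition (destination
22.214.171.124:587, the C2 address in Figure 4) combined with a static
condition (process image under %APPDATA%, where AgentTesla copies itself).
Telemetry record layout and field names are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

C2_IP = "22.214.171.124"   # C2 endpoint exactly as given in the post
C2_PORT = 587              # SMTP submission port used for exfiltration

@dataclass
class NetEvent:
    pid: int
    image_path: str  # full path of the process making the connection
    dst_ip: str
    dst_port: int

def matches_static_condition(ev: NetEvent, appdata_prefix: str) -> bool:
    """Static condition: the process image lives under %APPDATA%."""
    return ev.image_path.lower().startswith(appdata_prefix.lower())

def matches_dynamic_condition(ev: NetEvent) -> bool:
    """Dynamic network condition: outbound connection to the C2 IP and port."""
    return ev.dst_ip == C2_IP and ev.dst_port == C2_PORT

def evaluate_rule(events: List[NetEvent],
                  appdata_prefix: str = r"C:\Users\alice\AppData\Roaming") -> List[Dict]:
    """Return one threat entry per event that satisfies both conditions."""
    hits = []
    for ev in events:
        # Cheap static check first, so the frequent network condition is only
        # evaluated for the few processes that run from %APPDATA%.
        if matches_static_condition(ev, appdata_prefix) and matches_dynamic_condition(ev):
            hits.append({"pid": ev.pid, "image": ev.image_path, "severity": "High",
                         "detection": "AgentTesla C2 connection over SMTP"})
    return hits

# Constructed sample telemetry; the paths and the benign IP are made up.
SAMPLE_EVENTS = [
    NetEvent(4120, r"C:\Program Files\Mail\client.exe", "203.0.113.10", 587),          # normal mail traffic
    NetEvent(5332, r"C:\Users\alice\AppData\Roaming\update.exe", "203.0.113.10", 443),  # %APPDATA%, benign host
    NetEvent(5332, r"C:\Users\alice\AppData\Roaming\update.exe", C2_IP, C2_PORT),       # both conditions met
]
```

Only the third constructed event produces a threat entry: ordinary SMTP submission traffic from a program directory and benign traffic from an %APPDATA% process both fall through, which is the filtering effect the static condition is meant to provide.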
As seen above, EDR products can be used to track malware and respond to these threats to prevent further propagation.
More details about AhnLab EDR, which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis, can be found here on the AhnLab page.