AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed through an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. This blog post will provide an explanation of the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques.
Figure 1 shows the body of the spam email distributing the AgentTesla malware. It deceives recipients by mentioning in the subject line that the email was sent from an alternative email account and then encourages them to execute the malicious file (.BAT). As shown in Figure 2, the attached zip (compressed) file contains a batch script file (.BAT). The BAT file is a type of script file that is run by the Windows application cmd.exe when executed.
Figure 3 is the obfuscated BAT script file. As shown in the EDR detection screen in Figure 4, the BAT file copies itself using the xcopy command when executed. Additionally, it disguises a normal powershell.exe with a png extension and copies it.
Afterward, it executes PowerShell commands through powershell.exe (Lynfe.png) which has been disguised with a png extension. As depicted in Figure 5, the EDR detection screen displays the PowerShell process name as a process with the png extension (Lynfe.png), and it is this process that executes the PowerShell commands.
Figure 6 is the decoded PowerShell commands. The PowerShell commands decode (gzip, reverse) the data encoded within the BAT file, create a DLL payload, and load it into the PowerShell process. As shown in Figure 7, the loaded DLL executes the decoded shellcode, which, in turn, performs additional decoding routines and ultimately runs the AgentTesla malware in the memory.
Figure 8 shows the feature of the AgentTesla malware, which is ultimately executed by the PowerShell process (Lynfe.png). This feature is responsible for stealing account credentials from a specific browser (Edge). It collects account credential-related data through various paths in this manner, and Table 1 provides a glimpse of the collection paths for the stolen information.
A Portion of Collection Paths for Account Credential-related Data
“Elements Browser\User Data”
“Opera Software\Opera Stable”
“QIP Surf\User Data”
“Epic Privacy Browser\User Data”
“\Moonchild Productions\Pale Moon\”
Table 1. A portion of collection paths for account credential-related data
In Figure 9, which is the EDR detection screen for infostealing behavior, you can see that the PowerShell process disguised as a png file accessed the account credential within a browser.
After stealing information, AgentTesla, which is running within the PowerShell process (Lynfe.png), transfers the collected data to an FTP server controlled by the threat actor, as depicted in Figure 10.
Using EDR’s evidence data, we explained the infection flow of AgentTesla Infostealer that is being distributed through spam emails. The threat actor employed a sophisticated fileless technique that does not create an EXE file and cunningly disguised the distribution email by writing in the subject line that the email had been sent from an alternative email account. It is essential to exercise caution when opening attachments and ensure that there is no extension present that is capable of executing malware. Additionally, continuous monitoring using security products is crucial for detecting and controlling unauthorized access from threat actors.
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.