Infostealer Being Distributed via Spam Email (AgentTesla) – ASEC BLOG

MITRE Techniques

• [T1059.001] PowerShell – The BAT file decodes data, creates a DLL payload, and loads it into the PowerShell process. “The PowerShell commands decode (gzip, reverse) the data encoded within the BAT file, create a DLL payload, and load it into the PowerShell process.”
• [T1059.003] Windows Command Shell – The BAT file uses cmd.exe to run commands such as xcopy to copy itself. “the BAT file copies itself using the xcopy command when executed.”
• [T1027] Obfuscated/Compressed Files and Information – The BAT script is obfuscated to conceal its actions. “Figure 3 is the obfuscated BAT script file.”
• [T1055.001] DLL Injection – The loaded DLL executes the decoded shellcode within the PowerShell process to run AgentTesla in memory. “The loaded DLL executes the decoded shellcode, which, in turn, runs the AgentTesla malware in the memory.”
• [T1555.003] Credentials from Web Browsers – The final payload steals browser credentials (notably Edge) from multiple data stores. “The feature … is responsible for stealing account credentials from a specific browser (Edge). It collects account credential-related data through various paths…”
• [T1041] Exfiltration Over C2 Channel – Stolen data is transferred to an FTP server controlled by the threat actor. “transfers the collected data to an FTP server controlled by the threat actor.”