AgentTesla Being Distributed via VBS – ASEC BLOG

AgentTesla is being distributed through malicious VBScript (VBS) files attached to emails. The obfuscated VBS is decoded in stages until it runs a PowerShell command that injects AgentTesla into a legitimate process. The campaign's delivery method has shifted from CHM help files to VBS attachments; the post gives sample filenames, indicators, and the email-based exfiltration workflow observed in the wild. #AgentTesla #VBScript #PowerShell #CasPol #AhnLab #ASECBlog

Keypoints

  • AgentTesla malware is being distributed via malicious VBScript (VBS) attachments in email messages, with evolving delivery methods.
  • The VBS payload is padded with numerous comments and dummy code, and the script itself is obfuscated to hide its intent.
  • The VBS code decodes to reveal a shellcode and a PowerShell command used to run the final payload.
  • The PowerShell sequence decodes and executes code that injects AgentTesla into CasPol.exe, a legitimate process, to avoid easy detection.
  • AgentTesla acts as an info-stealer, gathering PC information and exfiltrating it via email as a ZIP file.
  • Confirmed VBS filenames include doc_10049500220529464169750.pdf.vbs, doc_5246701207754814333490.vbs, and other variations such as LJUR900225565_pdf.vbs and 770140578183.CL.NoticeOfArrival.vbs.
  • Observed IOCs include MD5 hashes (e.g., 7fe2ed92d9306c8f0843cbb4a38f88e0) and example email addresses used in the flow ([email protected]; [email protected]).

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The VBS script is delivered as an email attachment, with impersonation of Korean corporations observed in some emails. “The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified.”
  • [T1059.005] Visual Basic – The distribution and execution are conducted via a VBScript (VBS) payload.
  • [T1027] Obfuscated/Compressed Files and Information – The script file contains multiple codes obfuscated multiple times. “The script file has multiple codes that have been obfuscated multiple times.”
  • [T1059.001] PowerShell – The decoded code includes a PowerShell command; the command is executed and obfuscated as shown. “The ‘O9’ variable contains a PowerShell command… and the executed command is obfuscated as shown below.”
  • [T1055] Process Injection – The final shellcode injects AgentTesla into CasPol.exe, a normal process. “The executed shellcode injects the AgentTesla malware into CasPol.exe, a normal process.”
  • [T1005] Data from Local System – AgentTesla collects PC information and compresses it for exfiltration. “AgentTesla is an info-stealer that collects user PC information, compresses it into CO_[username]/[PC name].zip and leaks it via email.”
  • [T1041] Exfiltration Over C2 Channel – Data is leaked via email as part of the exfiltration workflow. “leaks it via email.”

Indicators of Compromise

  • [File Hash] MD5 hashes observed for the VBS payloads – 7fe2ed92d9306c8f0843cbb4a38f88e0, b06081daa9bc002cd750efb65e1e932e
  • [Email Address] Sample send/receive addresses used in the flow – [email protected], [email protected]
  • [File Name] Confirmed VBS dropper filenames – doc_10049500220529464169750.pdf.vbs, doc_5246701207754814333490.vbs
  • [Registry Key] Registry value used during execution – HKCUSoftwareBasilicae17Vegetates
  • [Process] Target process for injection – CasPol.exe
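As an added example (this is my own detection sketch, not code from the ASEC post), the script below turns the keypoints and the IOC list above into two defender-side checks: an attachment triage function that flags `.vbs` attachments, double extensions such as `.pdf.vbs` / `_pdf.vbs`, and the filenames and MD5 hashes listed on this page; and a process-chain check that walks parent/child relationships looking for a script host (wscript/cscript) spawning PowerShell and PowerShell spawning CasPol.exe, the injection target named in the post. The telemetry line format (`pid= ppid= image= cmdline=`) and all event lines are constructed for illustration and are not a real log source.

```python
"""
Added example, not from the ASEC post: triage of VBS email attachments
against the page's IOCs, plus a parent/child process-chain check for the
wscript -> powershell -> CasPol.exe execution path the post describes.
The event format and every event line below are constructed.
"""
import re

# Indicators taken from the page
IOC_MD5 = {
    "7fe2ed92d9306c8f0843cbb4a38f88e0",
    "b06081daa9bc002cd750efb65e1e932e",
}
IOC_FILENAMES = {
    "doc_10049500220529464169750.pdf.vbs",
    "doc_5246701207754814333490.vbs",
    "LJUR900225565_pdf.vbs",
    "770140578183.CL.NoticeOfArrival.vbs",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A document-like extension glued to .vbs with '.' or '_' (e.g. ".pdf.vbs", "_pdf.vbs")
DOUBLE_EXT = re.compile(r"[._](pdf|docx?|xlsx?|jpe?g|png)\.vbs$", re.IGNORECASE)

# Constructed telemetry format (hypothetical, not a real product's schema)
EVENT_RE = re.compile(r'pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)(?:\s+cmdline="([^"]*)")?')

CONSTRUCTED_EVENTS = [
    "2024-01-01T10:00:00Z pid=100 ppid=1 image=explorer.exe",
    "2024-01-01T10:00:01Z pid=200 ppid=100 image=outlook.exe",
    '2024-01-01T10:00:05Z pid=300 ppid=200 image=wscript.exe cmdline="wscript.exe doc_10049500220529464169750.pdf.vbs"',
    '2024-01-01T10:00:06Z pid=400 ppid=300 image=powershell.exe cmdline="powershell -w hidden -enc <omitted>"',
    "2024-01-01T10:00:08Z pid=500 ppid=400 image=CasPol.exe",
    '2024-01-01T10:05:00Z pid=600 ppid=100 image=powershell.exe cmdline="powershell Get-Process"',
]


def attachment_findings(filename, md5=None):
    """Return the list of reasons an email attachment deserves a closer look."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".vbs"):
        findings.append("vbs attachment")
    if DOUBLE_EXT.search(lower):
        findings.append("double extension")
    if filename in IOC_FILENAMES:
        findings.append("known filename")
    if md5 and md5.lower() in IOC_MD5:
        findings.append("known md5")
    return findings


def parse_events(lines):
    """Build pid -> {ppid, image, cmdline} from the constructed event lines."""
    procs = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # ignore lines that are not process-creation events
        pid, ppid, image, cmdline = m.groups()
        procs[int(pid)] = {"ppid": int(ppid), "image": image.lower(), "cmdline": cmdline or ""}
    return procs


def ancestry(procs, pid, limit=8):
    """Image names from pid upward (pid first), bounded to avoid loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def process_chain_alerts(lines):
    """Flag PowerShell under a script host, and CasPol.exe under that chain."""
    procs = parse_events(lines)
    alerts = []
    for pid, p in procs.items():
        chain = ancestry(procs, pid)
        parent = chain[1] if len(chain) > 1 else None
        if p["image"] == "powershell.exe" and parent in SCRIPT_HOSTS:
            alerts.append((pid, "powershell spawned by script host", " <- ".join(chain)))
        if p["image"] == "caspol.exe" and "powershell.exe" in chain[1:] and any(h in chain for h in SCRIPT_HOSTS):
            alerts.append((pid, "CasPol.exe under script host -> PowerShell", " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    print(attachment_findings("doc_10049500220529464169750.pdf.vbs", "7fe2ed92d9306c8f0843cbb4a38f88e0"))
    for alert in process_chain_alerts(CONSTRUCTED_EVENTS):
        print(alert)
```

The chain check deliberately keys on relationships rather than on the hashes alone: the post notes the VBS varies per sample, so the wscript-to-PowerShell-to-CasPol.exe lineage is the more durable signal, while the hash and filename matches catch the specific samples the page lists.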

Read more: https://asec.ahnlab.com/en/40890/