FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-based execution, and deploys Agent Tesla with persistence and data-stealing capabilities. hashtags: #AgentTesla #FortiGuardLabs
Key Points
- The phishing email imitates an urgent purchase-order notification and includes a PowerPoint PPAM attachment that contains a malicious macro dropper.
- The attachment order001.ppam activates a multi-stage dropper that fetches the next payload via a Bit.ly URL and redirects to a MediaFire hosting page.
- Phase 2 distributes multiple files over several days; the campaign uses HTM/PowerShell code to execute the final payload.
- The final payload delivers Agent Tesla, a keylogger/RAT, with in-memory execution and persistence via registry entries and scheduled tasks.
- Agent Tesla is injected into a running process (aspnet_compiler.exe) and then communicates with its C2 server over web protocols while exfiltrating keystrokes and other data.
- Fortinet protections block the malicious attachment and the involved domain warongsoto.com; the published IOCs include numerous SHA-256 hashes, Bitly/MediaFire URLs, and a dedicated IP address.
- The campaign demonstrates evolving evasion techniques, multi-stage delivery, and in-memory execution designed to bypass defenses.
MITRE Techniques
- [T1608.001] Stage Capabilities: Upload Malware – The actor staged malware on third-party file hosting as part of resource development. “Stage Capabilities: Upload Malware”
- [T1566.001] Phishing: Spearphishing Attachment – The phishing email attached a PPAM file that contains a malicious macro. “attached to the e-mail is the file ‘order001.ppam’.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – The final stages rely on PowerShell-based execution. “PowerShell” and related hex-encoded instructions run in memory.
- [T1204.002] User Execution: Malicious File – Opening the PPAM attachment activates the macro dropper. “opening the PPAM attachment to activate the macro contained within.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry keys is described. “new registry keys will be added to assist with persistence.”
- [T1055.002] Process Injection: Portable Executable Injection – Agent Tesla is injected into the aspnet_compiler.exe process. “inject Agent Tesla into the aspnet_compiler.exe application.”
- [T1620] Reflective Code Loading – Code is loaded and executed in memory via decoded/expanded data. “will run in memory.”
- [T1555.003] Credentials from Web Browsers – The MITRE mapping includes credential access from browsers. “Credentials from Web Browsers”
- [T1056.001] Input Capture: Keylogging – Agent Tesla captures keystrokes/clipboard data. “Input Capture: Keylogging”
- [T1087] Account Discovery – Discovery activities mapped under Account Discovery, though explicit narrative is not detailed in the article. “Account Discovery”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications use web-based protocols. “Application Layer Protocol: Web Protocols”
Indicators of Compromise
- [SHA256] DLL/PS1 hashes – 27C7F5F2A21298C66A8EEF11DF73BFB1E9EEF7B84974CEF9AF695A7E216EFA21, F86FDC385BA4467FD27093DFB6A642C705199AC3307D24096D7150FB6A80E8FD
- [SHA256] Fileless Tesla hashes – F69B85F5763CEC5A5DA5CE1152038FFEEF7A2A75600003ADBFEB3DC87502C8A8, B409FF4CD1B8F18E80AFA98B3306440391FB5CBE294E6DA14E8146F63ECA2C6C
- [Filename] Order001.ppam – DCA3AC723A130E56FB158C34C68E1C4B7D8577D0DBE9D8B859BFFF7ADA34D02E
- [Filename] Loader – 4C0E2CB721585C480169B3804E17E2761BC5FE76584CF1375FCCDB33CA64D5A5
- [IP] 192.154.226.47 – Origin IP associated with the phishing infrastructure
- [URL] hxxps://www.mediafire.com/file/otza6n31talvvle/19.dll (one of the 15.dll–25.dll variants listed in the campaign)
- [URL] hxxps://www.mediafire.com/file/dsgxrjtpbyyzm7u/2.dll
- [Domain] warongsoto.com – Parked/blocked domain used in the campaign
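As an added defender-side example (not code from the Fortinet write-up or from FortiGuard Labs), the Python script below turns the key points and the IOC list above into triage logic: it refangs the published indicators, matches hashes, the IP address and the MediaFire URLs against endpoint telemetry, and flags the behavioural chain the key points describe (an Office application spawning PowerShell, PowerShell launching aspnet_compiler.exe, and aspnet_compiler.exe making outbound connections). The key=value log format, the sample events, the process names in OFFICE_APPS and SCRIPT_HOSTS, and the assumption that PowerShell is the direct parent of the injection host are constructed for illustration; the hashes, IP and URLs are the ones listed on this page.

```python
import re
from typing import Dict, List

# Indicators copied from the IOC list above, lower-cased for matching.
KNOWN_SHA256 = {
    "dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e",  # Order001.ppam
    "4c0e2cb721585c480169b3804e17e2761bc5fe76584cf1375fccdb33ca64d5a5",  # loader
    "27c7f5f2a21298c66a8eef11df73bfb1e9eef7b84974cef9af695a7e216efa21",  # DLL/PS1
    "f86fdc385ba4467fd27093dfb6a642c705199ac3307d24096d7150fb6a80e8fd",  # DLL/PS1
    "f69b85f5763cec5a5da5ce1152038ffeef7a2a75600003adbfeb3dc87502c8a8",  # fileless Tesla
    "b409ff4cd1b8f18e80afa98b3306440391fb5cbe294e6da14e8146f63eca2c6c",  # fileless Tesla
}
KNOWN_IPS = {"192.154.226.47"}
KNOWN_URLS = {  # published defanged; compared after refang()
    "hxxps://www.mediafire.com/file/otza6n31talvvle/19.dll",
    "hxxps://www.mediafire.com/file/dsgxrjtpbyyzm7u/2.dll",
}
# Behavioural rules derived from the key points: the PPAM macro leads to PowerShell,
# PowerShell launches aspnet_compiler.exe as the injection host, and that host then
# talks to the C2. The process-name sets below are assumptions for illustration.
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
INJECTION_HOST = "aspnet_compiler.exe"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its literal form."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.IGNORECASE)


REFANGED_URLS = {refang(u) for u in KNOWN_URLS}


def parse_event(line: str) -> Dict[str, str]:
    """Parse a whitespace-separated key=value telemetry line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the findings for one event (empty list when nothing matched)."""
    findings: List[str] = []
    image = basename(event.get("image", ""))
    if event.get("type") == "process":
        parent = basename(event.get("parent", ""))
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings.append(f"office app {parent} spawned script host {image}")
        if image == INJECTION_HOST and parent in SCRIPT_HOSTS:
            findings.append(f"{INJECTION_HOST} spawned by script host {parent}")
    elif event.get("type") == "network":
        dst = event.get("dst", "")
        if image == INJECTION_HOST:  # a build tool has no business talking outbound
            findings.append(f"{INJECTION_HOST} made an outbound connection to {dst}")
        if dst in KNOWN_IPS:
            findings.append(f"connection to IOC address {dst}")
        url = event.get("url", "")
        if url and refang(url) in REFANGED_URLS:
            findings.append(f"download from IOC staging URL {url}")
    sha = event.get("sha256", "").lower()
    if sha in KNOWN_SHA256:
        findings.append(f"IOC hash match {sha[:16]}... on {image}")
    return findings


def triage(lines: List[str]) -> Dict[int, List[str]]:
    """Map each line index that produced findings to those findings."""
    out: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            out[i] = hits
    return out


# Constructed telemetry: paths are shortened, non-IOC addresses use TEST-NET ranges,
# and the staging URL is kept defanged exactly as it appears in the IOC list.
SAMPLE_EVENTS = [
    "type=process image=C:\\Office16\\POWERPNT.EXE parent=C:\\Windows\\explorer.exe",
    "type=file image=C:\\Office16\\POWERPNT.EXE path=C:\\Users\\u\\Downloads\\order001.ppam "
    "sha256=DCA3AC723A130E56FB158C34C68E1C4B7D8577D0DBE9D8B859BFFF7ADA34D02E",
    "type=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Office16\\POWERPNT.EXE",
    "type=network image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=203.0.113.10 "
    "url=hxxps://www.mediafire.com/file/dsgxrjtpbyyzm7u/2.dll",
    "type=process image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe "
    "parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "type=network image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe dst=192.154.226.47",
    "type=process image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe "
    "parent=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
    "type=network image=C:\\Browser\\chrome.exe dst=203.0.113.20",
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"event {idx}: {hit}")
```

The behavioural rules matter more than the hash list: the hashes will change with the next build, but aspnet_compiler.exe launched from PowerShell or opening an outbound socket is anomalous regardless of which sample is injected, and the benign MSBuild-parented event in the sample shows the rule staying quiet for legitimate .NET builds.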
Read more: https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla