New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs

FortiGuard Labs analyzed a phishing campaign that uses a malicious OLE-format Excel attachment exploiting CVE-2017-11882/CVE-2018-0802 to run shellcode which downloads and executes a packed .NET Agent Tesla variant. The payload uses in-memory .NET resource loading, process hollowing, scheduled-task and registry persistence, and exfiltrates credentials, keystrokes, and screenshots via SMTP. #AgentTesla #CVE-2017-11882

Keypoints

  • Phishing email delivers an OLE-format Excel file (“Order 45232429.xls”) that exploits CVE-2017-11882/CVE-2018-0802 via crafted equation data to execute shellcode.
  • The shellcode downloads an additional .NET payload from hxxp://23[.]95.128.195/3355/chromium.exe, saves it as dasHost.exe, and launches it.
  • The downloaded .NET executable is packed/obfuscated (IntelliLock, .NET Reactor) and contains encoded fileless modules in .NET resources: a Loader (“Cassa”) and an encrypted Agent Tesla payload.
  • The Loader reconstructs the payload from a disguised Bitmap resource (Bitmap.GetPixel/Color.FromArgb), decrypts and decompresses it, then loads and invokes its EntryPoint in-memory.
  • The Agent Tesla payload performs process hollowing to inject and run its core module, and establishes persistence via a scheduled task and registry autorun entries.
  • Stolen data includes saved credentials from many apps/browsers, keystrokes (via SetWindowsHookEx), and periodic screenshots; exfiltration is performed over SMTP (mail.daymon.cc:587).
  • Fortinet detections and services (AntiSPAM, Web Filtering, AV, CDR) flag the campaign and the download URLs, and identify the exploit and Agent Tesla samples by signature.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The Excel OLE file contains crafted equation data that triggers the EQNEDT32.EXE parser and executes shellcode: [‘the shellcode inside the crafted equation data is secretly executed.’]
  • [T1105] Ingress Tool Transfer – Shellcode downloads an additional malware binary from a remote URL and writes it to disk: [‘downloading and executing an additional malware file from the URL “hxxp://23[.]95.128.195/3355/chromium.exe”.’]
  • [T1055.012] Process Hollowing – The payload creates a suspended process, allocates remote memory, writes the core module, sets thread context, and resumes execution: [‘create a suspended process of “dasHost.exe.” Next, it allocates memory … WriteProcessMemory() … SetThreadContext() and ResumeThread()’]
  • [T1053.005] Scheduled Task/Job – The malware creates a scheduled task via schtasks.exe from an XML definition written to %TEMP%, so that a copy of the payload runs at logon: [‘"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCqKCO" /XML "C:\Users\Bobs\AppData\Local\Temp\tmp68E9.tmp"’]
  • [T1547.001] Registry Run Keys / Startup Folder – The core module adds an autorun registry entry pointing to a copy of the executable under the user's Roaming profile so it persists across reboots: [‘adds an auto-run item in the system registry "C:\Users\Bobs\AppData\Roaming\sOFvE\sOFvE.exe"’]
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The malware extracts saved credentials from web browsers, email clients, FTP clients and other applications: [‘It steals saved credentials from specified software installed on the victim’s device, including web browsers, email clients, FTP clients and more.’]
  • [T1056.001] Input Capture: Keylogging – The core module sets a low-level keyboard hook via SetWindowsHookEx to log keystrokes and store them locally for exfiltration: [‘Agent Tesla calls the API SetWindowsHookEx() to set a keyboard hook to monitor low-level input events.’]

Indicators of Compromise

  • [URL] Download URL used by shellcode – hxxp://23[.]95.128.195/3355/chromium.exe
  • [Domain / C2] SMTP exfiltration server and port – mail.daymon.cc:587
  • [File name] Malicious attachment and dropped executables – Order 45232429.xls, dasHost.exe (the downloaded chromium.exe, renamed in %TEMP%), and the Roaming copy sOFvE\sOFvE.exe referenced by the autorun entry (the scheduled task is registered as Updates\kCqKCO)
  • [SHA-256] Sample hashes – Order_45232429.xls: FDC04DC72884F54A4E553B662F1F186697DAF14EF8A2DC367BC584D904C22638; chromium.exe / dasHost.exe: 36B17C4534E34B6B22728DB194292B504CF492EF8AE91F9DDA7702820EFCFC3A
  • [File path / temp] Local artifacts and logs – %Temp%\log.tmp (keylogger log), %TEMP%\dasHost.exe (downloaded second stage), and %AppData%\sOFvE\sOFvE.exe (persistent Roaming copy; %AppData% resolves to C:\Users\<user>\AppData\Roaming)

The technical chain begins with a phishing email carrying an OLE-format Excel file that contains crafted equation data exploiting the EQNEDT32.EXE memory-corruption vulnerability (CVE-2017-11882 / CVE-2018-0802). When opened, EQNEDT32.EXE parses the malicious equation stream and executes embedded shellcode which self-decrypts, calls URLDownloadToFileW() to fetch a second-stage .NET executable from hxxp://23[.]95.128.195/3355/chromium.exe, saves it as dasHost.exe in %TEMP%, and launches it.

The downloaded .NET dropper is packed and heavily obfuscated (IntelliLock, .NET Reactor) and carries two encoded fileless modules in its resources: a Loader assembly (identified as “Cassa”) and an encrypted payload module. The Loader reconstructs the payload by reading a disguised bitmap resource pixel by pixel via Bitmap.GetPixel() / Color.FromArgb(), then decrypts and gzip-decompresses the recovered byte stream, loads the resulting assembly into the current AppDomain, and invokes its EntryPoint in memory so the core is never written to disk.
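To make the GetPixel/FromArgb reconstruction concrete, here is an analyst-side re-implementation in Python, added to this summary and not taken from Fortinet's write-up or from the loader itself. It builds a constructed 32-bpp BMP carrying a fake payload, then walks it the way a .NET loader would (Bitmap.GetPixel(x, y).ToArgb() re-encoded with BitConverter.GetBytes, which yields B,G,R,A on little-endian .NET) and reverses the layers. The row-major pixel order, the 4-byte length prefix and the single-byte XOR standing in for the unnamed decryption step are assumptions; the real sample's cipher and key have to be recovered from the Loader's code. The parser also handles top-down (negative height) bitmaps, which GetPixel hides from the loader but a hand-written extractor must get right.

```python
"""Rebuild a payload hidden in the pixels of a 32-bpp bitmap (added example)."""
import gzip
import struct

XOR_KEY = 0x5A   # ASSUMPTION: placeholder for the article's unnamed decryption step
WIDTH = 16       # pixels per row of the constructed bitmap


def build_bmp(width: int, height: int, pixels_top_down: bytes) -> bytes:
    """Serialise a 32-bpp BMP (BITMAPFILEHEADER + BITMAPINFOHEADER, rows stored bottom-up)."""
    assert len(pixels_top_down) == width * height * 4
    row_len = width * 4
    rows = [pixels_top_down[i:i + row_len] for i in range(0, len(pixels_top_down), row_len)]
    pixel_array = b"".join(reversed(rows))            # positive biHeight => bottom-up rows
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0,
                       len(pixel_array), 2835, 2835, 0, 0)
    offset = 14 + len(info)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixel_array), 0, 0, offset)
    return header + info + pixel_array


def parse_bmp(data: bytes):
    """Minimal 32-bpp BMP parser. Returns (width, height, get_pixel) where
    get_pixel(x, y) mirrors Bitmap.GetPixel(x, y).ToArgb(): y == 0 is the top row."""
    magic, _size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP resource")
    _hs, width, height, _planes, bpp, comp = struct.unpack_from("<IiiHHI", data, 14)
    if bpp != 32 or comp not in (0, 3):
        raise ValueError("only uncompressed 32-bpp bitmaps are handled")
    bottom_up = height > 0                             # negative height = top-down layout
    height = abs(height)
    row_len = width * 4

    def get_pixel(x: int, y: int) -> int:
        row = height - 1 - y if bottom_up else y
        off = offset + row * row_len + x * 4
        b, g, r, a = data[off:off + 4]                 # stored as B,G,R,A
        return (a << 24) | (r << 16) | (g << 8) | b    # Color.ToArgb() integer layout

    return width, height, get_pixel


def argb_to_bytes(argb: int) -> bytes:
    """BitConverter.GetBytes(Color.FromArgb(argb).ToArgb()) on little-endian .NET."""
    return struct.pack("<I", argb & 0xFFFFFFFF)


def pack_payload(payload: bytes, width: int = WIDTH, key: int = XOR_KEY) -> bytes:
    """Packer side, constructed for the example: gzip -> XOR -> length prefix -> pixels -> BMP."""
    body = bytes(b ^ key for b in gzip.compress(payload))
    blob = struct.pack("<I", len(body)) + body        # ASSUMPTION: 4-byte LE length prefix
    n_pixels = -(-len(blob) // 4)                      # ceil division
    height = -(-n_pixels // width)
    blob += b"\x00" * (width * height * 4 - len(blob))  # pad to a full pixel grid
    return build_bmp(width, height, blob)


def unpack_payload(bmp: bytes, key: int = XOR_KEY) -> bytes:
    """Loader side: walk pixels row-major (ASSUMPTION), rebuild the stream,
    strip the prefix, undo the XOR and gunzip the assembly image."""
    width, height, get_pixel = parse_bmp(bmp)
    stream = b"".join(argb_to_bytes(get_pixel(x, y))
                      for y in range(height) for x in range(width))
    (length,) = struct.unpack_from("<I", stream, 0)
    body = stream[4:4 + length]
    return gzip.decompress(bytes(b ^ key for b in body))


if __name__ == "__main__":
    # Constructed stand-in for the encrypted module; not real Agent Tesla bytes.
    sample = b"MZ" + b"\x00" * 14 + b"constructed sample assembly image"
    bmp = pack_payload(sample)
    recovered = unpack_payload(bmp)
    print(f"{len(bmp)}-byte bitmap -> {len(recovered)}-byte payload, match={recovered == sample}")
```

In a real triage the packer half is replaced by the resource dumped from the dropper (for example with a .NET resource extractor), and the XOR is swapped for whatever the Loader's decompiled code actually does; the pixel-walk and gunzip stages carry over unchanged.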

The active Agent Tesla payload performs process hollowing: it creates a suspended process (dasHost.exe), allocates remote memory (VirtualAllocEx), writes the decrypted core module (WriteProcessMemory), sets the thread context to the new entry point (SetThreadContext), and resumes the thread (ResumeThread) so the core runs inside the hollowed process. It establishes persistence by creating a scheduled task via schtasks.exe (an XML-defined task pointing to a Roaming copy) and by adding a registry autorun entry. The core harvests saved credentials from multiple browsers and clients, installs a low-level keyboard hook via SetWindowsHookEx() to capture keystrokes into %Temp%\log.tmp, periodically captures screenshots (CopyFromScreen → JPEG in memory), and exfiltrates credentials, keylogs, and screenshots via SMTP to mail.daymon.cc:587 with distinct subject prefixes (PW_/KL_/SC_).
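The MITRE list and the chain above translate into a handful of host and network checks. The following Python is an added example (not a Fortinet signature or product rule) that runs them over constructed Sysmon-style events modelled on the campaign: a child of EQNEDT32.EXE, an executable launched from %TEMP%, schtasks /Create fed from a Temp .tmp XML, a Run key pointing into AppData\Roaming, and SMTP submission (587) from a process that is not a mail client, plus a mapping of the PW_/KL_/SC_ subject prefixes. The field names follow Sysmon's Event ID 1/3/13 schema; the mail-client allowlist and the Run value name in the sample data are assumptions.

```python
"""Triage rules for the Agent Tesla chain over constructed Sysmon-style events (added example)."""
import re

EXFIL_HOST = "mail.daymon.cc"
EXFIL_PORT = 587
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # ASSUMPTION: environment-specific allowlist
SUBJECT_KIND = {"PW_": "credentials", "KL_": "keylog", "SC_": "screenshot"}

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"]+\.tmp)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the name of every rule a single event trips (empty list = clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:                                       # process creation
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        if basename(ev.get("ParentImage", "")) == "eqnedt32.exe":
            hits.append("T1203 Equation Editor spawned a child process")
        if basename(image).endswith(".exe") and TEMP_RE.search(image):
            hits.append("T1105 executable launched from %TEMP%")
        if basename(image) == "schtasks.exe" and "/create" in cmd.lower():
            m = XML_ARG_RE.search(cmd)
            if m and TEMP_RE.search(m.group(1)):
                hits.append("T1053.005 schtasks /Create from a Temp .tmp XML")
    elif eid == 13:                                    # registry value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and ROAMING_RE.search(ev.get("Details", "")):
            hits.append("T1547.001 Run key pointing into AppData\\Roaming")
    elif eid == 3:                                     # network connection
        if ev.get("DestinationPort") == EXFIL_PORT and basename(ev.get("Image", "")) not in MAIL_CLIENTS:
            hits.append("SMTP submission from a non-mail-client process")
        if ev.get("DestinationHostname", "").lower() == EXFIL_HOST:
            hits.append(f"IOC match: {EXFIL_HOST}")
    return hits


def classify_subject(subject: str):
    """Map the PW_/KL_/SC_ subject prefixes to the kind of data being exfiltrated."""
    for prefix, kind in SUBJECT_KIND.items():
        if subject.startswith(prefix):
            return kind
    return None


def triage(events) -> list:
    """Run every rule over a batch of events; returns (EventID, rule) pairs."""
    return [(ev.get("EventID"), hit) for ev in events for hit in check_event(ev)]


# Constructed events (not real telemetry), modelled on the chain described in the text.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Bobs\AppData\Local\Temp\dasHost.exe",
     "CommandLine": r"C:\Users\Bobs\AppData\Local\Temp\dasHost.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCqKCO" '
                    r'/XML "C:\Users\Bobs\AppData\Local\Temp\tmp68E9.tmp"',
     "ParentImage": r"C:\Users\Bobs\AppData\Local\Temp\dasHost.exe"},
    {"EventID": 13,  # value name "sOFvE" is assumed; the article only gives the target path
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sOFvE",
     "Details": r"C:\Users\Bobs\AppData\Roaming\sOFvE\sOFvE.exe"},
    {"EventID": 3, "Image": r"C:\Users\Bobs\AppData\Local\Temp\dasHost.exe",
     "DestinationHostname": "mail.daymon.cc", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},   # benign control
]

if __name__ == "__main__":
    for eid, hit in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {hit}")
    print(classify_subject("PW_Bobs/DESKTOP-1"))
```

The benign Outlook connection on port 587 is included to show that the SMTP rule only fires on unexpected submitters; the IOC rule is a separate, exact match so that the behavioural checks remain useful once the campaign's infrastructure changes.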

Read more: https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document