Are Agent Telsa malware procedures mitigated on this host?

This TTP downloads an executable that mimics Agent Tesla's browser data collecting. The TTP also simulates wifi information parsing and theft followed by compressing information in a zip file ready for exfiltration.

Are Agent Telsa malware procedures mitigated on this host?

Agent Tesla was listed in CISA's "2021 Top Malware Strains" advisory and has been active since 2014. Agent Tesla is classified as a remote access trojan (RAT) and is capable of stealing data from mail clients, web browsers, and FTP servers. Like other RATs listed in CISA's top malware list, Agent Tesla has the capabilities to capture screenshots, videos, and clipboard data. This malware is the second most common info stealer behind the Formbook malware. Agent Telsa is available online for purchase and marketed as legitimate software. This malware is written using .NET and has a customizable interface that allows non-technically savvy users to configure options easily. The latest version of Agent Tesla in the wild is version 3. The primary delivery method for Agent Tesla is via malicious attachments in large malspam campaigns.

At a high level, some of Agent Tesla's capabilities are:

  • Initial access - Usually delivered in phishing emails as a malicious attachment.
  • Execution - Malicious Office files are executed to initiate the next stage or run the payload. Malicious Compiled HTML Help files have also been observed. Some samples exploited CVE-2017-11882.
  • Persistence - Modifications to Registry Run Keys or the Startup folder, along with scheduled task creation.
  • Privilege Escalation - Process injection may be performed for privilege escalation. Similar techniques used for Persistence cross over to Privilege Escalation.
  • Defense Evasion - Performing process injection techniques are utilized. Obfuscated files are also utilized to attempt to bypass detections. Adding the binary to Windows Defender exclusion path is a known technique for this malware.
  • Credential Access - Gather credentials from password stores, such as FTP clients and wireless profiles, and various web browsers.
  • Collection - Numerous activities to collect personal information and credentials from the victim: keylogging, clipboard data, screen capture, and video capture.
  • Command and Control - Depending on the version of the malware, mail and/or web protocols may be utilized. Newer versions of this malware, such as version 3, may use TOR.
    This TTP was designed to emulate Agent Tesla's credential access capabilities.

Testing

Execute `Are Agent Telsa malware procedures mitigated on this host?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will create a directory in `$env:TEMP` named `subfolder`. The TTP will copy a binary named `filename.exe` to this location to emulate the dropper. Next, it will attempt to execute Netsh to export all Windows Wifi profiles (SSID and password) by running the following command: `netsh wlan export profile key=clear`. The contents of the XML file created by the Netsh command will be parsed to extract the Wifi SSIDs and passwords to a text file named `wifipass.txt`. Filename.exe is built from the opensource security tool `HackBrowserData` which extracts browser data and decrypts credentials. It does this by parsing different known databases and attempting to export keys associated with those browsers. After executing `filename.exe` the binary is then deleted. All the newly created files are then zipped into a zip file called `exfil.zip` and the files are then deleted. The TTP will perform a conditional check to verify the creation of the zip file. Finally, the TTP will delete any remaining artifacts.

Remediation

CISA lists ‘Immediate Actions You Can Take Now to Protect Against Malware’. One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This is important since the vector for initial access is via phishing. Ensure the host machine has up-to-date signatures and logs any access to `netsh`.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Are Agent Tesla procedures mitigated on this host?