Agent Tesla now beats Microsoft Defender Detection

Agent Tesla, a malware as a service tool used by hackers and APT’s (advanced persistent threats) has recently been under some development by the threat actors to avoid Defender for Endpoint detection.

The malware which can be bought on the agent Tesla website has been designed with an arsenal of tactics and techniques which can be configured by whomever decides to purchase it. Some of these techniques include evading detection while others are tweaked for exactly what the threat actor is after.

A new APT group dubbed ‘Silverfish‘ has been identified as a likely group using Agent Tesla to gain a foothold in thousands of companies networks, although has been known to specifically target the government and defence sectors. The group which has been closely linked to the infamous and recent SolarWinds attack has been linked to other well-known and developed trojans such as Trickbot and Dridex.

After some malware analysis it was found that agent Tesla is likely being used by the group for device and network reconnaissance followed by a later lateral movement across the network for a ransomware attack.

Initial Access – Stage 1

The initial access was gained by compromising existing government based websites to host a fake chrome update pop-up. This popup once download installed a fake java-script file which ran in the background unknowingly to the user. The JavaScript based file which had been zipped up ran once a user had opened it up, thinking they were going to update chrome. It was able to run on Windows based devices due to Windows Script Host running the file with its JavaScript interpreter. The JavaScript file which was obfuscated was designed to avoid detection and contained several lines unrelated to the intention of the file, likely placed their to confuse any malware researchers but also to avoid detection. The script called out to a c2c subdomain domain (a0fb7537[.]login[.]wppcrisis[.]com) to download further scripts, it however also called out to 3 other subdomains (crl[.]identrust[.]com, cdn[.]jsdelivr[.]com and r3[.]o[.]lencr[.]org[.]x).

Device Reconnaissance – Stage 2

Once installed the JavaScript launched by wscript.exe and inspected by AMSI(Microsoft’s anti-malware software interface) performed device reconnaissance of the local host. This included, anti-virus installed, machine name, operating system, OS version, user DNS domain, process list, all user accounts, service list, processor architecture, local admin behaviour and prompt on secure desktop. All of the reconnaissance was designed for the attacker to know exactly what malware should be deployed but more importantly the version to run. On top of the actions performed the script also creates a new temporary file as a .dat file type. This file is ran as the user in command prompt using the users compromised password. Once the script has ran it will sleep for 15000 seconds (4.16 hours).

The temp file created is then renamed to ‘18334728.js’. This JavaScript file is once again invoked by the JavaScript interpreter by wscript.exe. The aim of this new JavaScript file is to create a new file in the temp folder called ‘radEFAC9.tmp’, the script also then verifies the file has been created.

Once created a script is then run which yet again calls out to a subdomain under login[.]wwpcrisid[.]com. This script sends all the information collected about the machine and then attempts to download Agent Tesla as the filename ‘radEFAC9.tmp’ however this time under the program data directory folder rather than the temporary folder previously used. This newly generated file is then renamed to ‘uhfsp.dat’.
On this occasion Defender for Endpoint detected and prevented the Agent Tesla download under the file created, however the script was designed to verify the successful download. As the download had failed it then reran the script above and likely downloaded an alternative version of the prominent malware which avoid Defender for Endpoint detection by running in the AMSI. Although this could not be confirmed fully due to obfuscation in the code.

Network Reconnaissance – Stage 3

Once deployed Agent Tesla begins doing the heavy lifting with network reconnaissance, it begins by establishing connection with two c2c domains used for the rest of the attack (locoore[.]com and mcessr[.]com). Once connection is confirmed it begins by returning all domain controllers in the local domain using command prompt. This is then followed by attempted connections over port 445 (SMB) to other servers it believes it’s found.

Agent Tesla then goes on to gather details about any RDP sessions on the local host along with querying all credentials stored on the local device where an attempt is then made to gather token information. The malware continues to gather details of all vulnerable services which could be modified by the infected user account. From here it attempts to update a service DACL and verifies if elevated privileges are required for program installs.

The network reconnaissance continues by querying for all domain and enterprise administrators which if found will then return all active directory details about these accounts.
Furthermore, any accounts that have Kerberos pre-authentication disabled are queried which is likely to be used as part of a later attack method.

The automated malware will also query the domain and search for any other domains which could be in the Active Directory Forrest.

In this case Agent Tesla has also been configured to attempt to run whoami commands on external servers as well as attempting to access their C$ folder. This step is performed in order to identify possible routes for lateral movement across the network for further compromise and persistence.

Previously the local users password was compromised however this action is then performed again and all active directory details are returned for this user as part of the reconnaissance phase.

Persistence – Stage 4

The agent Tesla .dat file created performed an action where it attempts to update a registry key so the .dat file will spawn when a machine is booted up. This is a form of persistence for the malware in the event the machine is powered off.

Lateral Movement – Stage 5

Once the domain and local host reconnaissance is performed a PowerShell function ‘invoke-WMIExec‘ is ran which doesn’t require elevated privileges to run. WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication in order to move laterally over the network.

It is believed the lateral movement was performed to identify and access servers for a later ransomware attack.

Indicators of Compromise (IoCs)

  • login[.]wppcrisis[.]com
  • locoore[.]com
  • mcessr[.]com

Preventing the Attack

In order to prevent a similar attack it is recommend to block the IoCs identified through URL filtering and Firewall technologies across all areas of the networks. It is also recommended to block downloaded JavaScript files from running altogether which would have prevented the initial access.

Querying and identifying all accounts with pre-authentication disabled in Active Directory and ensuring this setting is enabled is also recommended as these accounts are possible accounts that can be used further down the attack chain or for later persistence techniques.

Lastly, deploy and configure an EDR solution which is able to effectively identify not only malicious software running but also suspicious commands executed on a device which will greatly assist in the detection of such a threat. A solid EDR can be coupled with a SOAR platform to automatically triage the alerts and apply automated response actions such as isolating the device and disabling the user account.