Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities

A new iteration of the Agent Tesla keylogger has expanded on its data harvesting capabilities and exfiltration efforts in phishing campaigns primarily targeting India and ISPs. Cofense Intelligence recently alerted customers to Agent Tesla’s high volume compared to other keylogger families from January to August this year. The newest iteration of the keylogger added to that volume, likely as threat actors moved to adopt the updated version.

Threat actors who transition to this version of Agent Tesla gain the capability to target a wider range of stored credentials, including those for web browser, email, VPN and other services. This may indicate an increased interest in stolen credentials for a more specialized segment of the market or a particular kind of product or service. The update also includes networking capabilities that create a more robust set of exfiltration methods, including the use of the Telegram messaging service—adding to an overall trend of abusing trusted platforms to evade network-based detection. For Cofense Intelligence customers, technical details of these and other updates are available in the full report in ThreatHQ.

Figure 1: Top regions targeted by the different versions of Agent Tesla.

Figure 2: Top industries targeted by the different versions of Agent Tesla.

From August to December of this year, the newest iteration of Agent Tesla largely followed the same pattern as the older version in terms of targeted industries and regions. Figure 1 shows that both versions preferred to target email accounts in India more than any other region. The United States and Brazil were also among the top three most targeted regions. Figure 2 shows that Agent Tesla overwhelmingly targeted internet service providers (ISPs) over other industries. Utilities and financial services rounded out the top three targeted industries.

ISPs could be considered a major target for threat actors because of the other industry verticals that rely on them for essential functions. A compromised ISP could give threat actors access to organizations that have integrations and downstream permissions with the ISP. Subscribers would also be at risk, as ISPs often hold emails or other critical personal data that could be used to gain access to other accounts and services. In at least one incident, attackers reportedly targeted subscriber data of a compromised ISP in Austria.

Agent Tesla has been a major force within the phishing-threat landscape for years and has steadily evolved, likely in response to threat actors’ demands and improvements in network defenses. The infection chains that use this keylogger family as their final payload are too numerous to list, which shows the versatility of this particular family. The fact that older versions of the Agent Tesla keylogger are still successful today likely indicates that threat actors will be slow to adopt the newest version. However, once threat actors realize the benefits of updating to the newest version, they may transition more quickly, as the new features might become necessary. Despite the dangerous capabilities of both versions of Agent Tesla, organizations can protect themselves by educating their employees and keeping proper mitigations in place.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Astaroth Uses Facebook and YouTube within Infection Chain

Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection. The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.

This Astaroth Trojan campaign exclusively targeted Brazilians, as was also reported in 2018. In one week, it was able to compromise around 8,000 machines. Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads. This campaign also used Cloudflare Workers (a JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted-source methodology employed by this campaign to bypass the security stack.

The emails analyzed by Cofense Intelligence were in Portuguese and had three distinct themes: an invoice theme, a show ticket theme, and a civil lawsuit theme. Each of the phishing campaigns enticed the end user into downloading and opening a .htm file to start the infection chain. The email security stack would need to be able to scan the attachments for malicious links and/or downloads to stop this technique. Having proper mitigations in place alongside user education on safeguard procedures will also help negate this type of attack, as it is mainly reliant on the end user.

Technical Findings

Once opened, the .htm file downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK file. The .LNK file then downloads a JavaScript file from a Cloudflare Workers domain, shown in Figure 1.

Figure 1: The Cloudflare workers domain used within the infection chain

The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’. Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as Anti-Virus (AV), application white-listing, and URL filtering.

After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state. Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources.

Astaroth uses YouTube and Facebook profiles to host and maintain the C2 configuration data. This C2 data is base64 encoded, custom encrypted, and bookended by ‘|||’, as shown in Figure 2. The data sits within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors can also change the content within these trusted sources dynamically, which reduces the chance of their infrastructure being taken down.

Figure 2: The C2 configuration data hosted on YouTube
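The ‘|||’ bookends described above are a usable hunting indicator: a defender who can pull the visible text of suspected profiles or posts can look for base64 runs framed by that delimiter. The following is an added example, not code from the post or from Cofense, and the profile text it scans is constructed. It strips only the base64 layer; the custom encryption the post mentions is not documented, so the decoded bytes are returned as-is for further analysis.

```python
import base64
import re

# Constructed sample profile text (not from the page): a C2 configuration blob is
# embedded between '|||' delimiters, as the post describes. The inner bytes are a
# placeholder; the page does not document the custom encryption layer, so this
# code only strips the base64 layer and hands the raw bytes on for analysis.
PLACEHOLDER_CONFIG = b"\x13\x37placeholder-custom-encrypted-config\x00"
SAMPLE_PROFILE_TEXT = (
    "Canal de receitas e dicas do dia a dia. |||"
    + base64.b64encode(PLACEHOLDER_CONFIG).decode("ascii")
    + "||| Inscreva-se no canal!"
)
# Benign text that also contains the delimiter but no config-sized base64 run.
SAMPLE_BENIGN_TEXT = "Use ||| as a separator ||| in your notes, e.g. |||QUJD|||."

# '|||', then a run of base64 characters long enough to be a config, then '|||'.
BOOKENDED_RE = re.compile(r"\|\|\|([A-Za-z0-9+/]{16,}={0,2})\|\|\|")


def extract_bookended_blobs(text: str) -> list[dict]:
    """Return every '|||'-bookended base64 blob in text with its decoded bytes.

    Each hit records the character offset, the base64 as seen, and the decoded
    bytes (still custom-encrypted per the post) so an analyst can pivot on them.
    """
    hits = []
    for m in BOOKENDED_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # delimiters present but not base64: not the pattern we want
        hits.append({"offset": m.start(), "b64": m.group(1), "raw": raw})
    return hits


def hosts_c2_config(text: str) -> bool:
    """True when a profile or post carries at least one candidate config blob."""
    return bool(extract_bookended_blobs(text))


def triage_profiles(profiles: dict[str, str]) -> list[str]:
    """Given {profile_url: visible_text}, return the URLs worth blocking or reporting."""
    return [url for url, text in profiles.items() if hosts_c2_config(text)]


if __name__ == "__main__":
    for hit in extract_bookended_blobs(SAMPLE_PROFILE_TEXT):
        print(hit["offset"], hit["b64"][:24] + "...", len(hit["raw"]), "bytes")
```

The minimum length in the pattern keeps short, legitimate uses of ‘|||’ (as in the benign sample) from producing hits; tune it to the sizes seen in real configurations.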

Once the C2 information is gathered, Astaroth then proceeds to collect sensitive data on the endpoint. The data gathered includes financial information, stored passwords in the browser, email client credentials, SSH credentials, and more. The modules used to collect this data are part of the multiple files downloaded by the JavaScript discussed above. All collected information is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, a majority of which are hosted on Appspot. This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it.

Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures. Understanding these types of threat actor Tactics, Techniques, and Procedures (TTPs) can help fine-tune the security stack to defend against them. Technology can help empower an end user to help protect against this type of attack, but education will make them confident in doing so.


89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense Center™ bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.


Full List of IOCs

ATR ID: 28320 
File  MD5 Hash Value
06  dac44bfad9f76ba6dbdc2e5753b45ace
09  ba048536df48d7e9dd893a6a03ef2241
Casa&  19260462563234466f017056f6a206a4
Casa&  02b9550e9530552f0291e018248616e3
Casa&  b939510a06297f7df415da4969ad370f
Convite-16478.doc.htm  1b4ba6193c41c002ca01b79be6b4bf58
Convite-24434.doc.htm  b958cc34580f88a85ec213710096b3f2
Convite-28353.doc.htm  fd5a66109a47f6f8e2ddccd18dff90ac
Convite-Especial_450.lnk  c240f95d98b9a9c7013568bf82f82200
Convite-Especial_450.lnk  a4c9f257b3e59da8b2fcf0d8cea55c5a
Convite-Especial_500.lnk  0ef2370581573a7dd04600957e1bf5f1
Convite-Especial_500.lnk  f71b63d22f4bab20aab0c9393857f665
Convite-Especial_600.lnk  451dcb3829434c1e2f12bf894a8f2793
Convite-Especial_600.lnk  68b9e1a6ced7762ceb77f28632f0c462
daffsyshqy64a.dll  6ddf3a891ea9f3cc96cf04c6a06f8176
daffsyshqy64b.dll  a8eb5f30af5632b86f61b82d32b39dca
daffsyshqy64.dll  14ffd7f15426f44f2f6cca63c1f3074b
daffsyshqya.jpg  57bbfb7dfbd710aaef209bff71b08a32
daffsyshqyb.jpg  f2cf0bc2a11c62afa0fd80a3e8cd704d
daffsyshqyc.jpg  1f2204f86817402088d4cb8337bfbccc
daffsyshqydwwn.gif  d0b486f131c70cf18b1e51651fa3667b
daffsyshqydx.gif  e1762709a530f79365e53339c3f5a92c
daffsyshqyg.gif  d2fb935b6a5ca8d61f27198eea7a3ad5
daffsyshqygx.gif  7443bbbf9b2f02c68573f2788208f9b3
daffsyshqyxa.~  95b4897223c0220a71f8b7db8d26b96f
daffsyshqyxb.~  a75137f66c218886d6cd44f6efa703bf
Departamento_Fiscal.170.lnk  f47531b59187ec87dcac80383fb43a32
Departamento_Fiscal.170.lnk  8c39a5cbacf24535d83c116eb680cb08
Departamento_Fiscal.300.lnk  9db1833a686fea058b12bb050ec71d15
Departamento_Fiscal.300.lnk  3cfdeede42ce9a35009ab8755860ce97
Departamento_Fiscal.490.lnk  1fda7ca3dca57d1eee0007695af6c36d
Departamento_Fiscal.490.lnk  7f01a1f829a1c514fcf372a5fed4852b
Departamento_Fiscal.580.lnk  a9939044af4b9886ed5fc570bef357d7
Departamento_Fiscal.580.lnk  c0bbbc27ed84ffb2066f4fd53f66fb8f
Departamento_Fiscal.700.lnk  8d6379a39692ace24ec6232e333733ca
Departamento_Fiscal.700.lnk  cb67c6e585b5ed0ffa8d6a1da0f50f6d
FISCAL_ELETRONICA.htm  356f364e63d1cb900f4210497c006592
FISCAL_ELETRONICA.htm  be34918b1b4f68885f12cfe79d79eaed
FISCAL_ELETRONICA.htm  1b2fbd4b8e0fc09f18e385f3e99c7c18
FISCAL_ELETRONICA.htm  8d5ac61b30c704f18131afe16c6a931d
FISCAL_ELETRONICA.htm  0c8c016e42cde175761ef1ccf5f49393
l0hdOOY.js  de057b5a7518f0117a884b0393cb24f8
mozcrt19.dll  14ffd7f15426f44f2f6cca63c1f3074b
mozsqlite3.dll  14ffd7f15426f44f2f6cca63c1f3074b
mozsqlite3.dll  e36ae691fc76dd3afdab86f120ef45f0
mozsqlite3.dll  9f20b09dd004fffb3bd440f1a69ff7e2
mozsqlite3.dll  bde41fa97144ef74be6ae129aa699f9f
mozsqlite3.dll  2159653ee0374fa4a157ba98ecd6dfe3
mozsqlite3.dll  74e9ee1b315b4bbe2f393eb434d282e8
Processo_0339688.htm  1b99d7c6ba70f5b51d29aa7138871de3
Processo_0339688.htm  9bf29a680a7ccdcf08539cc0334d3bf0
Processo_0743333.htm  07eb7252072a9a367952e11e91099aba
Processo_0743333.htm  676752b756d6b549ba70bfd78453df75
Processo_3585524.htm  14c345a7b0832d978b0bfc1a41936cce
Processo_3585524.htm  99716f3749772b55a7a2337aa9c2ceae
Processo_4520552.htm  552c4f4606586020e649e608a9635283
Processo_4520552.htm  b3e3cc3fc712b4e3bc0513e15da49fb7
Processo_5451802.htm  71c2dd1749b8b6424ae33fc742d8b979
Processo_5451802.htm  95bb9a288c45ba4192c4c206a153898f
Processo_5574567.htm  d1a5c070a423d13a9f9a7a6c30290b96
Processo_5574567.htm  e829f09c42e9866027de2ba5ff37b42b
Processo_5583423.htm  0c6bcf42b7eea1c88f501e7d27bd635a
Processo_5583423.htm  4459af875005925cc214699ea65e433a
Processo_8457803.htm  a62c73c1a6ffc93300ecd3417682caaa
Processo_8457803.htm  4459af875005925cc214699ea65e433a
Processo_8538828.htm  2b3cd62a7e1ffb67a2412045ff3175a5
Processo_8538828.htm  a68847e5fa17cf6500fc2cc1bb9ad606
Processo_Judicial_Eletronico.130.lnk  11f473c93a505d0be9b2bbe2261f6891
Processo_Judicial_Eletronico.130.lnk  eca6717f16ce755254f39c1ff9175c62
Processo_Judicial_Eletronico.150.lnk  cf333b6d6f5b22f41c685d7fce1ed30e
Processo_Judicial_Eletronico.150.lnk  d623289773b08bddf4cb05b4c2155779
Processo_Judicial_Eletronico.30.lnk  cf9599ed5188bf857d325a383492230b
Processo_Judicial_Eletronico.30.lnk  9986df584fbc379e71c94462f680435b
Processo_Judicial_Eletronico.310.lnk  b6f0527fe826a1c367f9385e6097284d
Processo_Judicial_Eletronico.310.lnk  fee203eea24f9a647a7feb7c194cd36d
Processo_Judicial_Eletronico.420.lnk  6bd1f103d08fd98d16346ef53a1bec9c
Processo_Judicial_Eletronico.420.lnk  deb93d749ae8027263432e40be98fc22
Processo_Judicial_Eletronico.480.lnk  b7901d33364a4734b9c02b6083ef3f7f
Processo_Judicial_Eletronico.480.lnk  e38239422342eb717bcaccd3dc2c3c8e
Processo_Judicial_Eletronico.740.lnk  7479929ccaa6c4a7b4e3e68eeac1668f
Processo_Judicial_Eletronico.740.lnk  5cff755c3bd694d8927d6ceb6bee3e0b
Processo_Judicial_Eletronico.750.lnk  4f82854519cd2f6bdd77dd43bd8f7605
Processo_Judicial_Eletronico.750.lnk  17f2e35d0e108c0a70325450c25bd57e



Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular Microsoft Exchange Online Protection, and make its way to the end user.

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host.

TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting to threat mitigation controls. By moving the web browser credential harvesting feature to a standalone module, threat actors trim down their initial footprint of infection. This adaption allows for fewer detections and the ability to download specific modules for better results after the infected host has been fingerprinted.

Safeguarding against this attack requires educating users about the importance of not saving credentials in the browser. For protection against other attacks, use technology to limit the number of times this type of payload gets to end users and educate them on the impacts these executables can have.

Technical Findings

The ‘Cookie Grabber’ module is downloaded in the same fashion as the other modules used by TrickBot. This module’s stark difference is the ability to parse through web browser databases locally to extract the targeted information. The module is placed within the %APPDATA%/Roaming directory with the other downloaded modules, all of which include ‘cookiesDll64’ in the naming convention.

This information stealing module targets Firefox, Chrome, and Internet Explorer web browsers. With Internet Explorer, the module targets the text files that store browser cookie information located within the user profile directories, as shown in Figure 1 (Appendix A). Additionally, it targets Firefox and Chrome cookie information that is housed within a SQLite database on the local host. The ‘Cookie Grabber’ module appears to have pre-defined SQL queries to gather the targeted information from both Firefox and Chrome. This module also makes use of a SQLite 3 embedded engine to allow for further database manipulation from the threat actor.

Once the infection has taken hold on the victim’s machine and the modules have been downloaded, decoded, and injected into svchost.exe, the sample then attempts to exfiltrate the gathered information using two HTTP POST requests.

  • The first HTTP POST is a form-data content-type to the Command and Control (C2) server containing other credentials harvested outside of the web browsers. Appended to the C2 URL is a unique string identifier containing host fingerprint information. This POST contains two distinct sections of information, one is the harvested credentials, the other is the source of the credentials. Figure 2 (Appendix B) shows the first HTTP POST to the C2 and contains FTP credentials gathered from the legitimate application, WinSCP.
  • The second HTTP POST to the C2, shown in Figure 3 (Appendix B), has a different User-Agent string, which has changed from a legitimate value to ‘dpost.’ The dpost value comes from the name of the configuration file used and serves as an identifying marker for TrickBot’s network traffic while it exfiltrates the data. The destination port has also changed from 80 to 8082. This second HTTP POST includes the harvested web browser information, which is base64 encoded. The encoded information appears to contain the user profile name, the browser the information was harvested from, the URL, user name, password, time last used, and time created. These values are separated by a pipe (‘|’) and resemble the format below:

‘User Profile | Web Browser | URL | User Name | Password | Timestamp | Timestamp |/’

Each record collected by TrickBot and exfiltrated through the HTTP POST is separated by a forward slash (‘/’) character. In both HTTP POSTs, the C2 server was named ‘Cowboy’ and replied with an HTTP 200 OK containing a small text response of ‘/1/’. Figure 2 (Appendix B) shows the first HTTP POST to the C2, while Figure 3 (Appendix B) shows the second HTTP POST to the same C2. Notice the User-Agent value differences as well as the base64 encoded data strings within the second HTTP POST.
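The markers above (User-Agent ‘dpost’, destination port 8082, a base64 body of pipe-delimited records) are enough to build a small triage step for captured traffic. The following is an added example, not code from the post or from Cofense: the request objects and the two sample POSTs are constructed, and the trailing ‘|/’ shown in the format line is treated as the record terminator (an interpretation of the page’s “separated by a forward slash”), which keeps the slashes inside URLs from splitting a record. Passwords are replaced by their length so that the parser never re-logs a secret.

```python
import base64
from dataclasses import dataclass, field

# Field order taken from the format line on the page; '|/' is treated as the record
# terminator (interpretation, see lead-in) so '/' inside URLs does not split a record.
FIELDS = ("user_profile", "browser", "url", "user_name", "password",
          "time_last_used", "time_created")
RECORD_TERMINATOR = "|/"


@dataclass
class HttpRequest:
    """Minimal view of a captured request (constructed for this example)."""
    method: str
    dest_port: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def is_dpost_exfil(req: HttpRequest) -> bool:
    """Match the two network markers the post gives for the second POST:
    User-Agent 'dpost' and destination port 8082."""
    return (req.method == "POST"
            and req.headers.get("User-Agent") == "dpost"
            and req.dest_port == 8082)


def parse_dpost_body(body: bytes) -> list[dict]:
    """Decode the base64 body and split it into labelled credential records.
    Passwords are replaced by their length so the parser never re-logs a secret."""
    text = base64.b64decode(body).decode("utf-8", errors="replace")
    records = []
    for raw in text.split(RECORD_TERMINATOR):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != len(FIELDS):
            continue  # malformed record: skip rather than mislabel fields
        rec = dict(zip(FIELDS, parts))
        rec["password"] = "<redacted:%d chars>" % len(rec["password"])
        records.append(rec)
    return records


def triage(requests: list[HttpRequest]) -> list[dict]:
    """Return one finding per request that matches the exfil markers."""
    findings = []
    for req in requests:
        if is_dpost_exfil(req):
            recs = parse_dpost_body(req.body)
            findings.append({"records": len(recs),
                             "browsers": sorted({r["browser"] for r in recs}),
                             "urls": [r["url"] for r in recs]})
    return findings


# Constructed sample traffic (not captures from the post). The first request mimics the
# multipart POST on port 80; the second mimics the 'dpost' POST on 8082 with two records.
_PLAIN = ("WinUser|Chrome|https://bank.example/login|alice|hunter2|1565000000|1564000000|/"
          "WinUser|Firefox|https://mail.example/|alice|s3cret!|1565000100|1563000000|/")
SAMPLE_FIRST_POST = HttpRequest(
    "POST", 80,
    {"User-Agent": "Mozilla/5.0", "Content-Type": "multipart/form-data; boundary=xyz"},
    b"--xyz\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\n(winscp creds)\r\n--xyz--")
SAMPLE_SECOND_POST = HttpRequest("POST", 8082, {"User-Agent": "dpost"},
                                 base64.b64encode(_PLAIN.encode("utf-8")))

if __name__ == "__main__":
    for finding in triage([SAMPLE_FIRST_POST, SAMPLE_SECOND_POST]):
        print(finding)
```

In a real deployment the findings would feed a password-reset workflow keyed on the URL and user name fields, which is why those are kept and the password itself is not.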


Cofense™ encourages organizations to train users to be cautious in clicking links or opening attachments that could lead to harmful malware being installed on their machine. It’s also important to encourage users to report a suspicious message even if they clicked on the link or opened the attachment as malware can still get installed in the background.

The appendices below contain figures related to this sample of TrickBot. For more information please contact [email protected]

Appendix A:

Figure 1: Locations that ‘Cookie Grabber’ searched for Internet Explorer cookies

Appendix B:

Figure 2: The First HTTP POST to the C2 containing gathered non-web browser related credentials

Figure 3: The second HTTP POST to the C2 containing the base64 encoded credential strings





Babylon RAT Raises the Bar in Malware Multi-tasking


Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense Intelligence™ has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DoS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.

Full Details

Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is encrypted, allows for dynamic domains, and can turn a client into a reverse SOCKS proxy for further obfuscation. This weaponized RAT has many real-time client interaction methods and is capable of information theft. The administration panel has features that can allow for lateral propagation across end points on a network. This tool has enough features that, if used correctly, could devastate any organization.  

Babylon RAT’s client code is written in C# and is dependent on .NET 4.5. The administration panel (shown in Figure 1) is written in C++ and provides the functionality to manage multiple server configuration options. One option is the port on which the administration panel listens when the server is started. Another option is a network key for authentication of the infection to the administration panel. Lastly, the configuration allows setting the IP version used to connect. The File drop down at the top provides access to the server, configurations, and the payload builder.

Figure 1: The administration panel and the management tabs for Babylon RAT 

C2 Details 

The initial C2 connection the client binary makes after being executed is hardcoded into the binary when it is built. The building process suggests dynamic domains so that the IP address can be changed without interruption to the communication. This connection is encoded and contains fingerprinting information about the infected host. This information includes IP address, Country, Username, PC name, Operating System (OS) details, and which program window is active for the end user. After initial communication with the C2, the infected endpoint will update the administration panel every 5 seconds by default. The check-in notice sent to the server from the client consists of very small network packets, only about 4-8 bytes in size. Figure 2 shows the administration panel with the details listed above. 

Figure 2: The administration panel and the fingerprinted information as listed above for Babylon RAT 
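The 5-second default check-in with 4-8 byte packets described above is the kind of fixed-period, tiny-payload pattern that stands out in flow data even when the content is encrypted. The following is an added example, not code from the post or from Cofense: it groups constructed flow records by (source, destination, port), measures the median inter-arrival time and its jitter, and flags groups whose packets are both small and regular. The C2 address and port (203.0.113.7:4782) and the flow record layout are assumptions for the sample data.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound packet/flow record (constructed format, not from the post)."""
    ts: float          # seconds since epoch
    src: str
    dst: str
    dport: int
    payload_len: int   # application-layer bytes


def find_beacons(flows, min_events=8, max_payload=16, max_jitter_ratio=0.1):
    """Flag (src, dst, port) tuples whose packets are tiny and arrive on a steady period.

    Period is the median inter-arrival time; jitter is the standard deviation of the
    inter-arrival times relative to that period. Sleep-based check-ins (the post's
    5 s default) give a low ratio; human-driven traffic does not.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), evs in by_key.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
        period = statistics.median(intervals)
        if period <= 0:
            continue
        jitter_ratio = statistics.pstdev(intervals) / period
        size = statistics.median([f.payload_len for f in evs])
        if jitter_ratio <= max_jitter_ratio and size <= max_payload:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "period_s": round(period, 2),
                             "median_payload": size, "events": len(evs)})
    return findings


def constructed_flows():
    """Sample data: one beaconing host, one browsing host, one scheduled bulk sync."""
    base = 1_700_000_000.0
    flows = []
    # Infected host: 4-8 byte check-ins every ~5 s to a placeholder C2 (203.0.113.7:4782).
    jitter = [0.0, 0.1, -0.05, 0.02, 0.08, -0.1, 0.03, 0.0, 0.05, -0.02, 0.01, 0.04]
    sizes = [4, 5, 6, 8, 4, 7, 5, 6, 4, 8, 5, 6]
    for i in range(12):
        flows.append(Flow(base + 5.0 * i + jitter[i], "10.0.0.15", "203.0.113.7", 4782, sizes[i]))
    # Browsing host: irregular timing, large payloads.
    for t, n in [(0, 1200), (3.2, 800), (17.9, 15000), (18.4, 640), (42.0, 3300),
                 (43.1, 900), (90.5, 12000), (95.0, 700), (131.6, 2100)]:
        flows.append(Flow(base + t, "10.0.0.22", "198.51.100.10", 443, n))
    # Scheduled sync: perfectly periodic but carries real data, so the size test excludes it.
    for i in range(9):
        flows.append(Flow(base + 60.0 * i, "10.0.0.30", "192.0.2.5", 443, 50_000))
    return flows


if __name__ == "__main__":
    for finding in find_beacons(constructed_flows()):
        print(finding)
```

The payload-size test is what separates the RAT check-in from legitimate periodic jobs (backups, update checks), which are regular but carry data; the jitter test separates it from browsing. Both thresholds are starting points to tune against a baseline of the monitored network.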

Babylon RAT has the ability to turn an infected machine into a SOCKS proxy, with a choice of version 4 or 5. The main difference between the versions is that version 5 provides authentication from the client to the proxy, which helps prevent abuse by unwanted parties. By creating a SOCKS proxy, the threat actors create an encrypted tunnel and can have all of the infected hosts use it as a gateway, which allows for network capturing. This also allows a threat actor to need only one exit point within a network while maintaining the infection of multiple machines: if a threat actor can maintain communication with one endpoint in a network, they can then propagate laterally and have all the C2 traffic from the infected clients flow back out through that one endpoint. With access to the command prompt and stolen credentials, this would be trivial to do. This technique would also bypass email and URL filtering of unwanted binaries. Figure 3 shows the SOCKS proxy endpoint details and the amount of traffic flowing through it.

Figure 3: The SOCKS proxy tab and the details associated 

The client builder gives the option to use two different C2 domains for redundancy. When combining the ability to use multiple dynamic domains with a proxy server, a threat actor could effectively create layers of obfuscated traffic between the endpoint and the client through multiple channels.  

Figure 4: The surveillance options that are available to the operator 

Notice in Figure 4 the option for password recovery. The password recovery module looks through applications, including web browsers, and harvests credentials but does not gather the OS user credentials. One could surmise, though, that with the username shown above and a couple of harvested passwords, the OS user credentials could be compromised. If the OS user credentials are compromised, it would be easy for the operator to open the remote command prompt and attempt to log in to other network machines using those credentials. If successful at logging into another machine, it is then possible for the operator to have the second machine download and execute another payload. This would need to be automated, but it does reflect a propagation method for the RAT. Figure 5 shows the system options, including the remote command prompt option.

Figure 5: The system options that allow for further interaction and detail of the infected system 


Adding to its already long list of functions, Babylon RAT has the ability to produce Denial of Service (DoS) attacks against targets from the infected hosts. The DoS feature can be set to a hostname or IP range and allows for multiple protocols to be initiated. The protocols all have thread and socket parameters that are adjustable. A threat actor can select to have the attack come from an individual protocol or all of the protocols available. Once this command is sent to a single host, the operator can easily replicate the command to the other infected hosts, effectively creating a larger Distributed Denial of Service (DDoS) attack. Figure 6 shows the configuration for the DoS attack and Figure 7 shows the machines’ status change to DoS.

Figure 6: The parameters available for the DoS attack

Figure 7: The administration panel and the multiple infected hosts carrying out a DDoS attack 

In the End 

Babylon RAT is an open-source platform that allows for various misdeeds. The encrypted traffic and the ability to create SOCKS proxies can help negate network security measures. The client builder allows for Anti-Virus bypassing, which helps the binary reach the endpoint. The processes allowing for network propagation mean an infection is not limited to one endpoint. Combined with the ability to perform a DoS attack, Babylon RAT can be highly effective in the proper environment. Babylon RAT campaigns can be avoided with proper technology in place and by educating end users to recognize and report suspicious emails.

To stay ahead of emerging phishing and malware threats, sign up for free Cofense Threat Alerts. 



‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

CISO Summary

Cofense Intelligence™ has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan.

Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns.

Technical controls can help combat this threat, for example, blocking connections to TOR nodes and inspecting network traffic for connection attempts. More proactively, educate end users on evolving phishing tactics.

Full Details

Cofense Intelligence™ has analyzed a phishing campaign delivering a banking trojan and targeting Russia and neighboring countries. Read The Manual (RTM) Bot is created by a cyber group known by the same name. The RTM group is targeting the financial departments within different industry sectors. This modular banking trojan has many unique features, such as stealing data from accounting software and harvesting smart card information. This newest version uses The Onion Router (TOR) communication protocol. These campaigns are typically written in Cyrillic and use the Monthly Payment lure. Figure 1 shows an email associated with this campaign.

Figure 1: An email associated with this phishing campaign

RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine. Figure 2 shows the accounting software strings found in the memory of this sample.

Figure 2: Strings associated with accounting software

Some accounting software requires the use of a smart card to authenticate to the software and access data associated with it. RTM Bot attempts to locate these smart card readers by scanning the registry and attached devices. If a smart card is found, the banking trojan then interacts with the Winscard API function to harvest information. The harvested information is then held within the memory buffer until it is sent to the C2. Figure 3 shows some memory strings associated with the smart card search and API interaction.

Figure 3: Memory strings associated with the smart card search and API interaction

Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine. Figure 4 shows the GET request.

Figure 4: The GET request for the external IP of the machine

Other values collected by RTM Bot during the fingerprinting of the machine include:

  • Username
  • Machine name
  • Logged on user privileges
  • OS version
  • Anti-virus installed
  • Time zone
  • Default language

Previous iterations of this malware used Blockchain Domain Name Services (BDNS) for their C2 infrastructure. The biggest change in the new version is the switch to The Onion Router (TOR) communication protocol for its C2 infrastructure. Note that RTM Bot does not install a TOR client. Instead, it uses the onion libraries, often referred to as TOR SOCKS. By not installing a client onto the machine, RTM Bot reduces its chances of being detected by anti-virus products that watch for changes to the operating system (OS). Figure 5 shows memory strings associated with the TOR C2 infrastructure.

Figure 5: Memory strings associated with the TOR C2 infrastructure

Using the TOR protocol for communication helps threat operators in several ways. First, the communication is encrypted at the application layer of the OSI model, which adds an extra layer of encryption to the traffic. Second, the TOR network affords the threat actors anonymity. Data is passed through a chain of relay points using layers of encryption; each relay decrypts one layer, which reveals only the next hop, and forwards the packet accordingly. No single relay knows both the original source and the final destination of the packet. This routing scheme hinders eavesdropping, because no relay can see the end-to-end connection, and the multiple layers of encryption obscure the content in transit.

RTM Bot has many of the common capabilities of banking trojans, including keylogging and screen captures. The malware can be pre-compiled with modules, or it can download and execute modules as instructed by the C2. The RTM cyber group focuses on financial departments within businesses in specific countries but can very easily shift its aim.

The newest version using the TOR communication protocol shows the group is actively developing this banking trojan for the future. Blocking connections to TOR nodes and inspecting network traffic for connection attempts will help mitigate the exfiltration of information. However, educating end users about phishing campaign threats and maintaining the threat knowledge base is the key to avoiding these threats.
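The two network behaviours described above, the external-IP lookup to myip.ru and the Tor-based C2, can be hunted for in proxy or firewall logs. This is an added example, not code from Cofense or from the malware; the log lines and the relay address list are constructed placeholders, and in practice the relay set would come from a current Tor relay feed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): time src dst dst_port method url
SAMPLE_LOGS = """\
2019-02-01T09:12:01Z 10.0.0.15 203.0.113.10 80 GET http://myip.ru/index_small.php
2019-02-01T09:12:05Z 10.0.0.15 198.51.100.7 9001 CONNECT -
2019-02-01T09:13:40Z 10.0.0.22 203.0.113.20 443 GET https://example.com/index.html
2019-02-01T09:14:02Z 10.0.0.15 198.51.100.7 443 GET http://zzzzzzzzzzzzzzzz.onion/gate.php
"""

def refang(value):
    """Turn a defanged indicator (hxxp://a[.]b) back into a matchable URL."""
    return value.replace("hxxp", "http").replace("[.]", ".")

# The external-IP lookup URL quoted in the report, refanged for matching
IP_LOOKUP_URLS = {refang("hxxp://myip[.]ru/index_small[.]php")}
# Placeholder relay addresses (assumption); replace with a current Tor relay list
TOR_RELAYS = {"198.51.100.7"}

def classify(line):
    """Return (source IP, set of reasons) for one log line."""
    _ts, src, dst, _port, _method, url = line.split(maxsplit=5)
    reasons = set()
    if url in IP_LOOKUP_URLS:
        reasons.add("external-ip-lookup")      # fingerprinting step before exfiltration
    if dst in TOR_RELAYS:
        reasons.add("tor-relay")               # direct connection to a known relay
    host = urlsplit(url).hostname
    if host and host.endswith(".onion"):
        reasons.add("onion-address")           # hidden-service C2 address in a URL
    return src, reasons

def detect(log_text):
    """Aggregate reasons per internal source address across the whole log."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, reasons = classify(line)
        if reasons:
            findings[src] |= reasons
    return dict(findings)

def prioritize(findings, min_reasons=2):
    """Hosts showing more than one of the behaviours warrant a closer look first."""
    return sorted(src for src, reasons in findings.items() if len(reasons) >= min_reasons)
```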

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

CISO Summary

Cofense Intelligence™ has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot.

Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to educate employees by simulating phishing emails containing diverse malware threats.

Full Details

Cofense Intelligence™ analyzed a phishing campaign that delivered an all-in-one ransomware/cryptominer/stealer/worm/keylogger called Lime Remote Administration Tool (RAT). Lime RAT’s code is written in C# and is dependent on .NET 4.0. Lime RAT is part of a malware library which includes Lime_Miner, Lime_Crypter, and Lime_USB. This malware is open source and touts itself as a teaching tool for .NET malware. But being feature-rich and well-documented, Lime RAT can also be used for nefarious actions by malicious operators.

An interesting feature of this malware family is the use of multiple ports for communication, which establishes redundancy for the communication channels. The initial setup of the Lime RAT building platform and panel needs only two things: port numbers and an AES (Advanced Encryption Standard) 128-bit encryption key. Each port number is used to open a listener on the server. The AES key is used to encrypt all communication between the client and the server. Figure 1 shows the initial setup pane with the ports and AES key.

Figure 1: Setup process for Lime RAT

The builder for the payloads is simply comprised of checkboxes and text input fields that even the most novice operators can use to produce effective, malicious binaries. This panel allows you to customize the payload with different features and icons. It also allows you to set the Command and Control (C2) infrastructure and the location for the persistent drop file on the targeted machine. Figure 2 shows the features available to customize each payload, including the anti-virtual machine option.

Figure 2: Features available to the Lime RAT payloads

When the Lime RAT payload has been created, sent to, and executed on a target machine, the binary connects to the panel. On connecting, the client sends the control panel details about the operating system, CPU, user, country, and more. The control panel gives the option to automatically assign a task to the client, for example, downloading and executing a specific file. Figure 3 shows the control panel populated with information from the connected client, while Figure 4 shows the ‘OnConnect’ automatic tasking panel.

Figure 3: Control panel view of an infected client machine connected to the C2 infrastructure

Figure 4: ‘OnConnect’ automatic tasking options

The control panel allows the operator to manipulate the target by right-clicking on the selected machine and choosing a command. This is where the operator can specify the method of attack: initiate the encryption for ransomware, drop a Monero miner, enable Remote Desktop Protocol (RDP), steal information/cryptocurrency, and more. Figures 5 and 6 show the options available to the operator for a given target.

Figure 5: Ransomware and other plugins for the target machine

Figure 6: Keylogging and persistence options for the targeted machine

The ransomware feature lets you customize the message as well as the image displayed. When the targeted host is encrypted with the ransomware aspect of this RAT, the file extensions are turned to ‘.Lime’. Figure 7 shows the customizable message and default image that displays to the client after the encryption has been initiated.

Figure 7: Lime RAT’s default ransomware message

The keylogging feature is not very advanced in what it collects. It can only collect what is entered by the keyboard and not what is auto-filled or added from the clipboard. The keylogger output does show a timestamp and which application the text was written in. Figure 8 shows the control panel output of a running keylogger module on a client infected with Lime RAT.

Figure 8: Collection of text from the keylogger module

As shown earlier in Figure 2, Lime RAT can spread like a worm. When the payload is built, the operator can specify that the ‘USB spreading’ and ‘pinned task bar application spreading’ features be included within the payload. The USB spreading feature looks for any connected type 2 device and then attempts to replace any file with an executable version of Lime RAT. When doing this, Lime RAT keeps the original icon of the file that has now been infected. The spreading through the pinned task bar applications takes it one step further by replacing the shortcut path to which those icons are linked.
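Because the USB spreading feature swaps files for executables that keep the original icon, a useful triage check on a removable drive is to compare each file's content with what its name claims, and to look for the ‘.Lime’ extension the ransomware module leaves behind. This is an added example and not part of Lime RAT or any Cofense tooling; the content-versus-extension check is our own approach, and the sample drive contents are constructed in a temporary directory.

```python
import os
import tempfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def is_pe(path):
    """True if the file starts with the DOS/PE 'MZ' magic bytes."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def classify_file(path):
    """Return the list of reasons a file looks like a Lime RAT artefact."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext == ".lime":
        reasons.append("lime-ransomware-extension")        # renamed by the ransomware module
    if ext not in EXEC_EXTS and is_pe(path):
        reasons.append("pe-with-non-executable-extension")  # executable hiding behind a document name
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        reasons.append("double-extension")                  # report.pdf.exe style masquerade
    return reasons

def scan(root):
    """Walk a mounted drive and map relative path -> reasons for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = classify_file(path)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def build_sample_drive():
    """Constructed sample removable-drive contents (harmless stand-in bytes, not malware)."""
    drive = tempfile.mkdtemp(prefix="usb_")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    samples = {
        "report.pdf": fake_pe,               # PE masquerading as a PDF
        "notes.txt": b"meeting notes",       # untouched document
        "photo.jpg.exe": fake_pe,            # double extension
        "invoice.docx.Lime": b"\x13\x37" * 8,  # encrypted by the ransomware module
        "setup.exe": fake_pe,                # plain executable, not flagged by these rules
    }
    for name, data in samples.items():
        with open(os.path.join(drive, name), "wb") as f:
            f.write(data)
    return drive
```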

The ‘Thumbnail’ tab (Figure 9) within the control panel of Lime RAT is a screengrab of the infected machine. This screengrab can be turned on or off and has a timer that defaults to 5 seconds between screen grabs.

Figure 9: ‘Thumbnail’ tab that holds the screen grabs of the infected machines

Logging in Lime RAT is not nearly as advanced as we’ve seen in other RATs. As shown in Figure 10, the ‘Logs’ tab only records timestamps and IPs of connections and disconnections.

Figure 10: ‘Logs’ tab and the connections made

Lime RAT is an open source, well documented, .NET framework malware suite with multiple features that make it devastating when properly used. The ability of this malware to steal a wide range of valuable information, encrypt for ransom, and/or turn the target host into a bot with basic capabilities, combined with an intuitive control panel display, makes it a likely choice for novice operators. The anti-virus evasion, anti-virtual machine feature, small footprint, and encrypted communications would appeal to threat actors across the capability spectrum. The number one way to keep multi-purpose threats like Lime RAT from infecting a machine via a phishing campaign is to educate the end user on suspicious emails and attachments.

To stay ahead of emerging phishing and malware trends, sign up for a FREE 90-day trial of Cofense Intelligence.

For more recent information on Lime RAT, see the blog post, New Mass Logger Malware Could Be Massive.



The Vjw0rm Malware Does It All. Here’s What to Watch For.

CISO Summary 

It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. Cofense™ has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

CISO Summary

Cofense Intelligence™ is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation).

Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables.

While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure hosted in Cloudflare CDNs (figures 2-4 below). Last month, Cofense Intelligence reported that Cloudflare domains were being abused by threat actors to launch malware attacks on finance departments.

Why is this a problem?

If part of your cyber defense strategy is using a web gateway to prevent employees from visiting non-categorized sites, or blocking based on a threat intelligence feed of known C2 hosts, you can’t practically block access to a CDN without disrupting Internet-reliant business processes.

CISOs should make sure their SOCs are aware of the problem when reviewing suspicious emails reported by employees. While we wait for traditional cyber perimeter controls to catch up to this threat, a phishing training and reporting program (see Cofense PhishMe™ and Cofense Reporter™), plus a phishing-specific response capability (see Cofense Triage™ and Cofense Vision™), is the last line of defense.

Full Details

Malware operators continue to use domain fronting to bypass security measures and reach their command and control (C2) infrastructure hosted on content delivery networks (CDN). This C2 communication technique is difficult to defend against because of the large overhead required and the strong reliance on CDNs. Certain CDN providers have recently changed their network schemes and policies in response to this threat; however, domain fronting is still possible through some of the minor CDN hosts.

Domain fronting is the exploitation of an encrypted connection to a CDN to gather web resources otherwise blocked by network security measures.

  • First, the client opens a TLS connection to a legitimate domain (the front domain); the front domain’s name appears in the clear in the TLS handshake, in the server name indication (SNI).
  • Second, network security measures inspect that clear-text handshake and see only the front domain.
  • Third, once the TLS (SSL) session is established, the HTTP request inside it is encrypted, allowing the contents of the traffic to bypass inspection.
  • Finally, the CDN’s server reads the HTTP Host header inside the encrypted request to decide which site’s resources to return.

For this technique, the HTTP Host header is set to a nefarious site hosted on the same CDN. Because the manipulated Host header travels inside the encrypted traffic, the connection bypasses network security measures that do not decrypt the traffic.

For domain fronting to work, the nefarious site and the legitimate site must both be hosted by the same CDN. Pulling resources from another site works because of the CDN’s internal networking: the edge server that accepted the connection can route the request to other parts of the same hosting environment. This technique is also used with The Onion Router (TOR) node bridges and the meek protocol. The Russian hacker group that breached the Democratic National Committee in 2016, APT29, also known as Cozy Bear, used the TOR meek protocol for their C2 infrastructure communication. Figure 1 gives an overview of this technique.

Figure 1: Technique of domain fronting to bypass inspection.

Google and Amazon CDNs mitigated this technique by preventing any routing from one owner’s site to another. This is done by matching the HTTP Host header against the server name indication (SNI) of the original request, and was implemented in late April and early May 2018. Since then, Cofense Intelligence has seen an increase in the number of phishing campaigns delivering malware in which the C2 was hosted by Cloudflare.
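The SNI/Host relationship behind both the technique (steps above) and the CDN-side mitigation can be captured in a few lines, both as the edge rule the CDNs adopted and as a detection run over records from a TLS-inspecting proxy. This is an added example, not code from Cofense or from any CDN; it assumes a proxy that logs the clear-text SNI alongside the decrypted Host header, and the records and domain names are constructed.

```python
# Constructed records from a TLS-terminating proxy (not real traffic):
# (client, TLS SNI seen in the clear, HTTP Host header seen after decryption)
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.frontdomain.example", "www.frontdomain.example"),
    ("10.0.0.5", "www.frontdomain.example", "hidden-c2.example"),
    ("10.0.0.9", "static.otherdomain.example", "cdn.otherdomain.example"),
    ("10.0.0.9", "images.site.example", "site.example"),
]

def registrable_domain(host):
    """Approximate the owning domain as the last two labels. A real deployment
    should use the Public Suffix List so names like co.uk are handled (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edge_policy(sni, host):
    """CDN-side rule of the kind the report attributes to Google and Amazon:
    serve the request only when the Host header matches the SNI."""
    return "allow" if sni.lower() == host.lower() else "reject"

def classify(record):
    """Proxy-side detection: grade an SNI/Host mismatch by how suspicious it is."""
    client, sni, host = record
    if sni.lower() == host.lower():
        return None                                  # ordinary request, nothing to flag
    if registrable_domain(sni) != registrable_domain(host):
        verdict = "cross-owner-fronting"             # the classic domain fronting pattern
    else:
        verdict = "same-owner-mismatch"              # still allowed by many CDNs; tune or allow-list
    return (client, sni, host, verdict)

def detect(records):
    """Return every flagged record, keeping the input order."""
    return [finding for finding in map(classify, records) if finding is not None]
```

Cross-owner mismatches are the ones worth escalating; same-owner mismatches are common with legitimate multi-host sites and need local tuning before alerting.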

Figure 2 shows the contrast in Cloudflare C2 seen used by malware before and after May 2018, when Google and Amazon imposed barriers to such activity on their CDNs.

Figure 2: Analyzed C2’s hosted on Cloudflare before and after May 2018.

Figure 3 shows the breakdown of malware families that have used Cloudflare for C2 infrastructure after May of this year.

Figure 3: Malware families utilizing C2’s hosted by Cloudflare since May 2018.

Figure 4 shows the number of different hosts hosted by Cloudflare to which each malware family connects.

Figure 4: Number of C2’s hosted by Cloudflare for each malware family.

Domain fronting has been used by hacktivists and threat actors like APT29 to conceal their malicious activity. CDNs are starting to take the necessary steps to mitigate domain fronting by refusing to route from one owner’s site to another, but the technique persists where a CDN still allows routing among sites belonging to a single owner.

Defending against this type of communication is a heavy lift for the information technology team. Stopping a malicious email campaign within the email security stack before it reaches the end user’s inbox, and training users to identify phish that do reach their inboxes, are key to mitigating evasive techniques like domain fronting.

Learn more about how Cofense stops active phishing threats.

