Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from pastebin.com. This is not a normal TTP for most of the actors who license Agent Tesla for use in their malicious campaigns. To make things more interesting, the paste was not a plain binary: it was the hexadecimal representation of the binary, and obfuscated on top of that.
Figure 1 – The paste converted to binary
The original binary was a .NET PE file delivered inside a RAR email attachment. Inspecting the file with dnSpy, an easy-to-use debugger and assembly editor developed by 0xd4d, reveals that it is obfuscated. Luckily for us, de4dot, another tool developed by 0xd4d, detects the obfuscation as DeepSea and is able to deobfuscate it for us.
Figure 2 – de4dot detects the obfuscation as DeepSea
Now that de4dot has cleaned up the DeepSea-obfuscated .NET code, we can walk the program from its entry point and see where the paste is downloaded and how it is decoded. We quickly find the System.Net.WebClient class being used to download the paste.
Figure 3 – The .NET assembly using WebClient to download the paste
Further inspection of the code identifies the decoding method and the key. The downloaded paste is converted from its hexadecimal text form back to bytes and then XOR decoded with a 32-bit integer key whose value is 25.
Figure 4 – The paste is XOR encoded
Knowing that the XOR key is the 32-bit integer 25, let's see if we can decode this payload with Python so that we can load the result into dnSpy and see what it does.
Figure 5 – Python code to XOR decode the paste
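The decoding described above, as an added example that is not the Figure 5 script from the original post. It assumes the loader XORs the paste byte by byte against the 32-bit integer (so, after the cast back to a byte, only the low byte 0x19 of the key 25 matters), and it goes one step beyond the post by brute-forcing the key when it is unknown, using the MZ/PE header as the oracle. The sample paste is a constructed, harmless stand-in for the real payload, not malware:

```python
import re
from typing import Optional

XOR_KEY = 25  # the 32-bit integer key recovered from the loader, as reported in the post


def hex_paste_to_bytes(paste_text: str) -> bytes:
    """Turn the raw paste (hex digits, possibly wrapped over several lines) into bytes."""
    cleaned = re.sub(r"\s+", "", paste_text)
    if len(cleaned) % 2:
        raise ValueError("paste has an odd number of hex digits")
    return bytes.fromhex(cleaned)


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte against the key.

    Assumption: the loader does `(byte)(b ^ key)` with a 32-bit int key, so the
    high bytes of the key are discarded and only key & 0xFF (25 -> 0x19) matters.
    """
    low = key & 0xFF
    return bytes(b ^ low for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' header and an e_lfanew that points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_key(data: bytes) -> Optional[int]:
    """Generalisation beyond the post: try all 256 single-byte keys and return the
    first one that yields a valid-looking PE header, for pastes with an unknown key."""
    for candidate in range(256):
        if looks_like_pe(xor_decode(data, candidate)):
            return candidate
    return None


def _build_fake_pe() -> bytes:
    """Constructed stand-in for the decoded DLL (not the real payload): a DOS header
    with e_lfanew = 0x80, the usual DOS stub string, and a PE signature at 0x80."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    msg = b"This program cannot be run in DOS mode."
    stub[0x40:0x40 + len(msg)] = msg
    return bytes(stub) + b"PE\0\0" + b"\x4c\x01"  # Machine = IMAGE_FILE_MACHINE_I386


# Constructed sample paste: the fake PE, XOR-encoded with the key and written as
# hex text wrapped at 64 characters, mimicking how the real paste is laid out.
_encoded_hex = xor_decode(_build_fake_pe(), XOR_KEY).hex()
SAMPLE_PASTE = "\n".join(_encoded_hex[i:i + 64] for i in range(0, len(_encoded_hex), 64))


if __name__ == "__main__":
    raw = hex_paste_to_bytes(SAMPLE_PASTE)
    decoded = xor_decode(raw, XOR_KEY)
    print("decoded with known key, PE header present:", looks_like_pe(decoded))
    print("key recovered by brute force:", recover_single_byte_key(raw))
    with open("paste_decoded.bin", "wb") as fh:  # drop the result for dnSpy
        fh.write(decoded)
```

Against a real paste, read the downloaded text into `hex_paste_to_bytes`, decode, and only then open the output in dnSpy; the `looks_like_pe` check catches a wrong key or a truncated paste before you waste time on garbage.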
Perfect: the paste decodes to a .NET DLL. Inspecting the DLL in dnSpy reveals the same functionality and unpacking techniques that have been reported by other researchers.
What caught my eye was a RunPe object in the DLL. RunPE is a process hollowing technique: a malicious PE is injected into a benign process, which then runs the payload while appearing to be that legitimate process. At this point I became curious whether other campaigns were using this paste, or other pastes, as a malware loader.
Lo and behold, this exact paste has been used by many campaigns in the past 30 days, and the malware payloads have included Loki, Agent Tesla, Formbook, and even HawkEye. A second, identical paste was found in a handful of campaigns this week.
Email attachment hashes
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.