Agent Tesla Keylogger Delivered Inside A Power ISO .daa Archive
We never fail to be astonished by the ingenuity of the attempts by malware bad actors to get their malware delivered to their intended victims. However, in many cases, like this one, their attempts spectacularly backfire: only a tiny, minuscule number of recipients will be able to open the malware attachment at all and so stand any chance of being infected. They have used a type of archive that is virtually unknown, and none of the commonly used extraction tools will extract its contents.
They have used a .daa file, which is a proprietary format created by and only used by Power ISO, a program primarily used to create, rip, alter or copy DVD, CD or Blu-ray discs. It does, though, have the ability to create zip files.
I don’t know why anybody would even try to use such a program to create zip files when the simplest way on any Windows computer is to right-click the file and send to compressed folders, unless the skiddie or criminal was using Linux or a Mac and using, or trying to use, the free command-line-only version of Power ISO for Linux or Mac.
Updated: it has been pointed out to me that quite a lot of Agent Tesla (and other malware files) recently have been in .ISO archive format. It is highly probable that the clueless malware apprentice was trying to create an ISO, not a zip, and messed up. That is why he (or she) was using Power ISO.
I am sure there are some users of Power ISO who just possibly might have received a copy of this malware, but the numbers will be so small, probably in the tens rather than the hundreds or thousands. I just cannot see this malware delivery campaign being effective.
What probably happened is that the clueless skiddie sending the malware used Power ISO because he had it on his computer and probably uses it to rip DVDs or Blu-rays, and made a mistake in the settings: instead of creating a zip file, he mistakenly created the .daa proprietary archive that only Power ISO uses.
It might be that this group of criminals is actually trying out the effectiveness of using this sort of proprietary archive format, which will skip past most antivirus filters, in the hope that enough recipients can or will open Power ISO .daa archives. We will probably see other less common proprietary formats being used in future campaigns.
I received this via the submission system yesterday from a German contact, but haven’t had time to create a post about it until now. Thanks to lots of help from various members of the infosec community on Twitter, it was soon extracted and discovered to be Agent Tesla Keylogger / Infostealer.
The .daa attachment does get past most antiviruses. Yesterday there was 1 detection:
VirusTotal Detection of .daa archive
Today it has increased to the grand total of 2:
VirusTotal Detection of .daa archive
However, once you do manage to extract the contents you do get reasonable detections (39/70), although they are all over the place, with just about every detection incorrect as to the actual malware, which is Agent Tesla Keylogger and not Azorult, Fareit, Loki or Nanocore. BUT it is detected as some sort of malware by a high percentage of antiviruses, so it should be blocked on a victim’s computer.
It can be slightly annoying to see what we feel are incorrect detections listed on VirusTotal, which makes it slightly harder for researchers to catalogue or quantify malware campaigns and numbers of victims. It should be said that the job of an Antivirus is to detect and block all forms of malware so to a victim, what the malware is called is not as important as the fact they are protected from the malware itself.
VirusTotal detections of Agent Tesla Keylogger extracted from a .daa archive
The most common method of trying to bypass a spam or malware filtering or protection system is to use password-protected attachments: either Office Word docs, Excel spreadsheets, or an encrypted archive file like a zip, RAR or other common archive.
Antiviruses cannot generally scan inside a password-protected archive or Office file unless the password is known to the AV, and even then they tend not to scan them. Some AV or perimeter protections can be set to try the commonly used passwords like 123, 12345, password, infected or virus on protected archives or docs. This slows down the delivery of email tremendously and greatly increases server load, so most don’t bother.
Another way to try to bypass filters is to use an unusual file extension on a simple archive (zip) file, in the hope that Windows will recognize the file as a zip file and automatically try to open it. This method is more successful on Linux and Mac users, where file extensions are not so important and files can be opened and used based on their file magic, the signature bytes at the start of the file. These operating systems read the first few bytes and, if they see a known file type, will automatically open the file using the correct program.
The third method, which we are seeing much more frequently, is to use much less common archive formats that common extraction tools like Windows’ built-in unzipping tool, WinZip, 7-Zip and WinRAR don’t natively extract. The most common one we see is a .ACE attachment. There are several less commonly used extraction utilities that will open .ACE files, although the most commonly used ones won’t.
The number of recipients that can open .ACE archives is obviously much lower than the bulk of users with Windows’ built-in extraction tool, WinZip, WinRAR or 7-Zip. But there must be enough, because the bad actors continue to use it and must get enough victims to make it worthwhile. The other frequent format that skips past a lot of AV is .ISO. However, all currently supported versions of Windows natively, and every extraction utility that I know of, will extract from .ISO archives.
Revised-Quote.daa (VirusTotal) extracts to: Revised-Quote.exe (current VirusTotal detections | Anyrun)
One of the emails looks like:
From: TAMURA MITSUO <[email protected]>
Date: Mon 18/02/2021 07:25
Subject: REVISED URGENT ORDER #PO8278912…!!!
Attachment: Revised-Quote.daa
Body Content:
Dear Sir/Ma,
Please check above attachments. The requirements are revised please
check and quote at your earliest with minimum prices.
Kindly give an Acknowledgement, If you have receive this email.
*************************************
株式会社米盛鉄工所
YONEMORI IRONWORKS CO.,LTD.
田村三夫
TAMURA MITSUO
TEL:06-6475-2771 FAX:06-6475-1526
*************************************
Screenshot:
Fake order email
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won’t.
Don’t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely for you to accidentally open it and be infected.
Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type that you use every day.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder so you can check it first. Many malicious files that are attached to emails will have a faked extension, that is, the 3 letters at the end of the file name.
Unfortunately, Windows by default hides file extensions, so you need to set your folder options to “show known file types”. Then, when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, or a report in Word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see whether it is a picture or document and not a malicious program.
If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse or .jar at the end of the file name, DO NOT click on it or try to open it; it will infect you.
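As an added example (not code from the original post), here is a small Python triage check of the kind a mail gateway or an analyst’s script could run. It combines the two points made above: it identifies the real file type from the magic bytes at the start of the file rather than trusting the extension, so a .ACE, .daa or .ISO renamed to look like something else is still recognised, and it flags the risky extensions listed above, including double extensions such as invoice.pdf.exe. The signature values are public magic numbers; the sample bytes and file names are constructed for the demonstration.

```python
from typing import List, Optional

# Known leading-byte signatures: label -> (offset, magic). Public values.
SIGNATURES = {
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07"),
    "7z":  (0, b"7z\xbc\xaf\x27\x1c"),
    "ace": (7, b"**ACE**"),        # ACE keeps its marker at byte 7
    "daa": (0, b"DAA\x00"),        # PowerISO Direct Access Archive
    "iso": (0x8001, b"CD001"),     # ISO 9660 primary volume descriptor
    "exe": (0, b"MZ"),             # checked last: least specific
}
UNCOMMON_ARCHIVES = {"ace", "daa"}   # most extraction tools won't open these
RISKY_EXTENSIONS = {"js", "exe", "com", "pif", "scr", "hta",
                    "vbs", "wsf", "jse", "jar"}
# What a given extension is expected to contain (docx/xlsx/jar are zips).
EXPECTED = {"zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
            "rar": "rar", "7z": "7z", "ace": "ace", "daa": "daa",
            "iso": "iso", "exe": "exe", "scr": "exe", "com": "exe"}
LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file's magic bytes, or None."""
    for label, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return label
    return None

def assess_attachment(filename: str, data: bytes) -> List[str]:
    """Return the findings a gateway would log for one attachment."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    sniffed = sniff_type(data)
    if ext in RISKY_EXTENSIONS or sniffed == "exe":
        findings.append("executable")
    if len(parts) > 2 and parts[-2] in LOOKALIKES:
        findings.append("double-extension")      # e.g. invoice.pdf.exe
    if sniffed in UNCOMMON_ARCHIVES:
        findings.append("uncommon-archive:" + sniffed)
    if sniffed and EXPECTED.get(ext) != sniffed:
        findings.append("extension-mismatch:%s-as-%s" % (sniffed, ext or "none"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a .daa header under the attachment name from this post.
    print(assess_attachment("Revised-Quote.daa", b"DAA\x00\x00\x00\x00\x00" + b"\x00" * 32))
```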
While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK.
You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double-click the zip to extract the file. If you right-click any suspicious zip file received and select “extract here” or “extract to folder” (after saving the zip to a folder on the computer), that risk is virtually eliminated.
Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.
IOC: