We are seeing a continuation of the new style AgentTesla malspam campaign again this morning. This still uses a multistage downloader that eventually results in the AgentTesla keylogger / infostealer running on the victim's computer as fileless malware. The initial stage today is a .exe file rather than the word doc / rtf doc we saw on Friday 21 June 2019.
The campaign is abusing the semi-legitimate pastebin alternative https://paste.ee to host the malware as base64 encoded plain txt.
Today's version starts with a .exe file inside the zip attachment. This is a downloader that calls out to https://paste.ee/r/gTKc6, which hosts a base64 encoded dll file that appears to be part of the downloader for the AgentTesla binary. The AgentTesla binary is also downloaded in base64 encoded format, from https://paste.ee/r/9VYgK, and either the original exe file or, more likely, the downloader converts it to a working .exe file. But none of the base64 encoded files, the resulting AgentTesla binary or the downloader dll ever appears on the victim's computer in any format that can be obtained.
tdesignsweater.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims, in exactly the same way as every recipient of these emails. The actual senders are a very well known criminal gang that uses AS209299 VITOX TELECOM in Iceland on 37.49.230.*; today they are using 18.104.22.168. This criminal gang uses multiple different malware families in their campaigns. I frequently see AgentTesla, Hawkeye, Nanocore & Remcos RAT coming from them.
Date: Mon 24/06/2019 06:06
Subject: RE: Request for DOCS aprroval, PO: 500060872 ( SPUCOPINNY)
Attachment: BL & Invoice copy.zip
REF PO: 500060872
Pls find the attached draft BL & Invoice copy for your confirmation.
Pls check and advice.
S.M. Ataur Rahman
Road 06, House 375
D.O.H.S Baridhara, Dhaka, Bangladesh.
Then this downloads another base64 encoded file from https://paste.ee/r/9VYgK (VirusTotal), which is converted to a working .exe (VirusTotal). Unusually here, the base64 encoded files & the resulting .exe are different sizes, so something funky is going on here as well.
The AgentTesla binary never actually appears on the victim's computer and must be running in memory somewhere.
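A defender-side check for the behaviour described above, added here as an example and not code from the original post: it scans fetched plain text (such as a paste.ee download) for base64 runs that decode to an MZ/PE image and reports encoded versus decoded sizes. The embedded sample paste is a constructed MZ/PE-shaped stub, not one of the files from this campaign.

```python
import base64
import binascii
import re
import struct
from typing import Dict, List

# Constructed sample: a minimal MZ/PE-shaped blob (not a real or runnable binary),
# encoded as base64 plain text and wrapped at 76 columns the way a paste site shows it.
_STUB = bytearray(0x60)
_STUB[0:2] = b"MZ"                          # DOS header magic
struct.pack_into("<I", _STUB, 0x3C, 0x40)   # e_lfanew -> offset of "PE\0\0"
_STUB[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PASTE = base64.encodebytes(bytes(_STUB)).decode()

# A run of base64 alphabet characters, allowing the line wrapping pastes use.
_B64_RUN = re.compile(r"[A-Za-z0-9+/=\s]{64,}")


def _clean(chunk: str) -> str:
    """Strip whitespace and restore any padding a paste may have dropped."""
    s = re.sub(r"\s+", "", chunk)
    return s + "=" * (-len(s) % 4)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(text: str) -> List[Dict[str, int]]:
    """Return one record per base64 run in text that decodes to a PE image.

    Each record carries the text offset plus encoded and decoded sizes, so the
    analyst can compare the paste size with the executable it turns into.
    """
    hits = []
    for m in _B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(_clean(m.group()), validate=True)
        except (binascii.Error, ValueError):
            continue                        # prose or damaged run, not base64
        if looks_like_pe(blob):
            hits.append({"offset": m.start(), "encoded_len": len(m.group()),
                         "decoded_len": len(blob)})
    return hits
```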
All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and other organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
|IP|City|Region|Country|ASN|
|220.127.116.11|Reykjavík|Höfuðborgarsvæðið|IS|AS209299 VITOX TELECOM|
Received: from [18.104.22.168] (port=52456 helo=gmail.com) by my email server with esmtp (Exim 4.92) (envelope-from <email@example.com>) id 1hfHAd-0004Lk-EG for firstname.lastname@example.org; Mon, 24 Jun 2019 06:05:35 +0100
From: email@example.com
To: firstname.lastname@example.org
Subject: RE: Request for DOCS aprroval, PO: 500060872 ( SPUCOPINNY)
Date: 23 Jun 2019 22:05:34 -0700
Message-ID: <20190623220534.D28CDA73A29B22F4@tdesignsweater.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_8218B1D4.884F2195"
Main object: "bob.exe"
Dropped executable file: C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
sha256: 32b60d7bba22cc1682f4ba651d86c9fb357bdc82e9a284ab9668e5446bd24bb3