{"id":10400,"date":"2019-06-25T11:02:48","date_gmt":"2019-06-25T11:02:48","guid":{"rendered":"https:\/\/nftsgary.com\/?p=121"},"modified":"2019-06-25T11:02:48","modified_gmt":"2019-06-25T11:02:48","slug":"more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle\/","title":{"rendered":"More AgentTesla Keylogger And Nanocore RAT In One Bundle"},"content":{"rendered":"

We are seeing yet more AgentTesla malspam this morning. Today\u2019s campaign is somewhat different from the usual: the ISO attachment drops a Nanocore RAT, and it is the Nanocore RAT that then downloads the AgentTesla keylogger. After a bit of digging around, an open directory listing on the AgentTesla download site led us to another multi-stage JavaScript downloader that delivers what looks like Dunihi \/ Houdini \/ H-worm and WSHRAT along with more Nanocore, or at least something using the same C2 and download structure as recent Nanocore samples.<\/p>\n

Once again the scumbags sending these are using ISO attachments, which are generally very badly detected by antivirus, mail scanners and perimeter defences. Many AV and \u201cnext gen\u201d anti-malware products do not routinely scan inside an ISO file but rely on detecting the executable once it has been extracted. This is one of the few file types you are actually slightly safer with on Windows 7 than on a newer Windows.<\/p>\n

You need a third-party extraction (unzipping) program to extract the executable content from the container. WinZip and WinRAR, along with several other third-party unzipping tools, do handle ISO files but are not set to open them by default, so it takes a few clicks from you. Windows 7 will natively try to open the ISO in Windows Disc Image Burner and copy it to a CD\/DVD for you, whereas the more modern and \u201csafer\u201d Windows 8.1 and Windows 10 will normally offer to mount the ISO, that is, open it as a virtual CD drive so the .exe file is shown in File Explorer ready for you to click on and run. While the exe file stays inside the ISO container it is safe and will not harm you, and it should not run automatically when the image is mounted.<\/p>\n

Many ISOs do carry an auto-run command (an autorun.inf in the image root; Microsoft\u2019s own Windows 10 and Office downloads, for example), but I can\u2019t see one in these.<\/p>\n
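The mounting behaviour above is exactly why a mail gateway should look inside the container itself rather than wait for an endpoint AV to see the extracted file. The following is an added example, not code from the original post: a Python inspector that parses the ISO 9660 and Joliet structures directly (no mounting), lists every file, reads its first bytes and flags anything that is a PE or hides behind a document-looking double extension such as the NEW_PO_1205356266,pdf.exe in this campaign. The sample image, its file name and its fake MZ stub are constructed by build_sample_iso(); the executable and lure extension lists are my own choices, not something the post specifies.

```python
# Added example, not code from the original post: a gateway-side inspector that
# parses an ISO 9660 / Joliet image directly (no mounting), lists the files,
# reads their first bytes and flags executables hiding behind a document-looking
# name. The image it runs on is constructed by build_sample_iso() below.
import hashlib
import struct

SECTOR = 2048
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")   # UCS-2 level 1..3 markers in an SVD
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".hta", ".lnk", ".ps1")          # my list, not the post's
LURE_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png")

def _le32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _dir_record(buf, off, joliet):
    """Decode one directory record; None on the zero padding that ends a sector."""
    rec_len = buf[off]
    if rec_len == 0:
        return None
    lba, size, flags = _le32(buf, off + 2), _le32(buf, off + 10), buf[off + 25]
    ident = bytes(buf[off + 33:off + 33 + buf[off + 32]])
    if ident in (b"\x00", b"\x01"):                     # "." and ".." entries
        name = "." if ident == b"\x00" else ".."
    else:                                               # strip the ";1" version suffix
        name = ident.decode("utf-16-be" if joliet else "ascii").split(";")[0]
    return rec_len, name, lba, size, bool(flags & 0x02)

def _walk(img, lba, size, joliet, prefix, out):
    data = img[lba * SECTOR:lba * SECTOR + size]
    off = 0
    while off < len(data):
        rec = _dir_record(data, off, joliet)
        if rec is None:                                 # records never span sectors
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec_len, name, child_lba, child_size, is_dir = rec
        off += rec_len
        if name in (".", ".."):
            continue
        if is_dir:
            _walk(img, child_lba, child_size, joliet, prefix + "/" + name, out)
        else:
            out.append((prefix + "/" + name,
                        img[child_lba * SECTOR:child_lba * SECTOR + child_size]))

def list_iso(img):
    """[(path, bytes)] for every file. The Joliet tree is preferred because it
    carries the long name the victim sees in File Explorer."""
    root, joliet, sector = None, False, 16
    while True:
        vd = img[sector * SECTOR:(sector + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 image")
        if vd[0] == 255:                                # volume descriptor set terminator
            break
        if vd[0] == 1 and root is None:                 # primary volume descriptor
            root = vd[156:190]
        elif vd[0] == 2 and vd[88:91] in JOLIET_ESCAPES:  # Joliet supplementary descriptor
            root, joliet = vd[156:190], True
        sector += 1
    if root is None:
        raise ValueError("no primary volume descriptor")
    files = []
    _walk(img, _le32(root, 2), _le32(root, 10), joliet, "", files)
    return files

def triage_iso(img):
    """One finding per file: sha256 plus the reasons a gateway should block it."""
    findings = []
    for path, data in list_iso(img):
        name = path.rsplit("/", 1)[-1].lower()
        stem = name.rsplit(".", 1)[0]
        reasons = []
        if data[:2] == b"MZ":
            reasons.append("PE header (MZ)")
        if name.endswith(EXEC_EXT):
            reasons.append("executable extension")
        if any(stem.endswith(sep + ext) for sep in ".,_-" for ext in LURE_EXT):
            reasons.append("double extension lure")     # e.g. NEW_PO_...,pdf.exe
        findings.append({"path": path, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(), "reasons": reasons})
    return findings

def build_sample_iso(short_name, long_name, payload):
    """Constructed single-file ISO 9660 + Joliet image (sample data only).
    Sectors: 16 PVD, 17 Joliet SVD, 18 terminator, 19/20 root dirs, 21 file."""
    pvd_root, jol_root, file_lba = 19, 20, 21

    def rec(ident, lba, size, flags):
        r = bytearray(33)
        r[2:10] = struct.pack("<I", lba) + struct.pack(">I", lba)       # both-endian LBA
        r[10:18] = struct.pack("<I", size) + struct.pack(">I", size)    # both-endian length
        r[25] = flags                                                   # 0x02 = directory
        r[28:32] = struct.pack("<H", 1) + struct.pack(">H", 1)          # volume sequence no.
        r[32] = len(ident)
        r += ident + (b"\x00" if len(ident) % 2 == 0 else b"")          # pad to even length
        r[0] = len(r)
        return bytes(r)

    def directory(self_lba, ident):
        d = rec(b"\x00", self_lba, SECTOR, 2) + rec(b"\x01", self_lba, SECTOR, 2)
        return (d + rec(ident, file_lba, len(payload), 0)).ljust(SECTOR, b"\x00")

    def descriptor(vtype, root_lba, escape=b""):
        vd = bytearray(SECTOR)
        vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
        vd[88:88 + len(escape)] = escape
        if vtype != 255:
            vd[156:190] = rec(b"\x00", root_lba, SECTOR, 2)                # root directory record
        return bytes(vd)

    return (bytes(SECTOR * 16) + descriptor(1, pvd_root) + descriptor(2, jol_root, b"%/E")
            + descriptor(255, 0) + directory(pvd_root, short_name.encode("ascii") + b";1")
            + directory(jol_root, (long_name + ";1").encode("utf-16-be"))
            + payload.ljust(SECTOR, b"\x00"))

if __name__ == "__main__":
    sample = build_sample_iso("NEW_PO_1.EXE", "NEW_PO_1205356266,pdf.exe",
                              b"MZ\x90\x00" + b"\x00" * 60)                   # fake PE stub
    for f in triage_iso(sample):
        print(f["path"], f["size"], f["sha256"][:16], f["reasons"])
```

Run against a real attachment with `triage_iso(open(path, "rb").read())`. The parser deliberately checks the first bytes of each file rather than trusting the name, which is what catches the ".tar.gz" files later in this post that are really PE files; the Joliet tree is walked in preference to the primary one because that is where the deceptive long name lives.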


Jabil.com has not been hacked or had its email or other servers compromised. They are not sending the emails to you; they are innocent victims in exactly the same way as every recipient of these emails. I first saw the sending IP \/ server being used yesterday in a fake DHL campaign delivering a very similar JS downloader contacting many of the same sites.<\/p>\n

From:<\/strong> \u201cAmanda Guimar\u00e3es\u201d <AMANDA_GUIMARAES@Jabil.com>
\nDate:<\/strong> Mon 24\/06\/2019 22:05
\nSubject:<\/strong> FYI New Order #PO1205356266, Brazil
\nAttachment:<\/strong> NEW_PO_1205356266,pdf.iso<\/p>\n

Body Content<\/strong>:<\/h3>\n

Dear security,<\/em><\/p>\n

We are really interested in your products could you please kindly check attached?<\/em>
\nour new trial\u00a0order\u00a0please quote and\u00a0confirm to us estimated delivery time to brazil.<\/em><\/p>\n

Thank you,<\/em>
\nAmanda Guimar\u00e3es<\/strong><\/em>
\nBuyer<\/em>
\nBelo Horizonte Site<\/em>
\nDesk: +55(31) 2103 \u2013 9312<\/em>
\nRod. Fern\u00e3o Dias, Km 490, br381, Jardim das Alteroras<\/em>
\n32670-790, Betim, MG, Brasil<\/em><\/p><\/blockquote>\n

Malware Details:<\/strong><\/h4>\n

NEW_PO_1205356266,pdf.iso ( VirusTotal<\/a> ) extracts to NEW_PO_1205356266,pdf.exe ( VirusTotal<\/a> | Anyrun ), which is the Nanocore binary. The C2 for this Nanocore is microsoft.btc-crypto-rewards.cash (160.202.163.246).
\nThis downloads and auto-runs the AgentTesla binary (2oxEJ50zPS4Wsdb.exe fetched from mechanicaltools.club and dropped locally as windowsdefender.exe, according to the IOC list below)\u00a0
VirusTotal<\/a> | Anyrun<\/a> |<\/p>\n

The C2 \/ SMTP exfiltration for this AgentTesla is smtp.vivaldi.net<\/strong> 82.221.130.149, but I can\u2019t easily determine the email address of the miscreant.<\/p>\n
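Two things in the traffic above are worth turning into detections: the Nanocore infrastructure, which is a plain IOC match, and the AgentTesla exfil, which is better caught behaviourally because the attacker simply abuses a legitimate mail provider. The detection below is an added example, not the post's own tooling. It hard-codes only the hosts the post names (the download site, the Nanocore C2 domain and IP, its port 9966 /is-ready beacon and the second-stage hosts from the IOC list) and adds one behavioural rule: a workstation that looks up its own public IP via checkip.amazonaws.com and then speaks SMTP directly to a server that is not the corporate relay. The log lines, the 10.0.0.x hosts and the relay address 10.0.0.5 are all constructed for the example.

```python
# Added example (not from the original post): IOC plus behavioural detection
# for the Nanocore / AgentTesla traffic described above, run over constructed
# log lines. Only the hosts the post names are hard-coded.
from datetime import datetime, timedelta

IOC_DOMAINS = {"mechanicaltools.club", "microsoft.btc-crypto-rewards.cash",
               "doughnut-snack.live", "unknownsoft.duckdns.org"}
IOC_IPS = {"160.202.163.246"}                     # Nanocore C2 named in the post
NANOCORE_BEACON = (9966, "/is-ready")             # port + path from the IOC list
SMTP_PORTS = {25, 465, 587}
IP_CHECK_HOSTS = {"checkip.amazonaws.com"}        # AgentTesla looks up its public IP first

# Constructed sample export (timestamp then key=value pairs). 10.0.0.15 is the
# infected host, 10.0.0.22 sends normal mail through the corporate relay 10.0.0.5,
# 10.0.0.31 is just browsing. Assumed format, not a real product's.
SAMPLE_LOG = """\
2019-06-24T22:10:01 src=10.0.0.15 type=dns query=checkip.amazonaws.com
2019-06-24T22:10:02 src=10.0.0.15 type=http host=mechanicaltools.club dst=198.54.114.213 dport=80 uri=/download/2oxEJ50zPS4Wsdb.exe
2019-06-24T22:10:09 src=10.0.0.15 type=http host=microsoft.btc-crypto-rewards.cash dst=160.202.163.246 dport=9966 uri=/is-ready
2019-06-24T22:10:40 src=10.0.0.15 type=conn host=smtp.vivaldi.net dst=82.221.130.149 dport=587
2019-06-24T22:11:00 src=10.0.0.22 type=dns query=checkip.amazonaws.com
2019-06-24T22:12:30 src=10.0.0.22 type=conn host=mail.corp.example dst=10.0.0.5 dport=587
2019-06-24T22:13:00 src=10.0.0.31 type=http host=www.example.com dst=198.51.100.7 dport=80 uri=/
"""

def parse_line(line):
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev.get("dport", 0))
    return ev

def detect(lines, mail_relays=frozenset({"10.0.0.5"}), window=timedelta(minutes=10)):
    """Rule 1: any contact with the post's Nanocore / download infrastructure.
    Rule 2: AgentTesla-style exfil, i.e. direct SMTP from a workstation to a
    server that is not one of our relays shortly after a public-IP lookup."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings, last_ip_check = [], {}          # last_ip_check: src -> time of lookup
    for ev in events:
        src, host, dst = ev["src"], ev.get("host", ""), ev.get("dst", "")
        if (host in IOC_DOMAINS or dst in IOC_IPS
                or (ev["dport"], ev.get("uri")) == NANOCORE_BEACON):
            findings.append({"src": src, "rule": "nanocore-infra", "evidence": host or dst})
        if ev["type"] == "dns" and ev.get("query") in IP_CHECK_HOSTS:
            last_ip_check[src] = ev["ts"]
        if (ev["dport"] in SMTP_PORTS and dst not in mail_relays
                and src in last_ip_check and ev["ts"] - last_ip_check[src] <= window):
            delay = int((ev["ts"] - last_ip_check[src]).total_seconds())
            findings.append({"src": src, "rule": "agenttesla-smtp-exfil",
                             "evidence": f"{host or dst}:{ev['dport']} {delay}s after public IP lookup"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The relay allow-list is what keeps the second rule quiet on normal mail clients; without it, any workstation that happens to check its public IP before sending mail would fire, so tune it to your own MTAs before deploying. The IOC rule will go stale as soon as the actors rotate domains, which is why the behavioural one is the more durable of the two.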

When we looked at the AgentTesla download site, mechanicaltools.club, we found an open directory listing with lots of files.<\/p>\n

This domain was only registered yesterday, 24 June 2019, using privacy protection, with Namecheap as registrar and host. The home page is the default Namecheap holding page. It was obviously registered by these criminals for use in malware campaigns.<\/p>\n

This set of files tries to download the same Nanocore that was inside the ISO container. I assume there must have been an email with links that would trigger the download chain. The bad actors have made a bit of an error by starting the chain with an MHT file ( VirusTotal<\/a> ), which only works in Internet Explorer; other browsers display it as plain text and will not offer the next step in the chain.<\/p>\n

The MHT simply downloads mhtexp.hta ( VirusTotal<\/a> ), which in turn downloads and runs mhtexp.js ( VirusTotal<\/a> | Anyrun<\/a> ), a heavily encoded script that downloads and runs these 3 files from doughnut-snack.live: klplu.tar.gz, bpvpl.tar.gz and mapv.tar.gz (file names from the IOC list below). Despite the names they are not compressed archives at all but renamed .exe files, and all three are very well detected on VirusTotal:
\n
VirusTotal<\/a> | Anyrun<\/a> |
\n
VirusTotal<\/a> | Anyrun<\/a> |
\n
VirusTotal<\/a> | Anyrun<\/a> |<\/p>\n

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are simply picked at random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed, picked at random from a long list the bad guys have previously obtained.<\/p>\n

The bad guys choose companies, government departments and other organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n

Email Headers:<\/strong><\/h3>\n\n\n\n\n\n
IP<\/th>\nHostname<\/th>\nCity<\/th>\nRegion<\/th>\nCountry<\/th>\nOrganisation<\/th>\n<\/tr>\n<\/thead>\n
45.14.112.110\u00a0<\/i><\/td>\n<\/td>\nFallings Park<\/td>\nWolverhampton<\/td>\nGB<\/td>\nAS60945 VeloxServ Communications Ltd<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Received: from [45.14.112.110] (port=61347)\n\tby my email server with esmtp (Exim 4.92)\n\t(envelope-from <AMANDA_GUIMARAES@Jabil.com>)\n\tid 1hfW8k-00065U-9j\n\tfor security@myonlinesecurity.co.uk; Mon, 24 Jun 2019 22:04:38 +0100\nFrom: =?UTF-8?B?IkFtYW5kYSBHdWltYXLDo2VzIg==?= <AMANDA_GUIMARAES@Jabil.com>\nTo: security@myonlinesecurity.co.uk\nSubject: FYI New Order #PO1205356266, Brazil\nDate: 24 Jun 2019 14:04:34 -0700\nMessage-ID: <20190624140433.033401D494FDCED4@Jabil.com>\nMIME-Version: 1.0\nContent-Type: multipart\/mixed;\n\tboundary=\"----=_NextPart_000_0012_62826778.96920426\"<\/pre>\n
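The header block tells the whole story once you know which line to trust: the topmost Received line was written by the receiving server, so the 45.14.112.110 it records is where the message really came from, regardless of what the From and envelope-from claim. The script below is an added example, not the post's own code. It parses a copy of the headers quoted above, decodes the RFC 2047 encoded From name, extracts the connecting IP and envelope sender, and evaluates an SPF record against that IP. The SPF record is a hypothetical one using the RFC 5737 documentation range, because this runs offline; in production you resolve the From domain's real TXT record, and the evaluator here only handles ip4/ip6 mechanisms and the all terminator.

```python
# Added example (not from the original post): pull the facts that matter out
# of the header block above. RAW_HEADERS is a copy of the headers quoted in
# the post; HYPOTHETICAL_SPF is a made-up record for illustration only.
import email
import ipaddress
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

RAW_HEADERS = """\
Received: from [45.14.112.110] (port=61347)
\tby my email server with esmtp (Exim 4.92)
\t(envelope-from <AMANDA_GUIMARAES@Jabil.com>)
\tid 1hfW8k-00065U-9j
\tfor security@myonlinesecurity.co.uk; Mon, 24 Jun 2019 22:04:38 +0100
From: =?UTF-8?B?IkFtYW5kYSBHdWltYXLDo2VzIg==?= <AMANDA_GUIMARAES@Jabil.com>
To: security@myonlinesecurity.co.uk
Subject: FYI New Order #PO1205356266, Brazil
Date: 24 Jun 2019 14:04:34 -0700
Message-ID: <20190624140433.033401D494FDCED4@Jabil.com>
MIME-Version: 1.0
"""

# Placeholder record using the RFC 5737 documentation range. In production,
# resolve the TXT record of the From: domain instead of hard-coding anything.
HYPOTHETICAL_SPF = "v=spf1 ip4:192.0.2.0/24 -all"

def connecting_ip(msg):
    """IP that handed the message to our MTA, from the topmost Received header,
    the only one written by a server we control (the rest can be forged)."""
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", top)
    return m.group(1) if m else None

def envelope_from(msg):
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"envelope-from <([^>]+)>", top)
    return m.group(1) if m else None

def spf_check(record, ip):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and the 'all' terminator.
    include/a/mx/redirect need DNS lookups and are not handled here."""
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[q]
        elif term == "all":
            return qualifiers[q]
    return "neutral"                       # no mechanism matched and no 'all'

def triage_headers(raw, spf_record):
    msg = email.message_from_string(raw)
    ip = connecting_ip(msg)
    # decode_header handles the =?UTF-8?B?...?= encoded display name
    display, addr = parseaddr(str(make_header(decode_header(msg["From"]))))
    return {
        "connecting_ip": ip,
        "from_display": display,
        "from_addr": addr,
        "from_domain": addr.rsplit("@", 1)[-1].lower(),
        "envelope_from": envelope_from(msg),
        "spf": spf_check(spf_record, ip) if ip else "none",
    }

if __name__ == "__main__":
    for key, value in triage_headers(RAW_HEADERS, HYPOTHETICAL_SPF).items():
        print(f"{key:15} {value}")
```

Note that envelope-from and header From agree here; spoofers usually make them match, so alignment alone proves nothing. What does is the connecting IP: a Jabil.com message arriving from a UK hosting provider's address with no Jabil relay in the chain is the tell, and any sensible SPF policy for the domain will return fail or softfail for it.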

IOC:<\/strong>
\nMain object- \u201cNEW_PO_1205356266,pdf.iso\u201d
\nsha256 1b80e4d13b53c9fff4caced8bc44c2d61248d55d2cf66fd68a93fa29ccbd17c0
\nsha1 a13c5c54fc89be75623738257ae15bdd34f9fbdb
\nmd5 60e8f75ba8588b97cd31992b2335f750
\nDropped executable file
\nsha256 C:\\Users\\admin\\Desktop\\NEW_PO_1205356266,pdf.exe a96a80d3565e9b2f55c4a9770a4a911fbbdfccf470809c59eda9b1c3b3fbc072
\nmd5 8d46822356da392beb731ceaaf919489
\nsha1 39f832abe4137c97c79eeb174e96b4460b93564a
\nsha256 C:\\Users\\admin\\AppData\\Local\\Temp\\windowsdefender.exe 9a53593239f4f04ca6f28e3eab6c4b51cc869c2b366e322df2d900e75b6c3da0
\nmd5 557b476ea0c8b987f970b9eb3cb52e5f
\nsha1 2e2ba396b8ac8b1044c8058e004fb174e788d6a4
\nDNS requests
\ndomain mechanicaltools.club
\ndomain microsoft.btc-crypto-rewards.cash
\ndomain checkip.amazonaws.com
\nConnections
\nip 198.54.114.213
\nip 185.244.29.22
\nip 160.202.163.246
\nip 52.200.125.74
\nHTTP\/HTTPS requests
\nurl http:\/\/checkip.amazonaws.com\/
\nurl http:\/\/mechanicaltools.club\/download\/2oxEJ50zPS4Wsdb.exe
\nMain object- \u201cbpvpl.tar.gz\u201d
\nsha256 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e
\nsha1 8b1c131f6b9dc1f020a18ab8f4fa3095224adcc9
\nmd5 5a2b62b657782f37eb0f7c27064cffa9
\nDropped executable file
\nsha256 C:\\Users\\admin\\Desktop\\bpvpl.tar.exe 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e
\nMain object- \u201cklplu.tar.gz\u201d
\nsha256 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
\nsha1 37b644ef5722709cd9024a372db4590916381976
\nmd5 7099a939fa30d939ccceb2f0597b19ed
\nMain object- \u201cmapv.tar.gz\u201d
\nsha256 bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28
\nsha1 a988b152469a8b22052377d4127f0a3ee0a92927
\nmd5 c4c6fe64765bc68c0d6fcaf2765b5319
\nMain object- \u201c2oxEJ50zPS4Wsdb.exe\u201d
\nsha256 9a53593239f4f04ca6f28e3eab6c4b51cc869c2b366e322df2d900e75b6c3da0
\nsha1 2e2ba396b8ac8b1044c8058e004fb174e788d6a4
\nmd5 557b476ea0c8b987f970b9eb3cb52e5f
\nDNS requests
\ndomain smtp.vivaldi.net
\ndomain checkip.amazonaws.com
\nConnections
\nip 192.35.177.64
\nip 82.221.130.149
\nip 18.211.215.84
\nHTTP\/HTTPS requests
\nurl http:\/\/checkip.amazonaws.com\/
\nMain object- \u201cmhtexp.js\u201d
\nsha256 27302c2238440ebf93b3e3e6639e9df3586895cc1e236952e300d07353158bc5
\nsha1 290431f521e45f5f2345e314ad89403a6220ff32
\nmd5 86c75fb3cd45155afbed0a537b7b215e
\nDropped executable file
\nsha256 C:\\Users\\admin\\AppData\\Roaming\\kl-plugin.exe 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
\nsha256 C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\ZSVOB39W\\bpvpl.tar[1].gz 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e
\nsha256 C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\WLQBH2R9\\mapv.tar[1].gz bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28
\nDNS requests
\ndomain microsoft.btc-crypto-rewards.cash
\ndomain unknownsoft.duckdns.org
\ndomain doughnut-snack.live
\nConnections
\nip 185.247.228.14
\nip 160.202.163.246
\nip 172.245.14.10
\nHTTP\/HTTPS requests
\nurl http:\/\/microsoft.btc-crypto-rewards.cash:9966\/is-ready
\nurl http:\/\/doughnut-snack.live\/klplu.tar.gz
\nurl http:\/\/doughnut-snack.live\/bpvpl.tar.gz
\nurl http:\/\/doughnut-snack.live\/mapv.tar.gz
\nurl http:\/\/mechanicaltools.club\/download\/2oxEJ50zPS4Wsdb.exe
\nurl http:\/\/mechanicaltools.club\/download\/NEW_PO_1205356266,pdf.exe
\nurl http:\/\/mechanicaltools.club\/download\/mhtexp.hta
\nurl http:\/\/mechanicaltools.club\/download\/mhtexp.js
\nurl http:\/\/mechanicaltools.club\/download\/mhtexp.mht
\nurl http:\/\/mechanicaltools.club\/download\/mhtexp.php
\nmhtexp.mht
\nmd5 381b3624498e29b48464b3251e8c5203
\nsha1 11dfc573ec4c38475c9c58a61ecba24e26358c29
\nsha256 1e4b0aa62e6cebd7991c3c68759032e767c32ad2e07d6ffb11ad7b99c9155a6c
\nmhtexp.hta
\nmd5 5a7727673fbb359f54ce36fcc1faa6df
\nsha1 976a65329869c60c763e58b8986507bf09bd568c
\nsha256 9ecc1efb8b8bf7674dcb579e76b0f7b334068e6ea2ff77fedc8d9a16867da170<\/p>\n","protected":false},"excerpt":{"rendered":"

We are seeing a continuation of even more AgentTesla malspam campaigns again this morning. However today\u2019s is somewhat different to usual and also delivers a Nanocore RAT. Actually the Nanocore RAT is downloading the AgentTesla keylogger. And after a bit of digging around and seeing an Open Directory listing on the AgentTesla download site we…<\/p>\n","protected":false},"author":8,"featured_media":13405,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"taxonomy_info":[],"featured_image_src_large":["https:\/\/myonlinesecurity.co.uk\/wp-content\/uploads\/2022\/03\/Malware-Download.jpg",1000,562,false],"author_info":{"display_name":"Darrel 
Heers","author_link":"https:\/\/myonlinesecurity.co.uk\/author\/darrel-heers\/"},"comment_info":0,"_links":{"self":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/10400"}],"collection":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/comments?post=10400"}],"version-history":[{"count":0,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/10400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media\/13405"}],"wp:attachment":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media?parent=10400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}