In-Depth Examination of the Latest AgentTesla Malware Deployment Using Advanced Fileless Techniques


AgentTesla, a sophisticated Remote Access Trojan (RAT) known for its capability to stealthily steal sensitive information, has evolved with advanced fileless deployment techniques that significantly enhance its evasiveness and effectiveness. Recent findings from SonicWall Capture Labs and other cybersecurity researchers provide detailed insights into these new methods.

Innovative Delivery Methods: AgentTesla now utilizes sophisticated .NET managed code injection methods for its deployment. This process begins with a deceptive Word document sent via email, which prompts the user to enable a VBA macro. This macro then downloads and executes a Rust-compiled executable that injects the AgentTesla payload directly into the process memory using CLR hosting techniques. This technique allows the malware to execute without writing to the disk, evading traditional antivirus detection methods.

Enhanced Evasion Capabilities: To avoid detection, AgentTesla now patches the Event Tracing for Windows (ETW) API and employs custom encryption methods to secure its payload. These tactics are combined with shellcode execution that dynamically resolves critical API functions necessary for further execution.

Persistence and Data Exfiltration: Once established, AgentTesla can capture keystrokes, clipboard data, and take screenshots, which are then exfiltrated using various methods including SMTP. The malware ensures its persistence on the infected system through techniques such as modifying registry run keys.

Command and Control (C2) Communication: AgentTesla has shown the capability to use multiple communication protocols with its C2 servers, including HTTP, SMTP, and FTP. It uses these channels to receive commands and send collected data. The malware has also been noted for using Tor to anonymize its communication, complicating efforts to trace and block its traffic.

Security Measures: Due to the advanced nature of these attacks, organizations are advised to enhance their security posture by keeping security tools updated, investing in security awareness training, and adopting a proactive approach to threat detection. Understanding the intricate mechanisms of such fileless attacks is crucial for defending against them.

These developments signify a considerable shift in the capabilities of AgentTesla, emphasizing the need for advanced defensive strategies against this evolving cyber threat.

Initial Attack Vector: The malware initiates via a VBA macro embedded in a Microsoft Word document. Users are tricked into enabling macros, which then triggers the download of a 64-bit executable compiled in Rust. This executable is designed to execute without writing to the disk, leveraging advanced fileless injection techniques to evade detection.

Payload Delivery and Execution: Once executed, the Rust binary employs CLR (Common Language Runtime) hosting to inject the AgentTesla payload directly into memory. This is achieved by dynamic loading of .NET runtime libraries, allowing the malware to operate discreetly without creating physical files on the disk. The downloaded shellcode, containing the AgentTesla payload, is then executed using techniques like API hashing and custom decryption routines to further obfuscate the process and avoid detection.

Advanced Evasion Techniques: The malware meticulously disables Event Tracing for Windows (ETW) to prevent logging and monitoring of its activities. It patches critical APIs such as “EtwEventWrite” and employs a custom decryption process for the shellcode, enhancing its stealth. The malware also dynamically resolves essential APIs using hashing, a technique that complicates static analysis and detection by security software.

Execution of Malicious Code: The core of the malware’s functionality lies in its ability to execute malicious .NET code in-memory. This is facilitated by CLR hosting, where the malware creates a runtime instance and loads the malicious code into the default application domain of the process. It uses the “CLRCreateInstance” and “ICorRuntimeHost” interfaces to manage the execution environment, ensuring the malicious payload is executed seamlessly within the native process.

Persistence and Data Exfiltration: AgentTesla is known for its capabilities to exfiltrate sensitive data, including keystrokes, system information, and credentials from various applications like Outlook and VPN clients. It employs sophisticated methods to steal and transmit data securely, often using encrypted channels or leveraging the Tor network to anonymize its communications.

Indicators of Compromise (IOCs):

  • MD5 and SHA256 hashes of the document, the downloaded executable, and the injected payload are provided to help identify and trace the malware components involved in this attack.
  • The URLs used by the malware to download the executable and shellcode are crucial for network-level blocking and tracking.

This campaign underscores the necessity for enhanced vigilance and advanced detection capabilities in cybersecurity defenses. Organizations are advised to keep their software updated, educate users on the risks of enabling macros from unknown sources, and deploy advanced threat detection and response systems capable of identifying and mitigating such sophisticated threats.

This detailed analysis highlights the complexity and stealth of the latest AgentTesla malware campaign, emphasizing the continuous evolution of threat actors and the need for proactive security measures.

Detailed Scheme Table: Analysis of the AgentTesla Malware Campaign

This detailed scheme table breaks down the various components and processes involved in the recent AgentTesla malware campaign. The data and processes are organized step-by-step to elucidate the malware’s behavior and techniques.

| Stage | Description | Technical Details | IOCs/Artifacts |
| --- | --- | --- | --- |
| 1. Initial Delivery | Malware is delivered via a VBA macro embedded in a Word document. | The macro triggers the download of a 64-bit Rust binary. | Document MD5: D99020C900069E737B3F4AB8C6947375; SHA256: A6562D8F34D4C25A94313EBBED1137514EED90B233A94A9125E087781C733B37 |
| 2. Payload Download | The Rust binary downloads and executes shellcode containing the AgentTesla payload. | Uses the EnumSystemLocalesA API for execution. Downloads from URL: | Blob MD5: CD485BF146E942EC6BB51351FA42B1FF; SHA256: 02C03E2E8CA28849969AE9A8AAA7FDE8A8B918B5A29548840367F3ECAC543E2D |
| 3. Fileless Execution | Fileless injection of the payload into memory. | Employs CLR hosting and dynamic .NET library loading to avoid writing to disk. | 64-bit downloaded executable MD5: 4521162D45EFC83FA76C4B5C0D405265; SHA256: F00ED06A1D402ECF760EC92F3280EF6C09E76036854ABACADCAC9311706ED97D |
| 4. Evasion Techniques | Disables ETW and patches security functions to evade detection. | Patches EtwEventWrite, AmsiScanBuffer, and AmsiScanString. | Disabling of AMSI and ETW functions. |
| 5. Malicious Code Execution | Executes the decrypted AgentTesla payload in memory. | CLR hosting is utilized to execute the payload within the native process. | Injected AgentTesla payload MD5: 6999D02AA08B56EFE8B2DBBD6FDC9A78; SHA256: 7B6867606027BFCA492F95E2197A3571D3332D59B65E1850CB20AA6854486B41 |
| 6. Final Execution | The shellcode invokes the malware’s main functionality. | Utilizes Invoke_3 to run the entry point of the loaded assembly. | Execution of CLR-managed code in memory. |
| 7. Cleanup | Destroys traces post-execution to avoid detection. | Wipes the MSIL payload and destroys the SafeArray object. | Cleanup of memory-resident artifacts. |
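As an added example (not code from the original post or from the SonicWall analysis it summarizes), the following Python sketches endpoint detection logic for the chain described in the narrative sections above and in this table: a process spawned by Word that loads the CLR runtime although it is not a managed host, and then opens an SMTP or FTP egress connection. The Sysmon-style event records, process names, pids and ports are constructed sample data.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not real telemetry).
# id 1 = process create, 7 = image load, 3 = network connection.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP = r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"   # hypothetical name
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CLR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
EVENTS = [
    {"id": 1, "pid": 4120, "image": WORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5532, "image": DROP, "parent_image": WORD},   # macro child
    {"id": 7, "pid": 5532, "image": DROP, "loaded": CLR},          # CLR hosting
    {"id": 3, "pid": 5532, "image": DROP, "dest_port": 587},       # SMTP egress
    # Benign control: PowerShell is a managed host, so loading clr.dll is normal.
    {"id": 1, "pid": 7001, "image": PS, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 7001, "image": PS, "loaded": CLR},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CLR_RUNTIME_DLLS = {"clr.dll", "mscoree.dll", "coreclr.dll"}
MANAGED_HOSTS = {"powershell.exe", "msbuild.exe", "installutil.exe", "regasm.exe"}
EXFIL_PORTS = {21: "ftp_egress", 25: "smtp_egress", 587: "smtp_egress"}


def base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return one finding per pid that is an Office child process and also
    shows at least one follow-on signal (CLR loaded into a native image, or
    mail/FTP egress), which is the sequence the campaign description gives."""
    tags, image = defaultdict(set), {}
    for e in events:
        image[e["pid"]] = e["image"]
        if e["id"] == 1 and base(e["parent_image"]) in OFFICE_APPS:
            tags[e["pid"]].add("office_child_process")
        elif (e["id"] == 7 and base(e["loaded"]) in CLR_RUNTIME_DLLS
              and base(e["image"]) not in MANAGED_HOSTS):
            tags[e["pid"]].add("clr_hosted_in_native_process")
        elif e["id"] == 3 and e["dest_port"] in EXFIL_PORTS:
            tags[e["pid"]].add(EXFIL_PORTS[e["dest_port"]])
    return [{"pid": pid, "image": image[pid], "indicators": sorted(t)}
            for pid, t in tags.items()
            if "office_child_process" in t and len(t) > 1]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']} {f['image']}: {', '.join(f['indicators'])}")
```

Because the injected payload never touches disk, the hashes in the table only match the document and the dropped executable; the correlation above keys on behaviour (Office parent, runtime load, egress port) so it still fires when those files are rebuilt.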

Explanatory Notes:

  • VBA Macro: A Visual Basic for Applications script embedded in a Word document that automates tasks, in this case, to initiate the malware download.
  • Rust Binary: A compiled program from Rust code known for memory safety, used here to handle the downloading and initial execution of the malware.
  • CLR Hosting: Technique to execute managed .NET code within a native application, enabling the malware to run its payload seamlessly.
  • Fileless Injection: The process of executing malicious code directly in memory without writing any files to disk, enhancing stealth.
  • ETW (Event Tracing for Windows): A Windows capability for logging and tracing; disabling this avoids detection by monitoring tools.
  • AMSI (Antimalware Scan Interface): A Windows interface that lets security software scan scripts and in-memory content for malicious material; patching its functions helps the malware evade detection.
  • SafeArray: A data structure used in COM programming to encapsulate arrays; used here to hold the malicious payload bytes handed to the CLR and wiped afterwards.

This detailed scheme aims to provide clarity on each step involved in the AgentTesla malware campaign, highlighting the sophisticated techniques used to ensure successful execution and evasion from security measures.
