Thursday, November 14, 2019

Custom dropper hide and seek

Executive summary

Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users' passwords, track their habits online and hijack personal information.

Cisco Talos has been tracking adversaries behind a wave of ongoing campaigns that drop well-known information stealers such as Agent Tesla, Loki-bot and others since at least January 2019. The adversaries use custom droppers that inject the final malware into common processes on the victim machine. Once the machine is infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we are seeing in the wild are well known and have been in use for many years, but because the adversaries customize them, traditional anti-virus systems have a hard time detecting the embedded malware. In this post, we walk through one of these campaigns in detail and show how the different stages of the dropper hide the malware. Any internet user is a potential target, and an infection can completely strip away a user's online privacy.

Technical overview

The campaigns we analyzed started with a malicious email similar to the one below:
Figure 1 - Phishing email

An ARJ archive is attached to this email. ARJ is an archive format from the early 1990s that was popular on the pirated-software scene. It can split an archive into multiple smaller volumes, which made sharing over dial-up connections easier. ARJ archives can be unpacked with various tools such as 7-Zip or WinRAR, and a user who double-clicks the file is offered a search of the Windows Store for suitable software, so the unfamiliar format is no real obstacle to opening it.

We often see adversaries use old archive formats in the hope of bypassing weak email security gateways. In this case, the archive was not split into multiple volumes and contained only a single executable named "IMP_Arrival Noticedoc.exe". This actor often uses filenames of the form "...<MS Office extension>.exe" so that the name looks like a document. In other campaigns by this adversary we also saw completely different names and file types, such as malicious Office documents acting as first-stage droppers. In this post, we focus on the executable droppers.
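Because the whole point of the ARJ attachment is that the gateway may not unpack it, a useful minimum check is to read the archive's headers, which needs no decompression at all. The Python below is an added example, not Talos code: it walks the ARJ header chain (0x60 0xEA magic, uint16 basic-header size, the basic header, its CRC-32, optional extended headers, then the stored data), lists the entries, and flags executables carrying a document-extension lure in the name, password-protected ("garbled") entries that cannot be scanned, and multi-volume entries whose content is incomplete. Only the fields the check needs are parsed, following the fixed 30-byte header layout from the ARJ technical notes; the archive it builds is constructed in memory and is not the campaign's attachment, and the list of document extensions is an assumption.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"
FILE_TYPE_MAIN = 2       # file_type value of the archive's main header
FLAG_GARBLED = 0x01      # entry is password-protected ("garbled")
FLAG_VOLUME = 0x04       # entry continues in another volume
# Assumption: document extensions this actor puts in front of ".exe".
DOCUMENT_LURES = ("doc", "docx", "xls", "xlsx", "pdf")


def _cstring(buf, pos):
    """Return (text, index after the NUL) for a NUL-terminated field."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in header")
    return buf[pos:end].decode("cp437", "replace"), end + 1


def list_arj(data):
    """Walk every ARJ header without decompressing; one dict per file entry.
    Raises ValueError on truncation or a header whose CRC-32 does not verify,
    since a gateway should not act on a header it cannot trust."""
    if data[:2] != ARJ_MAGIC:
        raise ValueError("not an ARJ archive")
    pos, entries = 0, []
    try:
        while True:
            if data[pos:pos + 2] != ARJ_MAGIC:
                raise ValueError("missing header magic at offset %d" % pos)
            (hdr_size,) = struct.unpack_from("<H", data, pos + 2)
            pos += 4
            if hdr_size == 0:                  # end-of-archive marker
                return entries
            if hdr_size < 30:
                raise ValueError("basic header too short at offset %d" % pos)
            hdr = data[pos:pos + hdr_size]
            (crc,) = struct.unpack_from("<I", data, pos + hdr_size)
            if zlib.crc32(hdr) != crc:
                raise ValueError("header CRC mismatch at offset %d" % pos)
            pos += hdr_size + 4
            while True:                        # extended headers: size, data, CRC
                (ext,) = struct.unpack_from("<H", data, pos)
                pos += 2
                if ext == 0:
                    break
                pos += ext + 4
            first_hdr_size, flags, method, file_type = hdr[0], hdr[4], hdr[5], hdr[6]
            name, after_name = _cstring(hdr, first_hdr_size)
            _cstring(hdr, after_name)          # comment field, ignored
            if file_type == FILE_TYPE_MAIN:    # main header: no data follows
                continue
            packed, original = struct.unpack_from("<II", hdr, 12)
            entries.append({
                "name": name,
                "method": method,              # 0 = stored, 1-4 = compressed
                "compressed_size": packed,
                "original_size": original,
                "garbled": bool(flags & FLAG_GARBLED),
                "multi_volume": bool(flags & FLAG_VOLUME),
                "data_offset": pos,
            })
            pos += packed                      # jump over the file data
    except struct.error:
        raise ValueError("truncated archive")


def suspicious_entries(entries):
    """Gateway triage rules applied to the listing: (name, [reasons])."""
    flagged = []
    for entry in entries:
        lower = entry["name"].lower()
        reasons = []
        if lower.endswith(".exe"):
            reasons.append("executable")
            if lower[:-4].endswith(DOCUMENT_LURES):
                reasons.append("document-extension lure in name")
        if entry["garbled"]:
            reasons.append("password-protected, content not scannable")
        if entry["multi_volume"]:
            reasons.append("multi-volume, content incomplete")
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged


def _block(basic, name, comment=b""):
    """Frame a basic header: magic, size, header, CRC-32, no extended header."""
    body = basic + name + b"\x00" + comment + b"\x00"
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body)) + b"\x00\x00")


def build_sample_arj(payload=b"MZ" + b"\x90" * 62, name=b"IMP_Arrival Noticedoc.exe", flags=0):
    """Constructed single-file archive with the file stored (method 0);
    only the structure matters here, this is not the campaign's attachment."""
    fmt = "<BBBBBBBBIIIIHHH"   # 30-byte fixed part shared by main and file headers
    main = struct.pack(fmt, 30, 11, 1, 0, 0, 0, FILE_TYPE_MAIN, 0, 0, 0, 0, 0, 0, 0, 0)
    file_hdr = struct.pack(fmt, 30, 11, 1, 0, flags, 0, 0, 0,
                           0, len(payload), len(payload), zlib.crc32(payload), 0, 0x20, 0)
    return _block(main, b"sample.arj") + _block(file_hdr, name) + payload + ARJ_MAGIC + b"\x00\x00"
```

Because `list_arj` never inflates anything, it is cheap enough to run on every attachment, and the `data_offset` it returns lets a scanner hand a stored (method 0) entry straight to an executable check.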


Most of the executables are compiled AutoIt scripts, sometimes UPX packed, that can be easily decompiled. Unfortunately, as usual, the script was heavily obfuscated before compilation. Figure 2 shows the decompiled version of the script.
Figure 2 - Decompiled version of the AutoIT script

The deobfuscated version of the AutoIt script in Figures 3 and 4 shows that it starts with some anti-VM checks. These checks have been typical for Agent Tesla campaigns for years; you can often find them in one form or another in the first-stage droppers.
Figure 3 - Start of the deobfuscated AutoIT script
Figure 4 - VM checks of the deobfuscated AutoIT script
If these checks do not find anything, the script decodes the list of font resource names (resource type 8, RT_FONT) from the string in the first parameter ($data) handed over to the DecodeDataFromPEResourceOrString function (Figure 7). In the GetResourcesFromPE function (Figure 6), this parameter is converted into a string and split into the individual font resource names. The result is a list of strings in the following order:
  1. SystemPropertiesDataExecutionPreventionM
  2. Windows.Media.BackgroundPlaybackK
  3. windeployL
  4. LaunchWinAppX
  5. ccaF
  6. CellularAPIQ
  7. MuiUnattendE
  8. RmClientE
  9. ucsvcG
  10. refsutilV
  11. SpeechRuntimeV
  12. DPTopologyAppv2_0N

These font resources are then read from the PE resource section and concatenated into one large binary blob.
Figure 5 - Resource Section of IMP_Arrival Noticedoc.exe
Figure 6 - GetResourcesFromPE Function

The result is stored again in the $data variable (line 245 in Figure 7), and the byte order is reversed by StringReverse(BinaryToString($data)) in line 246. This is the final payload in RC4-encrypted form. The variable $sopcode contains the bytes of the RC4 routine as shellcode. After the shellcode and the encrypted payload have been prepared, the RC4 function is executed in line 262 and decrypts the payload.
Figure 7 - DecodeDataFromPEResourceOrString RC4 Function

The following pictures show the disassembled RC4 shellcode:
Figure 8 - RC4 function ($opcode variable)

After the payload is decrypted, the script calls the final InjectPayloadIntoProcess function to inject the payload into another process. The function offers nine different legitimate processes as injection targets; the adversary selects one by passing the corresponding number to the function.
Figure 9 - Injection victim process selection

In this case, the adversaries picked option one, RegAsm.exe, to hide the payload. The rest of the function is quite similar to what has already been described in other blogs. It prepares the local injection shellcode ($a5_local_shellcode) and executes it in line 211 in Figure 10. As mentioned before, this code finally hides the payload inside the selected legitimate process. The decrypted payload is handed over to this injection shellcode as the last parameter ($a4_payload_code).
Figure 10 - Process Injection code of the AutoIT script

The AutoIt script contains several additional functions that are not used in this campaign, for example functions for the following tasks:
  • Write a file to the TEMP directory and execute it.
  • Download a file from the internet and execute it.
  • Execute a script via the command line.
  • Privilege escalation.

The AutoIt scripts in the different campaigns are always very similar to the one described above; they usually differ only in how the payload is stored. Some scripts extract the payload from the resource section as described above, while others have the encrypted payload stored in a large string inside the AutoIt script (Figure 11). The decoding function shown in Figure 7 is more or less the same, but the $rt parameter is set to -1, which means the GetResourcesFromPE function (Figure 6) does nothing except return the unmodified content of the $data variable, in other words the content of the $payload variable in Figure 11.
Figure 11 - Long String based AutoIT script start
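To make both variants concrete, the following Python is an added re-implementation of the decoding chain described for Figures 6 and 7 (it is not the dropper's AutoIt code): gather the named RT_FONT resources in list order, reverse the byte order, RC4-decrypt; with $rt = -1 the gathering step is skipped and $data is used as the encrypted blob directly. The resource bytes are constructed for the example (from a real dropper they would be read with a PE parser such as pefile), and the RC4 key and the '|' delimiter used to split the name string are assumptions, because the post gives neither the key nor the exact encoding of the name list.

```python
# Resource names as listed in the post, in extraction order.
FONT_RESOURCE_NAMES = [
    "SystemPropertiesDataExecutionPreventionM", "Windows.Media.BackgroundPlaybackK",
    "windeployL", "LaunchWinAppX", "ccaF", "CellularAPIQ", "MuiUnattendE",
    "RmClientE", "ucsvcG", "refsutilV", "SpeechRuntimeV", "DPTopologyAppv2_0N",
]
RT_FONT = 8   # resource type the dropper pulls from; -1 selects the long-string variant


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts, which is
    what the dropper's shellcode does with the reversed blob."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def get_resources_from_pe(data, rt, resources, delimiter="|"):
    """Mirror of GetResourcesFromPE: for rt == RT_FONT split the name string
    (delimiter is an assumption) and concatenate the named resources in
    order; for rt == -1 hand $data back unchanged.  `resources` maps resource
    name to raw bytes, as a PE parser would supply them."""
    if rt == -1:
        return data
    if rt != RT_FONT:
        raise ValueError("unsupported resource type %r" % rt)
    names = [n for n in data.split(delimiter) if n]
    missing = [n for n in names if n not in resources]
    if missing:
        raise KeyError("resources not found in PE: %s" % ", ".join(missing))
    return b"".join(resources[n] for n in names)


def decode_payload(data, rt, key, resources=None, delimiter="|"):
    """Mirror of DecodeDataFromPEResourceOrString: gather, reverse, RC4."""
    blob = get_resources_from_pe(data, rt, resources or {}, delimiter)
    return rc4(key, blob[::-1])   # StringReverse(BinaryToString($data)), then RC4


def pack_payload(payload, key, names):
    """Inverse transform, used only to construct the sample resources here:
    RC4-encrypt, reverse, and spread the blob evenly over the named resources."""
    blob = rc4(key, payload)[::-1]
    chunk = -(-len(blob) // len(names))   # ceiling division
    return {name: blob[i * chunk:(i + 1) * chunk] for i, name in enumerate(names)}


if __name__ == "__main__":
    # Constructed sample: a fake payload, an assumed key, resources built by pack_payload.
    sample_payload = b"MZ" + b"\x00" * 30 + b"constructed payload"
    sample_key = b"assumed-key"
    fake_resources = pack_payload(sample_payload, sample_key, FONT_RESOURCE_NAMES)
    recovered = decode_payload("|".join(FONT_RESOURCE_NAMES), RT_FONT, sample_key, fake_resources)
    print(recovered == sample_payload, recovered[:2])
```

Note that nothing in the chain depends on the resources actually being fonts: RT_FONT is simply a type Windows does not validate when the image is loaded, so arbitrary data can sit there without breaking the executable. That is also why a triage check on font resources that do not start with a font header is cheap and effective against this family of droppers.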

The injection part of these scripts always works more or less the same way; Figure 12 shows an example from another script.
Figure 12 - Long String based AutoIT script injection part


The injected payload is in many cases an obfuscated version of Agent Tesla. The software is capable of stealing credentials from most browsers, email clients, SSH/SFTP/FTP clients and other software; please see the IOC section below for the full list. It supports exfiltration via SMTP, FTP and HTTP. In this case, it only used SMTP. This version is very similar to the one described by Yoroi in the payload section of their blog post, except that it is not obfuscated with any obfuscator recognized by the latest de4dot. Some functions are also slightly modified or reordered, but most of these changes are probably introduced by the obfuscator. We think it is close to the customized Agent Tesla version that has been circulating online for several months.
Figure 13 - AgentTesla

It resolves configuration settings and suspicious strings at runtime, at the point where they are used. The function shown in Figure 14 is implemented in the executable's static class constructor (.cctor). It uses the Rijndael algorithm to decrypt certain large arrays; the offset into the array is chosen based on the integer handed to the function. On the right side of the screenshot, the length of the array section is highlighted in purple.
Figure 14 - Agent Tesla decoding routine

The next screenshot shows the usage at runtime, for example decoding certain parameters for email exfiltration.
Figure 15 - Agent Tesla string obfuscation

The fully deobfuscated version of the function looks like this:
Figure 16 - Agent Tesla email function (deobfuscated)

This is the typical Agent Tesla function that has been in use for years. Interestingly, the obfuscator appears to be customized for this Agent Tesla version, or vice versa: it looks like it fills in variables at the time it obfuscates the original code. In functions that exist in this sample but are never used, and even in a few used ones, some of the hardcoded strings still contain placeholder variables such as %filename%.
Figure 17 - Obfuscator variables


This campaign is another example of what modern malware does to fly under the radar. With the process described in this post, the actors can hide the original malware inside the dropper. The malware is only decrypted at runtime and injected into memory; it is never written to disk in decrypted form. The adversaries use complex droppers that combine several obfuscation techniques to make it as hard as possible for antivirus programs to detect the malware, and these droppers let them quickly and easily swap the final malware between campaigns. Even well-known malware often slips past anti-virus systems when wrapped in these kinds of obfuscation chains.


Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on


Agent Tesla Stealer capabilities found based on decoded strings:
  1. 7Star Browser
  2. Amigo Browser
  3. Apple Keychain
  4. Becky! Internet Mail
  5. Brave Browser
  6. Centi Browser
  7. Chedot Browser
  8. Chrome Browser
  9. Chromium Browser
  10. Citrio Browser
  11. Claws Mail
  12. CocCoc Browser
  13. Comodo Dragon Browser
  14. CoolNovo Browser
  15. Coowon Browser
  16. CoreFTP
  17. Cyberfox Browser
  18. DynDNS client
  19. Elements Browser
  20. Epic Privacy Browser
  21. Eudora Mail
  22. Firefox Browser
  23. FlashFXP FTP client
  24. Flock Browser
  25. Foxmail
  26. FTPCommander
  27. FTPGetter
  28. FTP Navigator
  29. i360 Browser
  30. IceCat Browser
  31. IceDragon Browser
  32. IE/Edge Browser
  33. Incredimail
  34. Internet Download Manager
  35. Iridium Browser
  36. JDownloader
  37. Keylogger
  38. K-Meleon Browser
  39. Kometa Browser
  40. Liebao Browser
  41. Mozilla SeaMonkey
  42. Netgate BlackHawk Browser
  43. NoIP DNS client
  44. Open VPN
  45. Opera Browser
  46. Opera Mail
  47. Orbitum Browser
  48. Outlook
  49. Pale Moon Browser
  50. Paltalk Video Chat
  51. PassWd
  52. Pidgin
  53. PocoMail
  54. QIP Surf
  55. QQ Browser
  56. Safari Browser
  57. Screenshots
  58. Sleipnir 6 Browser
  59. SmartFTP
  60. Sputnik Browser
  61. SRWare Iron Browser
  62. TheBat! Email client
  63. Thunderbird
  64. Torch Browser
  65. Trillian
  66. UC Browser
  67. uCozMedia Uran
  68. Vivaldi Browser
  69. WaterFox Browser
  70. Wi-Fi Credentials and Profiles
  71. Windows Credentials
  72. Windows Domain Certificate Credential
  73. Windows Domain Password Credential
  74. Windows Extended Credential
  75. Windows Generic Credential
  76. Windows Secure Note
  77. Windows Web Password Credential
  78. WinSCP
  79. WS_FTP Pro FTP client
  80. Yandex Browser

Email: torre@casadavilas[.]com
Mailserver: mail[.]casadavilas[.]com

Malware moved to:
C:\Users\Dex Dexter\AppData\Local\Temp\tmpG766.tmp
[%TempPath% + "\tmpG" + DateTime.Now.Millisecond + ".tmp"]
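As an added example (not from the post), the two host-side artifacts above can be turned into a simple detection: the dropped file is named %TEMP%\tmpG<n>.tmp with n = DateTime.Now.Millisecond, so one to three unpadded digits, and the exfiltration connection goes to the mail server listed. The Python below runs that logic over constructed, Sysmon-style key=value log lines (EventID 11 = file create, EventID 3 = network connection); the log layout and the lines themselves are made up for the example, and the only injection host it knows is RegAsm.exe, the option chosen in this campaign, which is why a tmpG drop written by that process gets a higher confidence than one written by anything else.

```python
import re

# %TempPath% + "\tmpG" + DateTime.Now.Millisecond + ".tmp": 1-3 unpadded digits.
TMP_DROP = re.compile(r"\\Temp\\tmpG(\d{1,3})\.tmp$", re.IGNORECASE)
# Stored defanged as in the IOC list, refanged for matching.
EXFIL_HOSTS = {h.replace("[.]", ".") for h in ("mail[.]casadavilas[.]com",)}
# Injection host named in the post for this campaign (option one of nine).
INJECTION_HOSTS = {"regasm.exe"}

# Constructed log lines in a flattened Sysmon-like key=value form; not real telemetry.
SAMPLE_LOG = """\
EventID=11 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe TargetFilename=C:\\Users\\Dex Dexter\\AppData\\Local\\Temp\\tmpG766.tmp
EventID=11 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe TargetFilename=C:\\Users\\Dex Dexter\\AppData\\Local\\Temp\\tmpG7A.tmp
EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\Dex Dexter\\AppData\\Local\\Temp\\tmpG1234.tmp
EventID=11 Image=C:\\Windows\\System32\\notepad.exe TargetFilename=C:\\Users\\Dex Dexter\\AppData\\Local\\Temp\\tmpG42.tmp
EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe DestinationHostname=mail.casadavilas.com DestinationPort=587
EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=www.example.org DestinationPort=443
"""


def parse_line(line):
    """Split 'Key=value Key=value' pairs; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line.strip()))


def scan(log_text):
    """Return one (rule, confidence, image, artifact) tuple per matching line."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == "11" and TMP_DROP.search(ev.get("TargetFilename", "")):
            # A tmpG drop by the known injection host is the strongest signal;
            # from any other process it is still worth a look but noisier.
            confidence = "high" if exe in INJECTION_HOSTS else "medium"
            hits.append(("tmpG_drop", confidence, image, ev["TargetFilename"]))
        elif ev.get("EventID") == "3" and ev.get("DestinationHostname", "").lower() in EXFIL_HOSTS:
            hits.append(("exfil_mailserver", "high", image, ev["DestinationHostname"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The millisecond suffix is the useful part of the pattern: a legitimate temp file created through the .NET or Win32 API gets a hexadecimal name such as tmp7A3F.tmp, so a purely decimal one- to three-digit suffix after "tmpG" does not collide with normal activity, while names like tmpG1234.tmp or tmpG7A.tmp are correctly left alone.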

Hashes executables:

ARJ files:

Related hashes:


