Agent Tesla Malware Analysis: WSHRAT Acting As A Dropper

Research By: Karthickkumar K

The Uptycs Threat research team recently noticed a new Agent Tesla malware attack campaign. In the campaign, we observed that the threat actors are now trying to drop Agent Tesla malware via WSHRAT malware. WSHRAT is VBScript/Javascriptbased malware that uses multi-stage infection for the purpose evading AV/EDR detection. This combination of  WSHRAT dropping an Agent Tesla payload was observed for the first time. 

WSHRAT is a remote access trojan (RAT) capable of keylogging and stealing sensitive PC info like OS information, computer name, username, running process info, etc. from the victim PC. The RAT code is publicly available at http[:]//www.wshsoftware[.]site. The Agent Tesla malware, on the other hand, has the ability to steal browser credentials and other sensitive information like VPN client credentials, FTP client credentials, etc. from the victim system. The WSHRAT dropping Agent Tesla was initially reported by 0xToxin.

In this campaign, the initial vector used by the threat actors was a spam email which had two archives attached, a GZ file and an R00 file. Figure 1 shows the infection flow.

Figure 1: Infection flow

Part 1: GZip Attachment

As mentioned above, the spam mail contains two types of archive files. The GZ archive contains a C#-compiled 32-bit executable binary file (Copia de pago.exe). Upon executing the binary, it drops two files in the Roaming folder:

1. MGosm.vbs - WSHRAT script file
2. nicon4.0origin.exe - C# executable Agent Tesla 

Figure 2 shows the execution flow of the binary.

Figure 2:Process execution flow of GZip attachment

Stage 1:

The binary Copia de pago.exe uses the Steganography method to embed PE binary in an image file to evade AV/EDR. which gets decrypted during its execution. The decrypted data in virtual memory address (0xD000) contains a new DLL binary.

Figure 3: DLL decrypted from Copia de pago.exe resource 

The Copia de pago.exe loads the DLL in memory (see Figure 4).

Figure 4: Copia de pago.exe loads decrypted DLL in memory 

Stage 2:

The newly loaded DLL binary file contains base64-encoded gzip compressed data (see Figure 5). The compressed data is just another DLL binary which gets loaded in memory during stage 2’s DLL execution.

Figure 5: base64-encoded gzip compressed data

Stage 3:

The DLL binary file decrypted in stage 2 contains XOR-encoded data. The decoded content is an exe file which drops the WSHRAT malware.

Stage 4: WSHRAT Malware

The decoded exe (in stage 3) contains base64-encoded WSHRAT which gets dropped in %appdata%\Roaming\ folder.

Figure 6: base64-encoded WSHRAT

The WSHRAT malware gathers:

• Computername
• Username
• OS information
• Country details
• Installed antivirus software details
• Install/Uninstall software

Along with these, the malware also creates auto startup entry:

HKCU\<id>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGosm: "wscript.exe //B "C:\Users\mygame1\AppData\Roaming\MGosm.vbs""

This RAT contains a list of commands which could be used by the threat actor remotely:

The payloads inside the vbs file (WSHRAT) are base64-encoded, gzip-compressed data.

Figure 7: Payloads inside are base64-encoded, gzip-compressed data

As we can see in Figure 8, along with the payloads (see Figure 7) the vbs file (WSHRAT) contains base64-encoded Agent Tesla payload. The Agent Tesla malware binary file gets dropped inside %appdata%\Roaming folder.

Figure 8: base64-encoded Agent Tesla

Part 2: R00 Attachment

The R00 archive contains a JavaScript file which while executing drops three files in the Roaming folder:

• Recibo de pago.js - Self copy file
• dohKlqYtRl.js - Vjw0rm
• Nicon4.0origin.exe - Agent Tesla

The execution flow of the R00 is shown in Figure 9.

Figure 9: Process execution flow of R00 attachment

The Recibo de pago.js file contains the base64-encoded Vjw0rm and WSHRAT (see Figure 10), While the JavaScript file drops the Vjw0rm script in the Roaming folder. Alongside dropping the Vjw0rm, the JavaScript file also runs WSHRAT binary in memory. 

Figure 10: Decoded Recibo de pago.js

Later, the WSHRAT drops Agent Tesla binary in the Roaming folder and runs it (see Figure 8). 

Conclusion: Detect and Block Agent Tesla Attacks

Our research on Agent Tesla showed the advancements in its attack chain. Enterprises must have tight security controls and multi-layered visibility and security solutions to identify and detect malware like Agent Tesla. Uptycs’ EDR correlation engine detected the Agent Tesla activity by correlating generic behavioral rules and YARA process scanning capabilities.

Uptycs EDR Detection

Uptycs EDR—armed with YARA process scanning, advanced detections, and the ability to correlate Registry Events, Process File Events, Process Events and API Events—successfully detects different types of tactics carried out by Agent Tesla. 

Additionally, Uptycs EDR contextual detection provides important details about the identified malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior as shown below (Figures 11,12,13, & 14).

Figure 11: A process tree showing the execution of files inside the gzip attachment in Uptycs EDR 

Figure 12: Uptycs EDR detection of the gzip attachment

Figure 13: A process tree showing the execution of files inside the R00 attachment in Uptycs EDR 

Figure 14: Uptycs EDR detection of the R00 attachment 

IOCS

GZip attachment:

R00 Attachment:

To learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin below.