MYHACK58:62201994299 (myhack58, Anonymous)
History: May 28, 2019 - 12:00 a.m.

Beware of Office vulnerabilities used to spread the commercial spyware AgentTesla - vulnerability warning - the black bar safety net (myhack58)

2019-05-28 00:00:00
Anonymous (佚名)
www.myhack58.com
266

CVSS3: 7.8 High
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (Percentile 99.9%)

Background overview
AgentTesla was first released in 2014 as a simple keylogger. In the years since, its development team has kept adding new features and sells it commercially. AgentTesla has become a commercial spyware whose control panel lets the buyer generate a Trojan tailored to the functional requirements they need.
AgentTesla's most common distribution method is phishing e-mail. The attachment usually carries a malicious document that downloads and runs the malicious program through a macro or an exploit. Recently, the Sangfor security team collected malicious samples that use CVE-2017-11882 to spread the information-stealing AgentTesla, and analyzed the attack process in detail.
Detailed analysis
CVE-2017-11882

1. Using tools to monitor file behavior, we saw that after the document is opened the system launches the eqnedt32.exe process, and packet capture caught it downloading an EXE file. From this we determined that CVE-2017-11882 is being used to execute malicious code:
   ![](/Article/UploadPic/2019-5/201952872350787.png)
2. Attaching a debugger and setting a breakpoint on Kernel32!WinExec, we inspected the register values and found the command being run: "C:\Users\root\AppData\Roaming\Adobe.exe". Combined with the captured traffic, the malicious code evidently downloads the file, saves it locally and then runs it, which suggests it uses the URLDownloadToFile family of APIs:
   ![](/Article/UploadPic/2019-5/201952872351853.png)
3. We attached the debugger and set breakpoints on the network-related APIs, but the program never hit them. We therefore set the breakpoint in the eqnedt32.exe function that overflows and single-stepped to its ret, where the overwritten return address transfers execution to the malicious code:
   ![](/Article/UploadPic/2019-5/201952872353745.png)
4. The malicious code first decrypts itself in memory; the figures compare the code before and after decryption. The recovered strings show that it resolves API addresses dynamically to call URLDownloadToFileW to download the file and then WinExec to run it:
   ![](/Article/UploadPic/2019-5/201952872354449.png)
   ![](/Article/UploadPic/2019-5/201952872356708.png)
AgentTesla

1. AgentTesla is a keylogger written for the .NET Framework. Viewing the code with a decompiler, the custom function names are obfuscated, but the APIs used and the keyword strings are still in plain text, and the keystroke-recording code is visible:
   ![](/Article/UploadPic/2019-5/201952872358476.png)
2. In addition to keylogging, it also reads registry key values to obtain host information:
   ![](/Article/UploadPic/2019-5/201952872359416.png)
3. The data to be sent is encrypted with the DES algorithm:
   ![](/Article/UploadPic/2019-5/20195287240111.png)
4. There are three alternative ways to upload the stolen data to the remote C&C:
   Upload via FTP:
   ![](/Article/UploadPic/2019-5/20195287241828.png)
   Upload via SMTP:
   ![](/Article/UploadPic/2019-5/20195287242974.png)
   Upload via HTTP:
   ![](/Article/UploadPic/2019-5/20195287243766.png)
5. AgentTesla embeds in its resources a DLL named IELibrary.dll, which implements browser operations. AgentTesla defines the names of the browsers and network tools from which information is to be stolen; this is a selectable option when the malicious program is generated from the control panel:
   ![](/Article/UploadPic/2019-5/20195287244718.png)
6. IELibrary.dll is mainly responsible for collecting and manipulating browser information, including adding, deleting, modifying and querying browsing history:
   ![](/Article/UploadPic/2019-5/20195287244281.png)
   Stealing passwords and cookies:
   ![](/Article/UploadPic/2019-5/20195287245577.png)
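As an added, defender-side example (not from the original article or from Sangfor), the Python below flags process-creation events that match the chain observed in the CVE-2017-11882 analysis above: eqnedt32.exe launching a second-stage executable, with higher severity when the child sits in a user-writable directory such as AppData\Roaming. The log lines are constructed for this example, and the Sysmon-style "time | ParentImage | Image | CommandLine" layout is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1 style), flattened
# to "time | ParentImage | Image | CommandLine". The third line mirrors the chain
# seen in the analysis: eqnedt32.exe starting Adobe.exe from AppData\Roaming.
SAMPLE_EVENTS = """\
2019-05-28 09:12:01 | C:\\Windows\\explorer.exe | C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE | WINWORD.EXE invoice.doc
2019-05-28 09:12:03 | C:\\Windows\\System32\\svchost.exe | C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE | EQNEDT32.EXE -Embedding
2019-05-28 09:12:05 | C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE | C:\\Users\\root\\AppData\\Roaming\\Adobe.exe | "C:\\Users\\root\\AppData\\Roaming\\Adobe.exe"
2019-05-28 09:15:44 | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe notes.txt
"""

# Equation Editor is an out-of-process COM server that only renders OLE objects;
# it has no legitimate reason to launch child processes, so any child is alert-worthy.
EQNEDT = re.compile(r"(^|\\)eqnedt32\.exe$", re.IGNORECASE)
# A child dropped into a user-writable location raises the severity.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    child: str
    severity: str


def parse_event(line):
    """Split one flattened event into its four fields; None if malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 4:
        return None
    return dict(zip(("time", "parent", "image", "cmdline"), fields))


def detect(log_text):
    """Return an Alert for every event whose parent process is eqnedt32.exe."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or not EQNEDT.search(ev["parent"]):
            continue
        severity = "high" if USER_WRITABLE.search(ev["image"]) else "medium"
        alerts.append(Alert(ev["time"], ev["image"], severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.time} eqnedt32.exe spawned {a.child}")
```

On the sample data only the Adobe.exe launch is reported, as a high-severity alert; normal Word and Equation Editor start-ups are not flagged.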
Solutions
Virus defense
1. Do not download software from unknown websites, do not open e-mail attachments from unknown sources, and do not enable macros casually;
2. Download and install the patch for CVE-2017-11882:
   https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
3. Turn on Windows Update so the system receives updates automatically;
4. Sangfor firewall customers are advised to upgrade to version AF805 and enable the SAVE artificial-intelligence engine for the best defense results;
Finally, enterprises are advised to perform a network-wide security check and antivirus scan to strengthen their protection.
