It’s okay to eat paste, right?

Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from pastebin.com. This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. To make things more interesting, the paste itself was the hexadecimal representation of the binary, and it was obfuscated.

Figure 1 – The paste converted to binary

The original binary was a .NET PE file within a RAR email attachment. Inspecting the file with dnSpy, an easy-to-use debugger and assembly editor developed by 0xd4d, reveals that it is obfuscated. Lucky for us, de4dot, another tool developed by 0xd4d, detects the obfuscation as DeepSea and is able to deobfuscate it for us.

Figure 2 – de4dot detects the obfuscation as DeepSea

Now that de4dot has cleaned up the DeepSea obfuscated .NET code, we can walk the program from the Entry Point and see where the paste is downloaded and how it is decoded. We quickly discover webClient being used to download the paste.

Figure 3 – The .NET assembly using webClient to download the paste

Further inspection of the code identifies the decoding method and key. The downloaded paste is converted to binary and XOR decoded with a 32-bit integer value of 25.

Figure 4 – The paste is XOR encoded

Knowing the XOR key is 25 and is 32 bits long, let’s see if we can decode this payload with Python so that we can inspect it with dnSpy and see what it does.

Figure 5 – Python code to XOR decode the paste
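The decoder from Figure 5 is not reproduced on this page, so here is an added script (mine, not the original post's code) that does the same job: strip the paste down to hex, convert it to bytes, XOR it with the key, and confirm the result is a PE by checking the MZ stub and PE signature. Because the .NET code could apply the 32-bit key 25 either per byte or as a little-endian 4-byte pattern, the script tries both and keeps whichever yields a valid PE; the embedded sample paste is constructed from a fake header, not the real pastebin content.

```python
"""Decode a hex-encoded, XOR-obfuscated paste back into a PE file."""
import struct
import sys

XOR_KEY = 25  # key recovered from the .NET sample


def hex_paste_to_bytes(text: str) -> bytes:
    """Turn the paste text into raw bytes, ignoring whitespace and newlines."""
    return bytes.fromhex("".join(text.split()))


def xor_decode(data: bytes, key: int, width: int) -> bytes:
    """XOR data with `key` rendered as a little-endian integer of `width` bytes, repeating."""
    key_bytes = key.to_bytes(width, "little")
    return bytes(b ^ key_bytes[i % width] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_paste(text: str, key: int = XOR_KEY):
    """Try the 1-byte and 4-byte readings of the key (assumption: one of them is
    what the sample does); return (width, payload) for the one that gives a PE, else None."""
    raw = hex_paste_to_bytes(text)
    for width in (1, 4):
        candidate = xor_decode(raw, key, width)
        if looks_like_pe(candidate):
            return width, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: MZ stub plus a PE signature at 0x40."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample paste: the fake PE XORed per byte with the key, as hex text.
SAMPLE_PASTE = xor_decode(build_fake_pe(), XOR_KEY, 1).hex()

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASTE
    result = decode_paste(text)
    if result is None:
        sys.exit("no key interpretation produced a PE header")
    width, payload = result
    open("decoded.bin", "wb").write(payload)  # inspect decoded.bin in dnSpy
    print(f"decoded {len(payload)} bytes using a {width}-byte key")
```

Run it as `python decode_paste.py paste.txt` against a saved copy of the paste; with no argument it decodes the constructed sample.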

Perfect, the paste has been converted into a .NET DLL file. Inspecting the DLL in dnSpy reveals the same functionality and unpacking techniques that have been reported by other researchers.

What caught my eye was a RunPe object in the DLL. RunPE is a process hollowing technique: a malicious PE is injected into a benign process, which it then impersonates. At this point I became curious if other campaigns were using this paste or other pastes as a malware loader.

Lo and behold, this exact paste has been used by many campaigns in the past 30 days. And the malware payloads have included Loki, Agent Tesla, Formbook, and even HawkEye. And a second identical paste was found in a handful of campaigns this week.

IoCs

Pastes
https://pastebin.com/raw/gj2hhtAV
https://pastebin.com/raw/tbpmekC5

Email attachment hashes

Sample Email


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.