Agent Tesla: malware campaign using ad hoc registered domains [English version]

Italian version here.

In recent days D3Lab identified a malspam campaign that imitates a communication about invoices and payments in order to spread malware whose aim is to steal sensitive data from Microsoft Windows devices.

The malware is downloaded from a probably compromised domain and executed by a Microsoft Excel macro attached to the mail; these steps clearly require user interaction.

The malware uses the SMTP protocol to send the stolen credentials to command and control servers identified by domain names registered ad hoc for this malspam campaign. This trick lets it slip past superficial network traffic controls: the domain names look plausible enough to deceive the operators watching the network, so the malware is allowed to talk to its C&C servers. A plausible name does not change the protocol, though: outbound SMTP from a workstation to a mail server that is not the organisation's own relay is anomalous in itself, and that is the signal to alert on.

Since April 1st we have identified eleven versions of the malware. They differ only in the SMTP server used to send the stolen credentials, and we suppose each file was made to hit a different country.

A reverse DNS lookup leads to other domains registered ad hoc, likely with the same aim: to spread malware and steal data using believable domain names rather than random ones, which would look more suspicious. Some examples:

  • smtp.ferrattigroup[.]com
  • smtp.petrechemicals[.]com
  • smtp.cmis-sa[.]com
  • smtp.bhconline-it[.]com
  • smtp.i-banking[.]online

Our analysis focused on the executable jiz9.exe, which reveals the involvement of the domain gruppoiren-it[.]com, registered ad hoc and currently used to exfiltrate sensitive information from compromised systems, as shown in the screenshot below, taken while the malware was running in a sandbox.

The domain name gruppoiren-it[.]com appears to refer to Gruppo Iren SpA, an Italian multi-utility operating in electricity and energy production and distribution. Obviously the domain gruppoiren-it[.]com was not registered by that company.

Sniffing the SMTP traffic, it is possible to recognise the types of data sent to the C&C server through a preset email address:

  • Host/Computer name
  • User
  • Operating System
  • CPU
  • RAM
  • IP
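The exchange described above, as an added example that is not part of the original post and not D3Lab's tooling: a small parser that walks a client/server SMTP transcript, recovers the AUTH LOGIN credentials (they are only base64-encoded), the envelope addresses, the subject and the key/value pairs in the message body, and turns them into the findings an analyst would act on. The transcript, the host name smtp.brand-it.example, the mailbox, the password and the system details are all constructed placeholders; the field labels follow the list above, and CORPORATE_MAIL_HOSTS is an assumed allow-list of the organisation's own relays.

```python
import base64
import re
from email import message_from_string

# Assumption: the organisation's own outbound mail relays; anything else is suspect.
CORPORATE_MAIL_HOSTS = {"mail.corp.example"}

# Constructed transcript modelled on the exchange described in the post.
# Host, addresses, credentials and system details are placeholders, not captured data.
SESSION = """\
220 smtp.brand-it.example ESMTP Postfix
EHLO DESKTOP-7K2Q1
250-smtp.brand-it.example
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
bmFtZS5zdXJuYW1lQGJyYW5kLWl0LmV4YW1wbGU=
334 UGFzc3dvcmQ6
UEBzc3cwcmQh
235 2.7.0 Authentication successful
MAIL FROM:<name.surname@brand-it.example>
250 2.1.0 Ok
RCPT TO:<name.surname@brand-it.example>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: name.surname@brand-it.example
To: name.surname@brand-it.example
Subject: PW_mrossi/DESKTOP-7K2Q1
Content-Type: text/html; charset=utf-8

Time: 04/03/2019 10:15:22<br>
User Name: mrossi<br>
Computer Name: DESKTOP-7K2Q1<br>
OSFullName: Microsoft Windows 10 Pro<br>
CPU: Intel(R) Core(TM) i5-8250U<br>
RAM: 8073.25 MB<br>
IP: 203.0.113.45<br>
.
250 2.0.0 Ok: queued as 4A1F2
QUIT
221 2.0.0 Bye
"""

FROM_RE = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.I)
RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]*)>", re.I)
# "Label: value<br>" lines in the HTML body; the trailing <br> is optional.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)(?:<br>)?\s*$")


def parse_smtp_session(session: str) -> dict:
    """Walk an SMTP transcript and pull out what the client sent."""
    lines = session.splitlines()
    info = {"server": None, "auth_user": None, "auth_pass": None,
            "mail_from": None, "rcpt_to": [], "subject": None, "fields": {}}
    auth_parts = []
    i = 0
    while i < len(lines):
        line = lines[i]
        m_from, m_rcpt = FROM_RE.match(line), RCPT_RE.match(line)
        if line.startswith("220 ") and info["server"] is None:
            info["server"] = line.split()[1]          # server banner -> relay host
        elif line.startswith("334 "):
            i += 1                                    # server challenge: next client line is base64
            auth_parts.append(base64.b64decode(lines[i]).decode("utf-8", "replace"))
        elif m_from:
            info["mail_from"] = m_from.group(1)
        elif m_rcpt:
            info["rcpt_to"].append(m_rcpt.group(1))
        elif line.upper() == "DATA":
            i += 2                                    # skip DATA and the 354 reply
            body = []
            while i < len(lines) and lines[i] != ".":  # message ends at a lone "."
                body.append(lines[i])
                i += 1
            msg = message_from_string("\n".join(body))
            info["subject"] = msg["Subject"]
            for raw in msg.get_payload().splitlines():
                f = FIELD_RE.match(raw)
                if f:
                    info["fields"][f.group(1).strip()] = f.group(2).strip()
        i += 1
    if len(auth_parts) == 2:                          # AUTH LOGIN: username, then password
        info["auth_user"], info["auth_pass"] = auth_parts
    return info


def assess(info: dict, corporate_hosts=CORPORATE_MAIL_HOSTS) -> list:
    """Turn a parsed session into findings; each one is an alerting condition on its own."""
    findings = []
    if info["server"] and info["server"] not in corporate_hosts:
        findings.append(f"outbound SMTP to non-corporate relay {info['server']}")
    if info["rcpt_to"] and info["mail_from"] in info["rcpt_to"]:
        findings.append("self-addressed message (drop-box mailbox pattern)")
    if info["auth_user"] and info["auth_user"] in info["rcpt_to"]:
        findings.append("mailbox credentials shipped inside the binary: "
                        f"{info['auth_user']} / {info['auth_pass']}")
    fingerprint = {"Computer Name", "User Name", "OSFullName", "CPU", "RAM", "IP"}
    present = fingerprint & set(info["fields"])
    if len(present) >= 4:
        findings.append("host fingerprint in body: " + ", ".join(sorted(present)))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_smtp_session(SESSION)):
        print(finding)
```

The credentials recovered from the AUTH LOGIN step are the same ones an analyst can pull from the sample by decoding it, which is why the drop-box mailbox can be reported for takedown together with the domain.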

The malware is written in .NET, and decoding it shows the email clients and web browsers from which it extracts stored credentials:

  • Firefox
  • Seamonkey
  • Flock
  • Thunderbird
  • PostBox
  • Chrome

All malware versions use SMTP servers identified by different domain names that resolve to the same IP addresses. Running the versions and monitoring the network traffic, it is possible to identify the email accounts/addresses used to send the stolen data:

  • biggi[@]siamzime[.]com
  • emeka[@]skipper-spb[.]com
  • foxy[@]jeepine-cn[.]com
  • francis[@]amchlk[.]com
  • passy[@]hagena-de[.]com
  • obi[@]gpbocsh[.]com
  • noor[@]cobrauea[.]com
  • lavert[@]jsp-ldt[.]com

For Gruppo Iren we find a difference: the email address used to send data to the gruppoiren-it[.]com domain uses the first and last name (in the name.surname[@]gruppoiren-it[.]com format) of a real Gruppo Iren SpA employee who, as anyone can read on LinkedIn, is a sales representative.

Although we have no proof, we suppose that such a specific domain name, and an email address built by the criminals after clear OSINT work, could have been used, or could be used in the future, for spear phishing, BEC and CEO fraud against Gruppo Iren.

As said above, the malware, developed in .NET, has features built to extract information from email clients and web browsers; the screenshot below shows the namespace responsible for extracting the data stored by Mozilla Firefox.

A whois query on the gruppoiren-it[.]com domain shows that it was registered on February 21st 2019 and gives detailed information about the registrant:

Registrant Name: Simon Paul
Registrant Street: 16A raod off high way, Goa
Registrant City: Goa
Registrant Postal Code: 098068,
Registrant Country: IN
Registrant Email: [email protected]
Admin Phone: +91.9905564812

The domain name gruppoiren-it[.]com closely resembles the official Gruppo Iren domain name. This look-alike registration is a form of cybersquatting; since the criminals appended a token ("-it") to the brand name rather than changing a single bit of it, it is more precisely a combosquat than a bitsquat (bitsquatting proper refers to names that differ from the original by one flipped bit, which catch traffic from memory errors rather than from human error).
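To make the distinction concrete, the following added example (written for this edit, not D3Lab's Brand Monitor code) generates the look-alike families for a brand domain and classifies a candidate against them: single-bit flips of the brand label (bitsquatting), brand plus a glued-on token such as the country code (combosquatting), and the same label under a different TLD. The official domain gruppoiren.it and the token list are assumptions; check the real domain before relying on the result.

```python
import string

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")   # valid DNS label characters
# Tokens commonly glued onto a brand label in look-alike registrations (assumed list).
COMBO_TOKENS = ("it", "spa", "group", "online", "mail", "login")
SQUAT_TLDS = ("com", "net", "org", "online")


def split_domain(domain: str):
    """'gruppoiren.it' -> ('gruppoiren', 'it'); only the last label is treated as the TLD."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def bitsquat_variants(domain: str) -> set:
    """Every domain whose label differs from the original by exactly one bit."""
    label, tld = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            if c in LABEL_CHARS and c != ch:
                cand = label[:i] + c + label[i + 1:]
                if not cand.startswith("-") and not cand.endswith("-"):
                    out.add(f"{cand}.{tld}")
    return out


def combosquat_variants(domain: str, tokens=COMBO_TOKENS, tlds=SQUAT_TLDS) -> set:
    """Brand label with a token glued before or after it, with or without a hyphen."""
    label, tld = split_domain(domain)
    out = set()
    for tok in set(tokens) | {tld}:          # the legitimate TLD is a favourite token: brand-it.com
        for sep in ("-", ""):
            for t in tlds:
                out.add(f"{label}{sep}{tok}.{t}")
                out.add(f"{tok}{sep}{label}.{t}")
    return out


def classify(candidate: str, official: str) -> str:
    """Name the look-alike family a candidate belongs to, or 'unrelated'."""
    cand = candidate.lower().strip(".")
    if cand == official.lower():
        return "official"
    if cand in bitsquat_variants(official):
        return "bitsquat"
    if cand in combosquat_variants(official):
        return "combosquat"
    clabel, ctld = split_domain(cand)
    olabel, otld = split_domain(official)
    if clabel == olabel and ctld != otld:
        return "tld-swap"
    return "unrelated"


def screen(candidates, official: str) -> dict:
    """Run classify() over a list of newly seen domains and keep the ones worth a takedown request."""
    hits = {c: classify(c, official) for c in candidates}
    return {c: kind for c, kind in hits.items() if kind not in ("unrelated", "official")}


if __name__ == "__main__":
    for name in ("gruppoiren-it.com", "gruppoiran.it", "gruppoiren.com", "ferrattigroup.com"):
        print(name, "->", classify(name, "gruppoiren.it"))
```

Registrations in the bitsquat family are worth watching for a different reason than the other two: nobody types them, so a hit there is traffic from a hardware fault, while a combosquat like the one in this campaign is chosen precisely because a human (or a tired SOC analyst) will read it as the brand.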

D3Lab works against phishing and analyses this kind of fraud attempt every day.

The D3Lab Brand Monitor service identifies this kind of crime, which exploits the deceptive power of domain names that recall well-known brands.

Every day D3Lab, through OSINT and CLOSINT activities, looks for suspicious domain names usable in frauds and requests the takedown of the fake domains from the internet service providers involved. This daily activity stops frauds before they are carried out and avoids the damage to a company's image that comes with brand abuse.


IoCs identified:

  • 208.91.198[.]143
  • 208.91.199[.]224
  • 208.91.199[.]225
  • ahsantiago[.]pt
  • bhpfinancialplanning[.]co[.]uk
  • smtp.amchlk[.]com
  • smtp.cobrauea[.]com
  • smtp.gpbocsh[.]com
  • smtp.gruppoiren-it[.]com
  • smtp.hagena-de[.]com
  • smtp.jeepine-cn[.]com
  • smtp.jsp-ldt[.]com
  • smtp.siamzime[.]com
  • smtp.skipper-spb[.]com
  • jiz9.exe: 009977313d777a207e1e1dced2062bae0beb5bc8394d9f3eabd785d8cb3c6a58
  • 733_01042019.xlsx: 7765df6489e8792508192e007f0fe900310182d6031a61f216df945d64055cbb
