Microsoft Excel Infection Sequence

Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.

_{Figure 1: Spam email example}

_{Figure 2: Spam email example}

To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.

Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.

Figure 3: Malicious communication and additional file download

Figure 4 shows the actual obfuscated VBS file.

Figure 4: Obfuscated VBS file

The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below.

Figure 5: Malicious JPG file (steganography image)

The JPG file contains a Base64-encoded DLL, as shown in Figure 6. 

Figure 6: Base64-encoded DLL inside an image

Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command.

Figure 7: Malicious command that loads and runs the DLL file

After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation.

Figure 8: Process tree and thread injection in RegAsm.exe

From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below.

Figure 9: Thread injected into RegAsm.exe

Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors.

Figure 10: Browser data theft

In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.

Figure 11: Agent Tesla steals data from Outlook

As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.

Figure 12: Keyboard and clipboard hooks

In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor’s function intercepts before the action occurs.

Figure 13: Window hooking

From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.

Figure 14: Exfiltrate to Telegram