For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and map the relationships between its infrastructure to show customers how they, and attackers targeting them, fit within it. To continue to strengthen our Internet Intelligence Graph, RiskIQ's research team has begun analyzing popular malware families' known campaigns to fingerprint trends in threat infrastructure.
We analyzed infrastructure that likely belongs to Agent Tesla remote access trojans (RATs) to determine commonalities and identify trends that will help us detect them.
Agent Tesla is an extremely popular "malware-as-a-service" RAT used to steal credentials, keystrokes, clipboard data, and other information from its operators' targets. Most commonly delivered via phishing campaigns, Agent Tesla has been deployed in several iterations since it first appeared around 2014. Because it is sold as malware-as-a-service, RiskIQ researchers had enough available samples to identify commonalities in its deployment.
The most recent version of Agent Tesla can steal information via HTTP, SMTP, or FTP. Using RiskIQ data, we've identified more than 100 infrastructure-based indicators delivering Agent Tesla artifacts configured for these services.
The Service Stack
Using the RiskIQ Threat Intelligence Portal, we can illuminate the infrastructure this host was using around the time of the analysis. In October of 2020, RiskIQ detected each service (HTTP, FTP, and SMTP) Agent Tesla uses for data exfiltration on the IP explored above.
While reviewing the IPs associated with subdomains showing Agent Tesla's behavior in the Threat Intelligence Portal, we also see they use the same web service stack (MariaDB, Apache, PHP) with SMB open. They will often have FTP or SMTP services as well:
In the same blog post, Morphisec highlighted some older IOCs they had seen for Agent Tesla. Reviewing one of these IPs and hosts in RiskIQ Community shows similarities to the previous examples we analyzed. Also, when looking at the host's components, it has a very similar service stack to our sample above:
Two Malicious Files per IP
The Morphisec blog mentioned above identified an Agent Tesla IP address hosting two malicious files. RiskIQ's internal web crawling data revealed that an older Agent Tesla IP also hosted two unique download URLs for malicious files. Both of these were seen by our crawler on October 27th, well after the infrastructure was set up, but while the hosts seen by Morphisec were still online.
The response body returned by one of the files had a SHA256 hash detected as malicious by over 80% of the engines on VirusTotal. Unsurprisingly, the response body for the other file was flagged by those same engines.
Pivoting on these trends in RiskIQ's internal crawl data revealed many similar patterns. We consistently observed the IP addresses to which Agent Tesla DDNS subdomains resolve hosting two malicious files. Our assumption is that, similar to the samples documented by Morphisec, the first file is the C2 and the second is the payload.
Agent Tesla subdomains are unusually long, generally containing a single run of more than 30 characters without dots or hyphens.
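The three observable traits described above (the MariaDB/Apache/PHP stack with SMB and an FTP or SMTP service, exactly two malicious download URLs per IP, and an unusually long hyphen-free subdomain label) can be turned into a simple fingerprint score for triaging hosts. The following is an added example written for this post, not RiskIQ code and not a RiskIQ API; the host record layout, component names and the sample hosts (RFC 5737 documentation addresses with invented hostnames) are constructed assumptions.

```python
"""Score hosts against the Agent Tesla infrastructure traits described in the post.

Added example, not RiskIQ code. The HostRecord layout and the sample hosts below
are constructed assumptions, not a RiskIQ data format.
"""
from dataclasses import dataclass

# Components the post reports on Agent Tesla hosts: a web stack plus SMB, and
# usually one of the exfiltration services the malware supports.
CORE_STACK = {"mariadb", "apache", "php", "smb"}
EXFIL_SERVICES = {"ftp", "smtp", "http"}
LONG_LABEL_THRESHOLD = 30  # characters; the post observes labels "over 30 characters"


@dataclass
class HostRecord:
    ip: str
    components: set            # service/component names observed on the host
    hostnames: list            # DDNS-style hostnames that resolve to the IP
    malicious_file_urls: int   # distinct download URLs whose body was flagged malicious


def has_long_label(fqdn: str, threshold: int = LONG_LABEL_THRESHOLD) -> bool:
    """True if any single DNS label exceeds `threshold` characters and has no hyphen."""
    labels = fqdn.lower().strip(".").split(".")
    return any(len(label) > threshold and "-" not in label for label in labels)


def score_host(host: HostRecord) -> dict:
    """Return which fingerprint traits matched and an overall score from 0 to 4."""
    comps = {c.lower() for c in host.components}
    features = {
        "core_stack": CORE_STACK <= comps,
        "exfil_service": bool(comps & EXFIL_SERVICES),
        "two_malicious_files": host.malicious_file_urls == 2,
        "long_subdomain": any(has_long_label(h) for h in host.hostnames),
    }
    return {"ip": host.ip, "score": sum(features.values()), "features": features}


# Constructed sample hosts: one that matches every trait, one benign-looking web host.
SAMPLE_HOSTS = [
    HostRecord("192.0.2.10", {"MariaDB", "Apache", "PHP", "SMB", "FTP"},
               ["qwpoeirutyalskdjfhgzmxncbvqwpoeirutyals.example.net"], 2),
    HostRecord("198.51.100.7", {"Apache", "PHP"}, ["www.example.org"], 0),
]


def triage(hosts=SAMPLE_HOSTS, min_score=3):
    """Return the IPs whose fingerprint score meets the threshold, highest score first."""
    scored = sorted((score_host(h) for h in hosts), key=lambda s: -s["score"])
    return [s["ip"] for s in scored if s["score"] >= min_score]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(score_host(h))
    print("candidates:", triage())
```

The score is deliberately additive rather than requiring every trait: the post notes that FTP or SMTP is only "often" present, so a host missing one trait still surfaces for review, while a plain Apache/PHP web host scores zero.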
Connection to Other Threat Activity
The systems identified were very frequently seen in other suspicious activity outside the scope of our research. The name resolutions on many of the IPs listed in the Threat Intelligence Portal will yield a rabbit hole of interesting subdomains.
Most campaigns were obviously one-offs with unique IP addresses and subdomains. However, it's fairly common to see overlap between the IPs. The subdomains used by those IP addresses are very often permutations of the same base string. Interestingly, IP addresses that are used multiple times also had their infrastructure online the longest.
Infrastructure and Campaign Age
One of the biggest questions for incident response and threat intelligence teams is "How long are IOCs useful?" This is always a challenging question to answer, but identifying the common infrastructure and trends in malware campaigns helps shed some light on IOC ages.
Within the campaigns we analyzed, the longest period during which our scans observed the identified components active on an infrastructure host was 294 days, with just over 20% of the analyzed IP addresses maintaining the identified service stack for over 100 days.
The minimum lifespan was one day, but only 4 IP addresses maintained the stack for less than 10 days. The average lifespan was 69 days. This is a significant spread, but it shows that it is not at all uncommon for infrastructure to stay online, cycling between individual file artifacts, for periods of 3 months and longer.
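The lifespan figures above are derived from repeated scans of each IP: an IP's stack lifespan is the span between the first and last scan on which the full fingerprint was present. The following is an added example, not RiskIQ code, that computes the same kind of summary (maximum, minimum, mean, share over 100 days, count under 10 days) from scan observations; the observation tuples and their layout are constructed assumptions about what a scan export would contain, and the sample values are invented rather than the post's data.

```python
"""Estimate how long a fingerprinted service stack stayed online per IP.

Added example, not RiskIQ code. The observation layout (ip, scan date,
components seen on that scan) and the sample rows are constructed assumptions.
"""
from datetime import date
from statistics import mean

STACK = {"mariadb", "apache", "php", "smb"}

# Constructed observations: (ip, scan_date, components seen on that scan).
OBSERVATIONS = [
    ("192.0.2.10", date(2020, 1, 5), {"apache", "php"}),  # stack incomplete: ignored
    ("192.0.2.10", date(2020, 1, 20), {"mariadb", "apache", "php", "smb"}),
    ("192.0.2.10", date(2020, 3, 15), {"mariadb", "apache", "php", "smb", "ftp"}),
    ("192.0.2.10", date(2020, 5, 1), {"mariadb", "apache", "php", "smb"}),
    ("198.51.100.7", date(2020, 2, 2), {"mariadb", "apache", "php", "smb"}),
    ("198.51.100.7", date(2020, 2, 2), {"mariadb", "apache", "php", "smb"}),  # seen one day only
    ("203.0.113.9", date(2020, 6, 1), {"mariadb", "apache", "php", "smb", "smtp"}),
    ("203.0.113.9", date(2020, 6, 8), {"mariadb", "apache", "php", "smb"}),
]


def stack_lifespans(observations, stack=STACK):
    """Inclusive days between the first and last scan showing the full stack, per IP."""
    first_last = {}
    for ip, seen, comps in observations:
        if not stack <= {c.lower() for c in comps}:
            continue  # partial stack does not count toward the fingerprint's lifetime
        lo, hi = first_last.get(ip, (seen, seen))
        first_last[ip] = (min(lo, seen), max(hi, seen))
    # A host seen with the stack on a single scan day counts as a one-day lifespan.
    return {ip: (hi - lo).days + 1 for ip, (lo, hi) in first_last.items()}


def summarize(lifespans, long_days=100, short_days=10):
    """Aggregate lifespans into the figures the post reports."""
    values = list(lifespans.values())
    return {
        "max": max(values),
        "min": min(values),
        "mean": round(mean(values), 1),
        "share_over_long": sum(v > long_days for v in values) / len(values),
        "count_under_short": sum(v < short_days for v in values),
    }


if __name__ == "__main__":
    spans = stack_lifespans(OBSERVATIONS)
    print(spans)
    print(summarize(spans))
```

Scans that show only part of the stack are skipped rather than treated as the stack going offline; this keeps the metric aligned with the post's definition of the stack being "maintained", and it is the choice that makes the reported minimum of one day possible for a host seen on a single scan.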
Malware campaigns, especially "malware-as-a-service," will often leave very distinct infrastructure fingerprints. Tracking the infrastructure trends within an individual malware family reduces the need to consume every individual indicator of compromise within a campaign and makes the risk of those indicators aging out much lower.
Our initial query set produced thousands of unique web crawls and gave a good deal of insight into Agent Tesla's campaign infrastructure; the results can be seen in the attached IOCs.
Extending security and IT protection outside the firewall requires mapping these billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth. RiskIQ's data enables us to take a broader view of campaigns, such as the Agent Tesla activity we investigated in this blog post, to discover important trends and fingerprint different sets of indicators to better identify malicious infrastructure.
Visit our Threat Intelligence Portal for the full technical analysis of our Agent Tesla research, including a full list of IOCs surfaced in our investigation.