RiskIQ's research team leverages our Internet Intelligence Graph to analyze known campaigns of widely used malware families to fingerprint trends in malicious infrastructure. We recently continued our analysis of Agent Tesla, leading us to identify the XAMPP web server solutions stack being used to serve Agent Tesla and Formbook malware.
This latest analysis shines new light on the Agent Tesla ecosystem, the TTPs its operatives are using, and how RiskIQ users can now leverage the XAMPP web component to identify hosts that distribute malware and research other potentially malicious infrastructure.
XAMPP is Useful to Developers and Threat Actors Alike
XAMPP is an Apache distribution containing MariaDB and the PHP and Perl languages. Able to be installed on Windows, Linux, or OS X, it is intended to facilitate development work and testing without requiring access to the Internet. The package enables developers to quickly deploy Apache web servers on their local machines. XAMPP ships with all features turned on, which means many security protections are disabled by default to ease use.
XAMPP is not malicious software, and hosts running XAMPP are not necessarily malicious. However, much of what makes XAMPP ideal for developers also makes it a valuable tool for threat actors, and we found that some malicious hosts abuse XAMPP to distribute malware.
XAMPP as a Breadcrumb Leading to Agent Tesla
The XAMPP web component collected by RiskIQ's Internet Intelligence Graph shows that, while development work within XAMPP does not require an internet connection, there are many internet-facing XAMPP servers.
Our researchers first noticed XAMPP's use for malware distribution during an investigation of Agent Tesla infrastructure for our March 2021 article, Exploring Agent Tesla Infrastructure. In that article, we identified Agent Tesla infrastructure running the same web service stack of MariaDB, Apache, and PHP—all with SMB open and often having FTP or SMTP services.
With RiskIQ's XAMPP web component, we can identify hosts running this specific web service stack. We can then use these hosts in conjunction with other data points to find malicious infrastructure and emergent patterns in that infrastructure.
Linking XAMPP to Agent Tesla: The Smoking Gun
This investigation began with three IP addresses that RiskIQ recently detected with the XAMPP stack installed and hosting Agent Tesla, and one IP address hosting Formbook. All four hosts were running Windows and SMB, and half were running Windows Remote Desktop.
In one scenario, an IP hosted Agent Tesla executables and a WBK file, a backup file created by Microsoft Word. In the IP's associated hashes list, there is a link to a Hybrid Analysis report for a file that makes a GET request to a WBK file and then another to download an Agent Tesla file with various decoy command and control (C2) domains. Many other Agent Tesla samples were noted on this IP under different directories, each hosting both a WBK file and an Agent Tesla executable. All of the Agent Tesla files associated with the IP communicated with the same C2.
In other cases, attacker IPs deployed Agent Tesla via a malicious XLSX document that communicated out to the IP to download the Agent Tesla file, which was then immediately renamed. Another attacker IP hosted malicious files, acting as a mail server to send out phishing emails to deploy malware like SnakeKeylogger and QuasarRAT.
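As an added example (not code from the RiskIQ post), the Python hunt below runs over constructed proxy log lines and flags the chain described above: a GET for a WBK file followed shortly by a GET for an executable from the same server. The log format, the five-minute window, and the server addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines ("timestamp client method url status"); the server
# addresses are documentation-range placeholders, not indicators from the post.
SAMPLE_LOG = """\
2021-07-20T09:14:02Z 10.0.0.5 GET http://203.0.113.10/docs/report.wbk 200
2021-07-20T09:14:05Z 10.0.0.5 GET http://203.0.113.10/docs/update.exe 200
2021-07-20T09:20:00Z 10.0.0.7 GET http://203.0.113.10/docs/report.wbk 200
2021-07-20T11:20:00Z 10.0.0.7 GET http://203.0.113.10/docs/update.exe 200
2021-07-20T09:30:00Z 10.0.0.9 GET http://198.51.100.4/img/logo.png 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
DECOY_EXT = (".wbk",)                # Word backup file fetched first in the observed chain
EXEC_EXT = (".exe", ".scr", ".dll")  # payload fetched second

def parse_log(text):
    """Parse the simplified log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        u = urlparse(url)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "method": method, "host": u.hostname,
                       "path": u.path.lower(), "status": int(status)})
    return events

def find_decoy_then_exe(events, window=timedelta(minutes=5)):
    """Return (client, server, decoy_path, exe_path) for each client that fetched a decoy and, within window, an executable from the same server."""
    per_client = defaultdict(list)
    for e in events:
        per_client[e["client"]].append(e)
    hits = []
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, dec in enumerate(evs):
            if not dec["path"].endswith(DECOY_EXT):
                continue
            for ex in evs[i + 1:]:
                if ex["time"] - dec["time"] > window:
                    break  # events are sorted, so later ones are outside the window too
                if ex["host"] == dec["host"] and ex["path"].endswith(EXEC_EXT):
                    hits.append((client, dec["host"], dec["path"], ex["path"]))
                    break
    return hits
```

The second client in the sample fetches the executable two hours after the WBK file and is deliberately not flagged; the decoy extensions and window are the knobs to tune against real logs.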
You can explore the full list of IOCs by visiting the RiskIQ Threat Intelligence Portal.
XAMPP and Dynamic DNS (DDNS) Hosts
We previously noted that attackers installed XAMPP on hosts belonging to dynamic DNS (DDNS) provider duckdns[.]org, which were distributing Agent Tesla.
We recently observed other DDNS providers hosting malware files with the XAMPP stack installed as well. RiskIQ data shows one of these hosts has distributed malicious files like njRAT and Nanabot since February 2019. A current listing of files observed on this host also included Agent Tesla, droppers, coin miners, njRAT, and Android spyware files.
As mentioned in our earlier article on Agent Tesla, subdomains under DDNS provider ydns[.]eu hosted Agent Tesla malware. The host noted in that article had XAMPP installed and hosted Agent Tesla malware in May 2021. Additionally, we identified several DDNS URLs from the provider dns[.]army with file names similar to what we have seen used with Agent Tesla samples.
You can see these indicators in the comprehensive article in the Threat Intelligence Portal, featuring similarly named suspicious ydns[.]eu and dns[.]army domains in the list of enterprise indicators.
XAMPP and Other Suspicious Activity
While we do not have confirmed malicious activity on this infrastructure, an illegitimate domain mimicking Microsoft Outlook was recently registered on July 23 and has linked to two PHP pages displaying what appear to be XAMPP notifications about settings that have not yet been configured.
Leave Agent Tesla Nowhere to Hide
Web components describe a web page or server infrastructure gleaned from RiskIQ's mass crawling technology. These components provide analysts with a high-level understanding of what was used to host the page and what technologies may have been loaded. When possible, RiskIQ’s research team categorizes the specific components and includes version numbers so customers can easily discover and identify them, such as XAMPP instances running the specific service stack detailed in this article.
Other RiskIQ data sets, such as DDNS, hashes, and OSINT can be used to put together the bigger picture of malicious infrastructure, as we did with Agent Tesla above. Join the RiskIQ Community and visit RiskIQ’s threat intelligence portal to see exactly how RiskIQ data sets helped us uncover the links between XAMPP and Agent Tesla and explore the IOCs in this investigation.
Contact us today to find out more about RiskIQ and how our powerful technology can supercharge threat hunters at your organization.