Agent Tesla spyware spreads via Microsoft Word documents

By: Costea Lestoc
2 minute read

The Agent Tesla malware spread via Microsoft Word documents last year, and now it has come back to haunt us. The latest variant of the spyware asks the victim to double-click a blue icon in the Word document, supposedly to enable a clearer view.

If the user is careless enough to click it, an .exe file is extracted from the embedded object into the system’s temporary folder and then run. This is only one example of how this malware works.

The malware is written in MS Visual Basic

The malware is written in the MS Visual Basic language, and it was analyzed by Xiaopeng Zhang, who posted the detailed analysis on his blog on April 5th.

The executable file he found was called POM.exe, and it is a sort of installer program. When it ran, it dropped two files, named filename.exe and filename.vbs, into a subfolder under %temp%. To run automatically at startup, the file adds itself to the system registry as a startup program, and that entry runs %temp%\filename.exe.
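A startup entry that points into the user's temp folder, as described above, is something a defender can check for directly. The following is an added example (not code from the article or from Zhang's analysis): it takes a dictionary of Run-key value names and command lines, resolves environment variables, strips quoting and arguments, and flags any entry whose image lives under a temp directory. The registry entries and the environment values are constructed for the example; `filename.exe` is the name used in the article, the other names are made up.

```python
"""Flag autorun (Run-key) entries whose executable sits under the user's temp
directory. Added example; the entries below are constructed, not real telemetry."""
import ntpath
import re

# Typical places a user-writable temp path can be spelled in a Run-key value.
TEMP_ROOTS = (
    r"%temp%",
    r"%tmp%",
    r"%localappdata%\temp",
    r"%userprofile%\appdata\local\temp",
)

# Constructed environment for one hypothetical user account.
SAMPLE_ENV = {
    "temp": r"C:\Users\alice\AppData\Local\Temp",
    "tmp": r"C:\Users\alice\AppData\Local\Temp",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "userprofile": r"C:\Users\alice",
}

# Constructed HKCU\...\Run values: two legitimate-looking, two pointing into temp.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "filename": r"%temp%\filename.exe",
    "Updater": r"C:\Users\alice\AppData\Local\Temp\sub\update.exe",
    "Driver": r"C:\Program Files\Vendor\tool.exe --start",
}


def expand(path, env):
    """Expand %var% references case-insensitively; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def extract_image(command):
    """Return the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: the image ends at the first ".exe" token, before any arguments.
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_temp_path(path, env):
    """True if the (expanded, normalised) path is inside any known temp root."""
    norm = ntpath.normpath(expand(path, env)).lower()
    for root in TEMP_ROOTS:
        r = ntpath.normpath(expand(root, env)).lower()
        if norm == r or norm.startswith(r + "\\"):
            return True
    return False


def find_temp_autoruns(entries, env):
    """Return (value name, command) pairs whose image resolves into a temp directory."""
    return [(name, cmd) for name, cmd in entries.items()
            if is_temp_path(extract_image(cmd), env)]


if __name__ == "__main__":
    for name, cmd in find_temp_autoruns(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"suspicious autorun: {name} -> {cmd}")
```

On a live system the `SAMPLE_ENTRIES` dictionary would be replaced by the values read from the Run keys under HKCU and HKLM and the environment by the target user's actual variables; the matching logic stays the same. Treat a hit as a triage lead rather than a verdict, since some legitimate installers also stage a one-off helper in temp.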

The malware creates a suspended child process

When filename.exe starts, it creates a suspended child process with the same name, in order to protect itself.

After this, it extracts a new PE file from its own resources and overwrites the child process’ memory with it. Then it resumes the child process’ execution.

The malware drops a daemon program

The malware also drops a daemon program from the .NET program’s resource called Player into the %temp% folder and runs it to protect filename.exe. The daemon’s program name is made up of three random letters, and its purpose is clear and simple.

The main function receives a command-line argument and saves it to a string variable called filePath. After this, it creates a thread that checks every 900 milliseconds whether filename.exe is running. If filename.exe has been killed, the thread runs it again.
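Both behaviours described in the two sections above leave a recognisable trace in process telemetry: the self-protection step shows up as a process creating a child with its own image name, and the daemon shows up as the same image being re-created within roughly a second of each termination, always by the same other process. The following is an added example (not the malware's code and not part of Zhang's analysis) that runs those two heuristics over a constructed, Sysmon-style stream of process create/terminate events. The field layout, the timeline, and the image names (`filename.exe` from the article; `abc.exe` as a stand-in for the three-letter daemon) are assumptions for the example.

```python
"""Triage heuristics for (1) a process spawning a same-name child and (2) a
watchdog that restarts a killed process. Added example over constructed events."""
from collections import defaultdict
import ntpath


def ev(t, kind, pid, image, ppid=None, parent=None):
    """Build one constructed event record (seconds since start, not real Sysmon output)."""
    return {"t": t, "event": kind, "pid": pid, "image": image,
            "ppid": ppid, "parent_image": parent}


TMP = r"C:\Users\alice\AppData\Local\Temp"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed timeline mirroring the described behaviour, plus a benign restart.
SAMPLE_EVENTS = [
    ev(0.0, "create", 100, TMP + r"\filename.exe", 10, EXPLORER),
    ev(0.1, "create", 101, TMP + r"\filename.exe", 100, TMP + r"\filename.exe"),  # same-name child
    ev(0.2, "create", 102, TMP + r"\abc.exe", 100, TMP + r"\filename.exe"),       # 3-letter daemon
    ev(5.0, "terminate", 101, TMP + r"\filename.exe"),
    ev(5.8, "create", 103, TMP + r"\filename.exe", 102, TMP + r"\abc.exe"),       # restarted by daemon
    ev(9.0, "terminate", 103, TMP + r"\filename.exe"),
    ev(9.9, "create", 104, TMP + r"\filename.exe", 102, TMP + r"\abc.exe"),       # and again
    ev(20.0, "create", 200, r"C:\Windows\notepad.exe", 10, EXPLORER),
    ev(25.0, "terminate", 200, r"C:\Windows\notepad.exe"),
    ev(40.0, "create", 201, r"C:\Windows\notepad.exe", 10, EXPLORER),            # user reopened it
]


def base(path):
    """Case-insensitive file name, so path spelling differences do not matter."""
    return ntpath.basename(path or "").lower()


def find_self_spawns(events):
    """Creations where child and parent share an image name: the pattern left by a
    process that launches a copy of itself (for example, suspended, to be overwritten)."""
    return [(e["ppid"], e["pid"], base(e["image"]))
            for e in events
            if e["event"] == "create" and base(e["image"]) == base(e["parent_image"])]


def find_watchdog_restarts(events, window=1.5):
    """An image terminated and re-created within `window` seconds by a different image.
    A 900 ms poll loop shows up as gaps just under one second, repeated each time."""
    last_exit = {}
    hits = []
    for e in sorted(events, key=lambda e: e["t"]):
        name = base(e["image"])
        if e["event"] == "terminate":
            last_exit[name] = e["t"]
        elif e["event"] == "create" and name in last_exit:
            gap = e["t"] - last_exit[name]
            if 0 <= gap <= window and base(e["parent_image"]) != name:
                hits.append((base(e["parent_image"]), name, round(gap, 3)))
    return hits


def triage(events, window=1.5):
    """Combine both heuristics; a restarter seen twice or more is reported as a watchdog."""
    restarts = find_watchdog_restarts(events, window)
    by_restarter = defaultdict(int)
    for restarter, _, _ in restarts:
        by_restarter[restarter] += 1
    return {
        "self_spawns": find_self_spawns(events),
        "restarts": restarts,
        "watchdogs": sorted(r for r, n in by_restarter.items() if n >= 2),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The restart window is deliberately a little wider than the 900 ms poll interval so that scheduling jitter does not hide the pattern, while the benign notepad restart fifteen seconds later stays below the threshold. Either heuristic alone is noisy on real hosts (service managers also restart processes, and some installers re-launch themselves), which is why the combined view, with the restarter's own parentage, is what an analyst would look at. Because the daemon is what brings filename.exe back, terminating both processes together, or the daemon first, is what the behaviour implies for cleanup.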

Zhang said that FortiGuard AntiVirus detected the malware and eliminated it. We recommend that you go through Zhang’s detailed notes to find out more about the spyware and how it works.
