Throughout July, NTT Security identified a large number of Agent Tesla and Hawkeye keylogger samples that all used the same SMTP (Simple Mail Transfer Protocol) hosting provider for exfiltration. Through our research, we identified with high confidence the actor, or one of the actors, running these campaigns.

Jacob Faires, Senior Threat Research Analyst at NTT Security, explains more in this guest blog post.

Agent Tesla samples active during the month of July were processed through automated and manual analysis. The first trend identified was that the Agent Tesla C2 domains all forwarded SMTP traffic to 208.91.198.143, which is us2.mailhostbox.com.

Scraping credentials from pcaps generated during automated runs allowed us to establish a linked set of indicators through shared email addresses and passwords, exposing a small portion of the infrastructure used across multiple active campaigns.

The actor has been active since at least March 2017. The campaigns he runs are disjointed and have little structure, generally lasting a week or less. A keylogger, Agent Tesla or Hawkeye, is distributed using malspam. Sometimes a domain is created to lend legitimacy to the malspam emails, but more often they are sent from a newly created domain with no naming relation to the campaign. The actor then uses the gathered credentials to access victim email accounts and glean any information that might be usable for monetary gain. The most common scam was to request that the bank account on a scheduled wire transfer be changed to one controlled by the actor.

These campaigns shared a number of attributes:

  • Typo squatting and spear phishing
  • Malicious Office macros and CVE-2017-11882 exploits
  • DNS hosting providers
    • bitcoin-dns.hosting or site-dns.com provide DNS for the exfiltration domains
  • Delivery of Agent Tesla or Hawkeye keylogger
  • SMTP exfiltration traffic over port 587 without TLS
    • This includes login information: SMTP and IMAP credentials were sent in clear text.
  • Auto-forwarding of logs
    • Primarily to Gmail, though other two-factor sites were noted.
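The two observations above that made attribution possible, credentials scraped from sandbox pcaps and keyloggers authenticating to the SMTP server in clear text on port 587, can be turned into a repeatable check. The following is an added example written for this post, not NTT Security's tooling: it walks a text rendering of each sandbox run's SMTP session (the `C: `/`S: ` line format, the host names, account names and sample ids are all assumed placeholders), flags runs that sent `AUTH LOGIN` or `AUTH PLAIN` without a successful `STARTTLS` first, reports only the account name (the password is noted as present, never returned), and then links samples into clusters when they share an exfiltration host or account, which is how a handful of runs reveal one shared infrastructure.

```python
import base64
from collections import defaultdict


def _b64(token):
    """Decode one base64 token, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def _take_plain(info, token):
    """AUTH PLAIN packs authzid NUL authcid NUL password into one base64 token."""
    parts = (_b64(token) or "").split("\0")
    info["account"] = parts[1] if len(parts) > 1 else (parts[0] or None)
    info["password_seen"] = len(parts) > 2 and parts[2] != ""


def parse_smtp_session(lines):
    """Walk a "C: "/"S: " transcript: did the client AUTH before STARTTLS, and as
    which account? The password is only recorded as present, never returned."""
    info = {"auth_method": None, "account": None, "password_seen": False, "tls_before_auth": False}
    pending = None                      # what the next line is expected to carry
    for raw in lines:
        who, sep, text = raw.partition(": ")
        words = text.split()
        if not sep or not words:
            continue
        if who == "S":
            if pending == "starttls" and words[0].startswith("220"):
                info["tls_before_auth"] = info["auth_method"] is None
                break                   # TLS is up; everything after this is ciphertext
            pending = None if pending == "starttls" else pending   # server refused STARTTLS
            continue
        cmd = " ".join(words[:2]).upper()
        if pending == "login-user":
            info["account"], pending = _b64(words[0]), "login-pass"
        elif pending == "login-pass":
            info["password_seen"], pending = _b64(words[0]) is not None, None
        elif pending == "plain":
            _take_plain(info, words[0])
            pending = None
        elif cmd == "STARTTLS":
            pending = "starttls"
        elif cmd == "AUTH LOGIN":       # with or without an initial response
            info["auth_method"] = "LOGIN"
            info["account"] = _b64(words[2]) if len(words) == 3 else None
            pending = "login-pass" if len(words) == 3 else "login-user"
        elif cmd == "AUTH PLAIN":
            info["auth_method"] = "PLAIN"
            if len(words) == 3:
                _take_plain(info, words[2])
            pending = None if len(words) == 3 else "plain"
    return info


def find_cleartext_auth(sessions):
    """Flag every run whose client sent SMTP AUTH without STARTTLS first."""
    findings = []
    for sid, sess in sessions.items():
        info = parse_smtp_session(sess["lines"])
        if info["auth_method"] and not info["tls_before_auth"]:
            findings.append(dict(sample=sid, dst=sess["dst"], port=sess["port"], method=info["auth_method"],
                                 account=info["account"], password_seen=info["password_seen"]))
    return findings


def cluster_samples(sessions):
    """Union-find: samples land in one cluster when they share an exfil host or account."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for sid, sess in sessions.items():
        account = parse_smtp_session(sess["lines"])["account"]
        keys = ["host:" + sess["dst"].lower()] + (["account:" + account.lower()] if account else [])
        for key in keys:
            parent[find(sid)] = find(key)
    groups = defaultdict(list)
    for sid in sessions:
        groups[find(sid)].append(sid)
    return sorted(sorted(g) for g in groups.values())


def _login_exchange(host, user, password):
    """Constructed clear-text AUTH LOGIN dialogue, as a keylogger client performs it."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return [f"S: 220 {host} ESMTP", "C: EHLO victim-pc", "S: 250 AUTH LOGIN PLAIN", "C: AUTH LOGIN",
            "S: 334 VXNlcm5hbWU6", "C: " + enc(user), "S: 334 UGFzc3dvcmQ6", "C: " + enc(password), "S: 235 ok"]


# Constructed sessions (placeholders, not captures from the post): A and B share a host,
# D shares A's account on a different host, C upgrades to TLS before authenticating.
SESSIONS = {
    "sample-A": {"dst": "smtp.c2-one.test", "port": 587,
                 "lines": _login_exchange("smtp.c2-one.test", "logs@c2-one.test", "fake-pw")},
    "sample-B": {"dst": "smtp.c2-one.test", "port": 587, "lines": [
        "S: 220 smtp.c2-one.test ESMTP", "C: EHLO victim-pc", "S: 250 AUTH LOGIN PLAIN",
        "C: AUTH PLAIN " + base64.b64encode(b"\0logs2@c2-one.test\0fake-pw").decode(), "S: 235 ok"]},
    "sample-C": {"dst": "smtp.c2-two.test", "port": 587, "lines": [
        "S: 220 smtp.c2-two.test ESMTP", "C: EHLO victim-pc", "S: 250 STARTTLS",
        "C: STARTTLS", "S: 220 Ready to start TLS"]},
    "sample-D": {"dst": "smtp.c2-three.test", "port": 587,
                 "lines": _login_exchange("smtp.c2-three.test", "logs@c2-one.test", "fake-pw")},
}

if __name__ == "__main__":
    for f in find_cleartext_auth(SESSIONS):
        print(f"{f['sample']}: AUTH {f['method']} to {f['dst']}:{f['port']} in clear, account={f['account']}")
    print("clusters:", cluster_samples(SESSIONS))
```

Clustering on both the destination host and the authenticating account is the point: sample-D talks to a different SMTP host than sample-A, but reuses the same mailbox, so the two collapse into one cluster, while sample-C, which negotiated STARTTLS, yields no credential and stands alone until a host or account it uses appears elsewhere.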


Through monitoring, NTT observed test logs that stated their source IP addresses.

All IP addresses pointed back to servers physically located in Lagos, Nigeria:

105.112.120.98
105.112.122.95
105.112.36.154
105.112.36.221
105.112.96.222
105.112.99.230
197.210.58.157
41.190.2.205
41.203.78.181
41.203.78.234

It was also noted that some of the Hawkeye keylogger logs appeared to have been generated on the operator's own machine, as the logs contained usernames and passwords for compromised accounts. This led us to start checking for logs containing the operator's machine name.


Operational Security (OPSEC)


Upon analysis of atg1@atq-ye[.]com, it was noted that a large number of logs had a source IP address of 105.112.99.230, one of the Agent Tesla test sources.



Recovered screen captures showed the user logged into accounts captured by the malware, suggesting this is our threat actor's own machine. The actor infected themselves, most likely for testing purposes, and in doing so inadvertently allowed us to identify them.


Another screen capture showed the user logged into Facebook.


On Facebook, this individual has their name as Zeel Ken Obasi. Their real name is more likely the one implied by the computer’s name, Ken Chima.


The user noticed the access after a couple of days of monitoring and permanently deleted all of the logs pertaining to their machine.


This research focused only on a single exfiltration node. Many more were discovered during analysis and monitoring, along with new malware samples ready to be delivered.


IOCs

IPs

105.112.120.98
105.112.122.95
41.203.78.181
41.190.2.205
105.112.99.230
208.91.198.143
105.112.96.222
197.210.58.157
105.112.36.221
41.203.78.234
105.112.36.154


Domains

smtp.fortvelle.com
smtp.q3r.in
smtp.atq-ye.com
us2.smtp.mailhostbox.com
smtp.conisub.com
smtp.akkka-mep.com
smtp.agavecomquista.com
smtp.easterncarqo.co.in
smtp.tetenel.com
smtp.uml-db.com


Email Addresses

chisales65@gmail.com
artesanosdalvino.alberto@gmail.com
jessica.ho@pullppy.com
freshm1@vivaldi.net
lmontero@conisub.com
dthornley@fortvelle.com
davidcrotts333@gmail.com
dmilep76@gmail.com
nahas@akkka-mep.com
ivanfung60@yahoo.com
ViFeki3@yandex.com
inderjit@easterncarqo.co.in
mekfooods@gmail.com
utonwamichael@gmail.com
general@uml-db.com
bike@tetenel.com
atg1@atq-ye.com
starmoney1001111@gmail.com
wizzymax3@gmail.com
import@q3r.in
star-money@tetenel.com
jah-origin@agavecomquista.com

SHA-256

78e1bb7e657847ca8e29bf84bb8f88ed91a8052fd77340b473d695def2603953
b7e9c0f6bc896b8aa13c9f0bd25913921a3e45faae236b3d03423d5d75d6deed
01f222e64a302e2da7c4d40282fcd5951c1fb87878798278d26655efc72a16a5
44d38d5834392f7a0cc0cb38a4be7f495dce31325d46684479e8572aeb5a9ce5
d7b353d7dc0327e40f1db2ee49c039fd0ed52b3db8e3591a25f1200d3a60b965
56697b18f497badc9e2197773a7d3a5598fa88cfe8080b0c12c734943e158423
dd763426b9a8cbe65b8041728bb18923ce5028aa7045154d2092f5991f2787eb
4ca30230e01d8ae0b8d5534adf711aa2161dfd99c066c1842574fcc6e38c1a19
a0a84ef378c8199a1b4511396d185b39d2dca86ffc608144f9d12f61d7d48cfd
b6d58c312dee6beed5ea3b09ad8692f738c6947fd6d3095750dc954d80f65b28
7f2c430e1c1732fb4e513c40a7071f25b463d66f1c1b97f1cde1268265958ffd
3ca44d745a2ccac006017ec4e8b1e40a02831d114b85bf711c536775d729e3d7
ABDC26837B24E561D034E79268EF3D7917651296A1AA055B62F2AD409428675E
c05d862017e3fe89668d247ed5f84269b581b233b5d2ea130a8c09e736dc860b
25ee878fa1759d6c2b369206d6fd843cbaa3cf6761655e0e8884c4150a1970d7
4abf9a2f3e1e9a930d327af1a34ccb72ee914014eb013c6d922424fb43ac7716
8a99dac3ae2da7639b0544b3f0b40f4b76ecaacd5c7c089da603bdaed39d14a9
0b85fc34960b2b6a84bbf4dd54112e6d0f2b44b4530b73ddf6ef2d70a94af4b7
c30a79f10cebaed8840b47084901ee13fd05adaac1372e5b5f5ae669c8ae491b
0913a4bbe21a6a68dab06bd21a7595af0b137940bb852f9109c78a3fb5476fc3
1F15CBA60B28E9E5D982A8BB63D9BE628762C3B2E9442C2A9BB5998CE611D30B
5e31082ad14cdc2be4da9c02bade2552683e10f46f9a94d93f8c579eca7733cf
f5379bc0bf8c61a2d2781db3636871f7ed45d14ff9278cae48339a6007d86b58
0b1fe9fe3b752d664cb17069bacb2614e5c5196fc1c79adbc5dd95e78b40ed39
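Indicators in a post like this rarely arrive in a form a log search can use directly: one address above appears with a stray space, the actor's mailbox is written defanged as atg1@atq-ye[.]com in the body, and mail logs often upper-case addresses. The following is an added example, not part of the original post or NTT Security's tooling, that normalises a handful of the indicators listed above (the indicator values are taken from this page; the log lines are constructed), classifies each as IP, domain or email, and searches sample gateway, DNS and proxy records for them with anchored, case-insensitive patterns so that domains also match their subdomains while IPs do not match inside longer numbers.

```python
import ipaddress
import re

# Indicators copied from the list above, exactly as a reader might paste them:
# one defanged with "[.]" and one carrying the stray space that appears in the post.
RAW_IOCS = ["208.91.198.143", "197. 210.58.157", "smtp.fortvelle.com",
            "atg1@atq-ye[.]com", "us2.smtp.mailhostbox.com"]

# Constructed log lines (not from the post): mail gateway, DNS resolver and proxy events.
SAMPLE_LOGS = [
    "2017-07-12T10:31:05Z mailgw outbound dst=208.91.198.143:587 starttls=no auth=plain",
    "2017-07-12T10:31:04Z dns query qname=smtp.fortvelle.com type=A",
    "2017-07-12T10:40:00Z dns query qname=smtp.example.org type=A",
    "2017-07-13T08:02:11Z proxy src=10.0.0.5 dst=197.210.58.157:443",
    "2017-07-13T09:00:00Z mailgw inbound from=ATG1@ATQ-YE.COM subject=Invoice",
]


def refang(indicator):
    """Normalise a pasted indicator (defanging, stray whitespace, case) and classify it."""
    s = re.sub(r"\s+", "", indicator.lower())
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@").replace("hxxp", "http")
    if "@" in s:
        return "email", s
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        return "domain", s.rstrip(".")


def build_matcher(raw_iocs):
    """One anchored, case-insensitive regex per indicator; domains also match their subdomains."""
    patterns = []
    for raw in raw_iocs:
        kind, value = refang(raw)
        if kind == "ip":
            rx = r"(?<![\d.])" + re.escape(value) + r"(?![\d.])"
        elif kind == "domain":
            rx = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(value) + r"(?![\w.-])"
        else:
            rx = r"(?<![\w.+-])" + re.escape(value) + r"(?![\w.-])"
        patterns.append((kind, value, re.compile(rx, re.IGNORECASE)))
    return patterns


def scan(lines, matcher):
    """Return one hit per (line, indicator) pair found in the log lines."""
    hits = []
    for i, line in enumerate(lines):
        for kind, value, rx in matcher:
            m = rx.search(line)
            if m:
                hits.append({"line": i, "kind": kind, "indicator": value, "matched": m.group(0)})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS, build_matcher(RAW_IOCS)):
        print(f"line {h['line']}: {h['kind']} {h['indicator']} (seen as '{h['matched']}')")
```

The mailhostbox host in the list never fires against these sample lines, which is the behaviour a defender wants: a match should come from a concrete record, not from a loose substring, and the anchors stop 208.91.198.143 from matching a longer address such as 208.91.198.1430.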