Throughout July, NTT Security identified a large number of malware samples using the same SMTP (Simple Mail Transfer Protocol) hosting provider for exfiltration by Agent Tesla and Hawkeye keyloggers. Through our research, we determined a high confidence identification of the actor, or one of the actors, running these campaigns.
Jacob Faires, Senior Threat Research Analyst at NTT Security, explains more in this guest blog post.
Agent Tesla samples active during the month of July were processed through automated and manual analysis. The first trend identified was the use of C2 domains for Agent Tesla that all forwarded SMTP traffic to 184.108.40.206, which is us2.mailhostbox.com.
Scraping credentials from pcaps generated during automated runs allowed us to establish a linked set of indicators through shared email addresses and passwords, displaying a small portion of the infrastructure used in multiple active campaigns.
The actor has been active as early as March of 2017. The campaigns he runs are disjointed and have little structure, generally lasting a week or less. A keylogger, Agent Tesla or Hawkeye, is distributed using malspam. Sometimes a domain is created to aid in the legitimacy of the malspam emails, but more often they are sent from a newly created domain without a naming relation to the campaign. The actor then uses the gathered credentials to access victim email accounts to glean any information that might be usable for monetary gain. The most common scam was to request that a bank account be changed on a scheduled wire transfer to one managed by the actor.
These campaigns shared a number of attributes:
- Typo squatting and spear phishing
- Malicious Office macros and CVE-2017-11882 exploits
- DNS hosting providers
  - They use bitcoin-dns.hosting or site-dns.com as DNS providers for exfiltration
- Delivery of Agent Tesla or Hawkeye keylogger
- SMTP exfiltration traffic over port 587 without TLS
  - This includes login information. SMTP and IMAP credentials were in clear text.
- Auto-forwarding logs
  - Primarily to Gmail, though other two-factor sites were noted.
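The credential scraping from pcaps and the cleartext port-587 pattern described above can be reproduced on a decoded SMTP session. The following is an added example (not NTT's tooling) that walks a constructed client/server transcript, flags any AUTH LOGIN or AUTH PLAIN that happens before a STARTTLS, and decodes the exposed credentials; the session text, host names and credentials are placeholders, and the "C: "/"S: " line prefixes are an assumed transcript format.

```python
import base64

# Constructed SMTP session (C: client, S: server), not captured traffic.
# It mirrors the port-587 pattern above: the server offers STARTTLS, the
# client ignores it and authenticates in the clear. Placeholder credentials.
SAMPLE_SESSION = """\
S: 220 mail.example.invalid ESMTP
C: EHLO victim-host
S: 250-mail.example.invalid
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bG9nc0BleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: UGFzc3cwcmQh
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<logs@example.invalid>
"""


def _b64(s: str) -> str:
    return base64.b64decode(s.strip()).decode("utf-8", "replace")


def find_cleartext_smtp_auth(session: str) -> list[dict]:
    """Return one finding per SMTP AUTH that occurs before any STARTTLS."""
    lines = [l.partition(": ") for l in session.splitlines() if l.strip()]
    findings, tls_started = [], False
    for i, (side, _, text) in enumerate(lines):
        if side != "C":
            continue                      # only client commands matter here
        words = text.split()
        if words and words[0].upper() == "STARTTLS":
            tls_started = True            # any later AUTH would be inside TLS
        elif len(words) >= 2 and words[0].upper() == "AUTH" and not tls_started:
            mech = words[1].upper()
            if mech == "LOGIN" and i + 4 < len(lines):
                # client answers to the two "334" prompts: base64 user, password
                user, pw = _b64(lines[i + 2][2]), _b64(lines[i + 4][2])
            elif mech == "PLAIN" and len(words) == 3:
                # AUTH PLAIN <base64(authzid NUL authcid NUL password)>
                _, user, pw = _b64(words[2]).split("\0")
            else:
                continue
            findings.append({"mechanism": mech, "user": user,
                             "password": pw, "line": i + 1})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_smtp_auth(SAMPLE_SESSION):
        print(f"cleartext AUTH {f['mechanism']} as {f['user']} at line {f['line']}")
```

The decoded mailbox is the exfiltration destination the campaign relies on, which is the shared indicator used above to link samples.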
Through monitoring, NTT noticed test logs in which the source IP address was stated.
All IP addresses pointed back to servers physically located in Lagos, Nigeria.
It was also noted that some of the Hawkeye keylogger logs appear to have been run from the operator's own machine, as the logs contained usernames and passwords for compromised accounts. This led us to start checking for logs containing the operator's machine name.
Operational Security (OP Sec)
Upon analysis of atg1@atq-ye[.]com, it was noted that a large number of logs had a source IP address of 220.127.116.11, one of the Agent Tesla test sources.
Recovered screen captures showed the user logged into accounts captured by the malware, suggesting this is our threat actor’s own machine. The actor infected themselves, most likely for testing purposes, inadvertently allowing us to identify them.
Another screen capture showed the user logged into Facebook.
On Facebook, this individual gives their name as Zeel Ken Obasi. Their real name is more likely the one implied by the computer's name, Ken Chima.
The user noticed the access after a couple of days of monitoring and permanently deleted all of the logs pertaining to their machine.
This research only focused on a single exfiltration node. Many more were discovered during analysis and monitoring, along with new malware samples ready to be delivered.