{"id":1751,"date":"2024-09-25T06:36:54","date_gmt":"2024-09-25T06:36:54","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1751"},"modified":"2025-07-29T03:12:30","modified_gmt":"2025-07-29T03:12:30","slug":"analysis-of-new-wave-of-ppam-agent-tesla-part-2","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-new-wave-of-ppam-agent-tesla-part-2\/","title":{"rendered":"Analysis of New wave of .PPAM Agent Tesla \u2013 Part 2"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"940\" height=\"342\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-20.webp\" alt=\"\" class=\"wp-image-1763\"\/><\/figure>\n\n\n\n<p>In the <a href=\"https:\/\/lmntrix.com\/lab\/analysis-new-wave-xla-agent-tesla-part1\/\" target=\"_blank\" rel=\"noreferrer noopener\">previous post<\/a>, we saw <a href=\"https:\/\/lmntrix.com\/lab\/analysis-new-wave-xla-agent-tesla-part1\/\" target=\"_blank\" rel=\"noreferrer noopener\">how the Agent Tesla malware has infected its victims<\/a> by using a PS1 PowerShell script to invoke web requests to the blacklisted IPs. Agent Tesla\u2019s successful delivery method is through email, either in the form of spam or more targeted phishing campaigns with OPEC (Oil Production Export Countries) or COVID-19-based themes, where the malware is sent as an attachment: a macro-enabled Microsoft document (.DOC, .XLA\/.XLS, .PPT file format), Microsoft document add-on files (.XLL), or a compressed archive. 
According to LMNTRIX CDC&#8217;s observations, there were reports of files infected with the Agent Tesla RAT being delivered to over 8000 customers as recently as 2021\/22.<\/p>\n\n\n<div class=\"wp-block-image is-resized\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"980\" height=\"541\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-23.webp\" alt=\"\" class=\"wp-image-1756\"\/><\/figure>\n<\/div>\n\n\n<p>This kind of email usually carries Microsoft Office (Excel) documents as .XLA\/.XLS files, but this sample uses the .PPAM extension, which contains VBA macros that execute and automate tasks. \u2018.PPAM\u2019 is an add-in file format used by Microsoft PowerPoint, the program used to develop slideshow presentations.<\/p>\n\n\n\n<p>It contains components that can provide additional functionality, including extra commands, customized macros, and new tools for extending the default PowerPoint functions. Mainly, it supports \u201cadd-ins\u201d developed by third parties to add new features, which attackers can abuse to execute macros automatically for further action on objectives.<\/p>\n\n\n\n<p><strong>Control Flow Diagram of Agent Tesla RAT (Version 3x)<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"549\" height=\"839\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-22.webp\" alt=\"\" class=\"wp-image-1757\"\/><\/figure>\n<\/div>\n\n\n<p><strong>Infection Chain<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"325\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-21.webp\" alt=\"\" class=\"wp-image-1758\"\/><\/figure>\n\n\n\n<p>The initial vectors may vary depending on the targets, and it&#8217;s well known that threat actors perform basic reconnaissance before deciding on their method of 
infection.<\/p>\n\n\n\n<p><strong>Sample Information<\/strong><\/p>\n\n\n\n<p>PPT: 34c5d4ce20a550336303c0bdb5df78f6ed1727c3993e79e27d58f30ac5cbc055<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"218\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-21.webp\" alt=\"\" class=\"wp-image-1760\"\/><\/figure>\n\n\n\n<p><strong>File Metadata<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"757\" height=\"419\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-20.webp\" alt=\"\" class=\"wp-image-1761\"\/><\/figure>\n\n\n\n<p><strong>Technical Analysis of .PPAM Document<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"366\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-20.webp\" alt=\"\" class=\"wp-image-1762\"\/><\/figure>\n\n\n\n<p>When a user opens an Office file containing macros, the macros execute and fetch further content from the Internet. VBA macros are a well-known method for malicious actors to gain initial access and deploy malware. These files are based on the Office Open XML standard, an <a href=\"https:\/\/support.microsoft.com\/en-us\/office\/open-xml-formats-and-file-name-extensions-5200d93c-3449-4380-8e11-31ef14555b18\" target=\"_blank\" rel=\"noreferrer noopener\">XML-based file format introduced by Microsoft<\/a> that cannot be read by PowerPoint versions earlier than MS Office 2010\/2013. We can therefore extract and view the contents of the file. 
The XML file format is both human- and machine-readable and is designed to transport data over the internet.<\/p>\n\n\n\n<p>The XML file format contains three categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Section one with Document Identification<\/li>\n\n\n\n<li>The Document Content<\/li>\n\n\n\n<li>Meta Data with fields and facets<\/li>\n<\/ul>\n\n\n\n<p><strong>Malware Persistence<\/strong><\/p>\n\n\n\n<p>Agent Tesla malware can achieve persistence by creating the following registry entries on Windows:<br>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<br>\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run<\/p>\n\n\n\n<p>Agent Tesla can also create a scheduled task by using schtasks.exe to add and\/or modify the task schedule:<br>Process created: C:\\Windows\\System32\\schtasks.exe&#8221; \/Create \/TN &#8220;&#8221; \/XML &#8220;C:\\Users\\\\AppData\\Local\\Temp\\.tmp<\/p>\n\n\n\n<p><strong>VBA Dialog msgbox<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"940\" height=\"342\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-20.webp\" alt=\"\" class=\"wp-image-1763\"\/><\/figure>\n\n\n\n<p>Once the user executes the macros, the message box shown above is displayed.<\/p>\n\n\n\n<p>This can occur while the document is being opened or while it is being closed.<\/p>\n\n\n\n<p>This is a simple and well-known method of evading detection rules. 
That is, the Auto_Open() or Auto_Close() method.<\/p>\n\n\n\n<p><strong>File structure of the .PPAM file<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"370\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-16.webp\" alt=\"\" class=\"wp-image-1764\"\/><\/figure>\n\n\n\n<p>The folders shown above contain the base functions of the process, which are used to initiate the VBA_Project macros. The VBA project is where the modules and forms are stored when you write VBA code in Excel. Microsoft Forms is an object library; a reference to the Forms library is added to the VBA project in order to use it.<\/p>\n\n\n\n<p><strong>Temp files<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"352\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-14.webp\" alt=\"\" class=\"wp-image-1765\"\/><\/figure>\n\n\n\n<p>TEMP files (aka foo files) with the .TMP extension are temporary files that may be created by various software programs. They are typically generated while the program is running to store information temporarily, and are automatically deleted when the program is closed.<\/p>\n\n\n\n<p>The temp folder is a prime target for malware such as Agent Tesla. 
Recent malware strains are often attached to or embedded in legitimate programs to perform malicious actions.<\/p>\n\n\n\n<p><strong>VBA Project Content<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"439\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/10-13.webp\" alt=\"\" class=\"wp-image-1766\"\/><\/figure>\n\n\n\n<p><strong>Decoded Content<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"622\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/11-7.webp\" alt=\"\" class=\"wp-image-1767\"\/><\/figure>\n\n\n\n<p><strong>Command line for PowerShell [.PS1] script<\/strong><\/p>\n\n\n\n<p>Once the macros are executed, the malware uses the PowerShell script to invoke web requests to the domain shown above (the bigXXXXet domain). The connecting domain is actually a legitimate website, but as we noticed, the full URI of the website makes us believe it&#8217;s a phishing website.<\/p>\n\n\n\n<p>How is it done? 
As per the VBA_project code, the URI is formed; please refer to the decoded content.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"112\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/12-6.webp\" alt=\"\" class=\"wp-image-1768\"\/><\/figure>\n\n\n\n<p><strong>Indicators of Compromise for Agent Tesla Sample<\/strong><\/p>\n\n\n\n<p><strong>Preventive Measures for Agent Tesla RAT<\/strong><\/p>\n\n\n\n<p>Recent updates from the MSRC Security blog suggest that users block the execution of MS Office macros in files obtained from the Internet or from an unknown source.<\/p>\n\n\n\n<p>If you don&#8217;t use the &#8220;Block macros from running in Office files from the Internet&#8221; policy, you can use the &#8220;VBA Macro Notification Settings&#8221; policy to manage how macros are handled by Office. This policy prevents users from being lured into enabling malicious macros.<\/p>\n\n\n\n<p>For more information, please check \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\" target=\"_blank\" rel=\"noreferrer noopener\">Macros from the internet will be blocked by default in Office<\/a>\u201d from MSDN.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post, we saw how the Agent Tesla malware has infected its victims by using the PS1 Powershell script to invoke the web request from the blacklisted IPs. 
Agent Tesla&rsquo;s successful delivery method is through email, either in the form of spam or more targeted phishing campaigns with OPEC (Oil Production Export Countries) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1763,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1751"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1751\/revisions"}],"predecessor-version":[{"id":4144,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1751\/revisions\/4144"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1763"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}