Threat Intel Digest

May 2020

Escalating Power

Logging into a person computer as a regular user makes it harder for malware to make changes to the computer, such as infecting critical files used by the operating system.

Nevertheless malware often finds a way to escalate its privilege to system-level access, so it can access your critical files and resources. It can exploit a vulnerability, or it can prompt you to allow a program to make changes to your computer. User access control, also called UAC, is a feature in Windows that ensures an application is using a limited user privilege. A malware or an application can trigger this feature if it needs a higher level of access. A prompt saying, “Do you want to allow the following program to make changes to this computer?” will pop up and require you to respond yes or no. Most of the time, we blindly click “Yes”. Some keen users will suspect something is wrong if this prompt suddenly appears out of nowhere. A clever malware will find a way to bypass UAC. Fortunately, there are also ways to make sure that UAC prompts you based on different scenarios. Commonly, it doesn’t matter if you are being prompted or not. Most of the time, the power lies in the hands of whoever is using the computer.


New Tesla But Not a Car

Tesla malware, sometimes called Agent Tesla, is a spyware, a keylogger, and a Trojan that steals information. A new variant of Agent Tesla is stealing credentials of more than 60 applications in the infected Windows machine.

The malware, an AutoIt executable, arrives as an attachment to a phishing email. The malware is heavily obfuscated and also uses a code injection technique to execute most of its functions. This new Agent Tesla malware has several functions, and each function is designed to steal credentials for specific applications, such as Chrome, Firefox, and so on. The malware steals credentials from over 60 applications, such as internet browsers, email clients, VPN applications, and download managers. It also looks into the registry keys to scour for more credentials. Finally, it sends this information via email to the malware author’s inbox by using SMTP protocol. At the end of the day, always be aware of phishing emails that come your way — they may end up stealing all your secrets.


Old-style Macro for a New Tax Season

Macro malware are still roaming around, even with stay-at-home orders in place. A Microsoft Excel 4.0 macro, an old-style-macro, has not been following social distancing rules and has been infecting computers during this tax season.

A legacy macro malware embedded in a fake IRS form in Excel format tries to infect unsuspecting users. Once the malicious macro is executed, it initiates a series of downloading events, until it downloads the main malware, a new NetWire variant. Netwire is a keylogger that can capture a screenshot of the infected machine, and is capable of stealing credentials. During this tax season, the main goal of this malware is to steal your tax information, your bank account details, and everything you typed on your computer. If you are staying home, be wary of emails and attachments that look like they come from your country’s tax agency. Social distance yourself from phishing emails and stay safe.