REMCOS and Agent Tesla loaded into memory with Rezer0 loader

An Italian government email address has been targeted by a phishing campaign. The attack aimed to install remote control and information-stealing tools on the victims’ machines.


What’s happened

During the last month, Telsy encountered a new phishing campaign, using banking and payment lures, that targeted email accounts of the Italian government and of companies in several industries.

The threat actor’s goal was to install Remcos (a remote control tool) or Agent Tesla (an information-stealing Trojan) on the victims’ computers.

The attackers initially sent fake emails that appeared to come from several legitimate companies or, in some cases, from compromised email accounts.

Moreover, some binaries were hosted on compromised websites.


Remcos and Agent Tesla

Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers, developed and distributed by an organization called Breaking Security.

Once installed, Remcos opens a backdoor on the computer, granting full access to the remote user.

It can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns.

Since it first appeared on the market, Remcos has gained popularity among cyber-attackers and even made it into the arsenal of APT actors like the Gorgon Group.

Agent Tesla is an extremely popular “malware-as-a-service” RAT and information-stealing Trojan, used to steal credentials, keystrokes, clipboard data, and other information from its operators’ targets.

Most commonly delivered via phishing campaigns, Agent Tesla has been deployed in several iterations since it first appeared around 2014.

It is in active development, constantly updated and improved with new features, obfuscation, and encryption methods, and it has also been used by the SilverTerrier APT group.


The findings

In the attack we observed, the malware used several evasion techniques to ensure its success. Among the most interesting are the following:

Mapping DLLs into the address space and resolving functions in the mapped file instead of the conventional LoadLibrary + GetProcAddress function calls;

Multiple layers of code injection to hide malicious actions behind seemingly legitimate processes;

Anti-reverse-engineering tricks to force a human malware analyst to spend more time on the sample.

In some cases the emails contain an archive with an executable inside, while in others they carry a document (RTF) that drops an executable.

All executables are written in .NET and have multiple stages in which the payload, usually a DLL, is loaded from the resources.

All emails belong to the same phishing campaign: the malicious executables were hosted on the same compromised website, and all share the same infection chain.

In fact, all malicious executables load and run the same library in memory, called SafeLSAPolicy.dll.

The latter has the task of loading into memory a library called Uint16.dll, which performs the actual final stage.
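As an added triage example (not part of Telsy’s report and not the campaign’s binaries), the check below scans a loader for a second PE header carried inside it, the pattern described above where the payload DLL is kept in the resources and loaded in memory, and reports whether that embedded image is a DLL and a .NET assembly. The sample it runs on is a constructed stand-in built from minimal PE headers; SafeLSAPolicy.dll and Uint16.dll are not reproduced.

```python
import struct

IMAGE_FILE_DLL = 0x2000   # Characteristics flag: the image is a DLL
CLR_DIR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET runtime header)


def find_embedded_pe(data: bytes, skip_host: bool = True) -> list:
    """Find PE headers in a blob; a loader with a PE payload in its resources yields several."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 28 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                chars, magic = struct.unpack_from("<HH", data, pe + 22)  # Characteristics, OptionalHeader.Magic
                opt = pe + 24
                ndirs_off, dirs_off = (108, 112) if magic == 0x20B else (92, 96)  # PE32+ vs PE32
                clr_rva = 0
                clr_off = opt + dirs_off + CLR_DIR_INDEX * 8
                if opt + ndirs_off + 4 <= len(data) and clr_off + 8 <= len(data):
                    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
                    if ndirs > CLR_DIR_INDEX:                  # CLR directory present?
                        clr_rva = struct.unpack_from("<I", data, clr_off)[0]
                hits.append({"offset": pos, "is_dll": bool(chars & IMAGE_FILE_DLL),
                             "is_dotnet": clr_rva != 0})
        pos = data.find(b"MZ", pos + 1)
    return hits[1:] if skip_host and hits else hits   # drop the outer file's own header


def build_pe_header(is_dll: bool, is_dotnet: bool) -> bytes:
    """Constructed minimal PE32 headers (no sections or code), only for the demo below."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> PE signature
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)      # EXECUTABLE_IMAGE (+ DLL)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if is_dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + file_hdr + bytes(opt)


def demo() -> list:
    """Constructed stand-in for a .NET loader carrying a .NET DLL payload in its resources."""
    loader = build_pe_header(is_dll=False, is_dotnet=True)
    payload = build_pe_header(is_dll=True, is_dotnet=True)
    sample = loader + b"\x00" * 0x200 + b"RSRC" + payload + b"\x00" * 0x40
    return find_embedded_pe(sample)   # -> one hit: an embedded .NET DLL
```

A file that reports an embedded .NET DLL is not malicious by itself, but it is the shape this campaign’s multi-stage loaders take and is worth pulling into the sandbox queue.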





This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which makes it possible to analyze and stay updated on adversaries and threats that could impact customers’ business.