Attackers Deliver 'AgentTesla' Keylogger Through Cybersquatted Domains, Zscaler Finds

Security researchers from Zscaler’s Threatlabz discovered that a commercial keylogger called “AgentTesla” was being delivered through cybersquatted domains (purchased domains that include names belonging to known companies). The keylogger is used to steal sensitive information such as passwords from the operating system’s clipboard or from browsers’ local storage.

The cybersquatted domain was “diodetechs.com,” and it was trying to imitate diodetech.com, which is the website of a consulting firm offering services to enterprise customers. Zscaler said it already notified Diodetech earlier this month, and the cybersquatted domain has been suspended.

The AgentTesla keylogger, which can extract information from clipboards and browsers and capture screenshots, was written in .NET and works on all versions of Windows. The attackers would send an infected Word document to potential victims over email. When the targets enabled macros in the document “so they can view it” (a trick often used by phishers), the macro would download and install the keylogger.

The AgentTesla keylogger is downloaded from “diodetechs.com/bless/cc.exe” and then executed from “%temp%\cc.exe” on the user's PC. It also makes a copy of itself as “JavaUpdtr.exe” in the “%Application Data%\Java\” directory so that it can pass for a Java updater. A registry entry is created as well, so the keylogger persists across reboots, at the following location: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run @ Java Updtr.

After all of that, the keylogger injects itself into an MSBuild.exe process, where it starts its keylogging activities. The attackers also use legitimate password recovery tools such as IEPasswordDump and MailPassView to steal user credentials from Internet Explorer and Microsoft Outlook.

The information collected by the keylogger is saved at “%temp%\log.tmp” in plain text, and the screenshots are saved in the folder “%appdata%\ScreenShot\”. All of it is then sent to the command-and-control server every 20 minutes.
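The persistence and staging artifacts described above (the “Java Updtr” Run value, the JavaUpdtr.exe copy, the dropped cc.exe, log.tmp and the ScreenShot folder) are enough for a simple host hunt. The script below is an added example, not Zscaler's or the article's code: it matches Run-key entries and file paths against those indicators, and on a live Windows host reads the current user's Run key, which is the per-user view of the HKEY_USERS path the article names (an assumption on my part; the path patterns are also constructed from the article's text).

```python
"""Hunt for the AgentTesla persistence/staging artifacts from the Zscaler write-up."""
import sys
from fnmatch import fnmatch

# Indicators taken from the write-up; path patterns are constructed for matching.
RUN_VALUE_NAME = "Java Updtr"
INDICATOR_PATHS = {
    "dropped copy posing as Java updater": r"*\Java\JavaUpdtr.exe",
    "initial dropper in %temp%": r"*\cc.exe",
    "plain-text keystroke log": r"*\log.tmp",
    "screenshot staging folder": r"*\ScreenShot",
}


def check_run_entries(run_entries):
    """Flag Run values named 'Java Updtr' or pointing at JavaUpdtr.exe.

    run_entries: dict of Run value name -> command string.
    """
    findings = []
    for name, command in run_entries.items():
        if name.strip().lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run value named '{RUN_VALUE_NAME}': {command}")
        elif "javaupdtr.exe" in command.lower():
            findings.append(f"Run value '{name}' launches JavaUpdtr.exe: {command}")
    return findings


def check_paths(paths):
    """Return a label for every path that matches one of the indicator patterns."""
    findings = []
    for path in paths:
        for label, pattern in INDICATOR_PATHS.items():
            if fnmatch(path.lower(), pattern.lower()):
                findings.append(f"{label}: {path}")
    return findings


def collect_run_entries_from_registry():
    """Read HKCU\\...\\Run on a live Windows host; returns {} elsewhere (assumed equivalent
    to the per-user HKEY_USERS\\<SID>\\Software\\...\\Run location named in the article)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries
```

On a Windows host, pass `collect_run_entries_from_registry()` to `check_run_entries` and a directory walk of `%TEMP%` and `%APPDATA%` to `check_paths`; any finding warrants pulling the host for full triage, since the Run value alone survives reboots.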

Zscaler said that it first learned about the keylogger when it landed in a customer’s cloud sandbox and was flagged for review. Upon further analysis, the company learned about the attackers’ cybersquatting tactics that were used to deliver the malware. Zscaler said that it will continue to look out for this malware and ensure protection against it with the company’s own cloud security products.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.