Origins of A Logger - Agent Tesla
1. Introduction
Since the early days of cybercrime, malware creation, distribution, command, and control have been challenging for all threat actors. However, in recent years, we have seen the emergence of different groups that have prepared each part of the attack chain as their business. Thus, a new line of business emerged, and modern malware distribution began to be dominated by initial access brokers (IABs) and their Malware-as-a-Service (MaaS) tools. IABs can sell the same access points to multiple groups simultaneously by exploiting various vulnerabilities, using zero-day exploits, setting up phishing services, or releasing fake software online. At this stage, instead of writing their own attack arsenals, the actors involved often purchase pre-written malware services or use leaked malware projects.
The story of Agent Tesla began in 2014 precisely due to this need. Agent Tesla is a .NET-based remote access trojan (RAT) and data stealer often used for MaaS. Used as the IABs' first-stage malware to gain initial access to systems, it allows more sophisticated second-stage tools to be downloaded. Over the years, various versions and variants of the widely popular Agent Tesla stealer have emerged, including the 2018 release of a new version called Origin Logger (also known as AgentTeslav3). During the 2020 pandemic, a new variant and its derivatives experienced a significant increase in popularity, maintaining their prevalence until 2023, when they entered a dormant period. Currently, the Origin Logger team and developers primarily target the accounting, manufacturing, insurance, marketing, and tourism sectors in Germany, Poland, Türkiye, Spain, Romania, Lithuania, and the UK with automated business email compromise (BEC) attacks. Once a system is infected, they exfiltrate valuable credentials through SMTP, FTP, or Telegram channels.
Recent research by the Malwation Threat Research (MTR) team has focused on BEC attacks targeting the company's employees. By tracing the IOCs of the executed attacks and pivoting the information, the MTR team was able to identify the developers behind Agent Tesla and Origin Logger and expose their methods. During their investigation, the MTR team discovered that the current Origin Logger variants use the open-source ConfuserEx 2 obfuscator project, which was then analyzed using the team's Chiron automated deobfuscator and unpacker tool.
This TLP:CLEAR report will cover the evolution of Agent Tesla since 2014 and how the development team created and evolved Agent Tesla and Origin Logger. Additionally, we will share the ConfuserEx 2 deobfuscator and unpacker project (Chiron [1]) developed by the MTR team, shedding light on Origin Logger (AgentTeslav3), an essential member of the MaaS ecosystem. In light of the developers' announcement that they will retire the Origin Logger service as of 1 July 2024, it has been decided to publish all details regarding the developers and their activities.
2. Analysis
2.1. Background
2.1.1. Agent Tesla
Agent Tesla is a remote access trojan (RAT) written in .NET and has been affecting Microsoft Windows systems since 2014. When it was first released, it became very popular with its free-of-charge features like stealing sensitive information (user's browser, passwords, FTP, files), keylogging, downloading additional payloads, and screenshot capture. The initial purpose of Agent Tesla, as far as its developers say, was to monitor the employees' devices and to carry out work follow-ups. Still, a few months after the first variant, the product has become paid and is now being sold. After the start of the sale, it has received continuous updates until today. With the team's initial sales policy, it became a malware-as-a-service (MaaS) model and was sold with various subscription models.
A high proportion of Agent Tesla affiliates use the spam and BEC capabilities included in the product to conduct phishing campaigns for the first infection chain, usually through legitimate e-mails sent from trusted sources. The team put the product on sale and added spam e-mail capabilities to adapt to the changing cybercrime market as of 2014. The team that developed Agent Tesla started making the first sales on agenttesla[.]wordpress[.]com in 2014 and took the first steps toward the substantial MaaS structure they would create. As can be seen in Figure 2, all posts since the team's first sales have been made by Turkish-speaking actors.
Analyst Note: Malware-as-a-Service (MaaS) is a business model where cybercriminals develop and sell or lease malware to other attackers or clients, similar to legitimate Software-as-a-Service (SaaS) models. MaaS allows individuals with limited technical skills to launch sophisticated cyberattacks by outsourcing malware development, maintenance, and distribution to specialized developers.
Just before the first sales, the team started to share the first versions of the product with users for free on underground forums under the heading '[FUD][FREE] Agent Tesla [Keylogger] [ClipboardLogger] [On-Screen Keyboard Logger]', and the product became well known. In the first, free versions of Agent Tesla (Figure 4), victim logs could be sent to the affiliate's e-mail address via SMTP, and the builder could create fully undetectable (FUD) files each time a new build was purchased.
The team realized that the MaaS model was catching on and being bought by everyone. On 24 October 2014, the Agent Tesla team updated their domain address and switched to agenttesla[.]com. Although the team only changed the product's price and packaging, it entered a market that has made the product widespread to this day. Nowadays, malware and attack methods have become a business, and everyone purchases these applications. As a result, both new and experienced threat actors have turned to such MaaS structures instead of keeping their own malware up to date and undetectable.
On this newly created domain, the team announced that they would now provide 24/7 live support via Discord, together with a disclaimer placing some restrictions on the use and distribution of the malware: 'Agent Tesla is not a malware. Please, don't use computers without access permission.' However, despite this disclaimer, many malware campaigns and attacks since 2014 have involved Agent Tesla developers.
Agent Tesla's popularity and visibility peaked in August 2018, when it was mentioned in many attacks and the increase in attacks became visible. On 4 March 2019, the Agent Tesla sales domains were shut down and their content taken down because of takedown issues involving the team. With messages posted on Agent Tesla's Discord servers on that date ("If you want to see a powerful software like Agent Tesla, we would like to suggest OriginLogger. OriginLogger is an AT-based software and has all the features."), the team started selling the new RAT, which they now call Origin Logger. [4]
Contrary to all these known facts, no report on the OriginLogger variant was published until the beginning of 2021, when researchers began to analyze AgentTesla v3 and publish their findings. OriginLogger is a variant of Agent Tesla, so the majority of tools and detections for Agent Tesla still trigger on OriginLogger samples. The main reason for this incorrect attribution is that all OriginLogger variants are written on top of the Agent Tesla source code; the so-called v3 versions add a Tor network connection option and transmit victim information via Telegram. Today, OriginLogger variants are still called AgentTesla v3.
2.1.2. Origin Logger
OriginLogger (also known as AgentTeslav3, Negasteal, ZPAQ) is RAT malware originally developed by Agent Tesla's developers in 2018 to create a new business while Agent Tesla's development was ongoing. The first findings of OriginLogger can be traced in the changelog on the originpro[.]me domain, opened by the same developers when sales started: '2018-08-29 07:21:47 OriginLogger—V1.0.0.0 OriginLogger released.' 2018 is thus known as the year of its creation.
Truth!!: The first developments and trials of OriginLogger can be seen in a YouTube video [https://www.youtube.com/watch?v=o-MDujYrtto] called 'Origin logger', which appeared just before the Agent Tesla market was closed in 2018. The video, posted on 04.11.2018, showed that the website was newly built, there was no changelog yet, and the first test victim in the dashboard was dated 19.08.2018. OriginLogger was developed entirely after AgentTesla v2, with additions to the same code base. To continue sales, the team added each new update to the changelogs under the malware's new sales domains. Since its creation, four different domains directly related to OriginLogger have been identified.
2.1.2.1. Building an OriginLogger
Before analyzing the OriginLogger malware and how it works, it is helpful to examine the OriginLogger build files, which were leaked for the first time on 06 September 2022. Figure 9 shows the steps by which the malware panel is accessed and the malware configuration is set once a subscription is obtained from the MaaS service.
The image above illustrates the process of building malware. During this process, the settings.ini file contains essential configurations, while the profile.origin file is significant as it stores the email and password needed for the user who purchased the malware to log in. From the settings page, we can see several options. Once the malware is executed, the method of data exfiltration can be configured (options include HTTP, Telegram, SMTP, and FTP). There's also an option to route the malware's internet traffic anonymously through the Tor network.
Additionally, users can specify various settings, such as the number of screenshots the malware will capture per second, whether to collect the victim's IP address, and whether to activate the keylogger. After all these configurations are set, the malware is built and prepared for the distribution network.
2.2. Malware Distribution
The main story of our Malwation Threat Research team's investigation into this malware started with a phishing email sent to one of our employees as a reply in an existing email chain. The email, sent by threat actors to an employee in our sales team as a reply to an earlier discussion, contained a link disguised as a fake PDF file that pointed to a download on Mediafire (mediafire[.]com). If the victim clicks the link, the next step is the download of an archive file from Mediafire. All such spam emails, sent by replying to legitimate and known correspondence or from trusted sources, are considered business email compromise (BEC) attacks.
Due to the nature of BEC, the user is reflexively exposed to different fraud methods, such as clicking a link from a trusted account, downloading an attached file, or sending money to altered IBANs. In this OriginLogger attack, which was automated to increase credibility, it was observed that the file names were changed after obtaining the targeted person's country information. At the same time, by harvesting the sender and registered contact information of all email accounts belonging to a victim, spam can be sent from the same account to all connected people, increasing the impact of the attack. In other words, the compromised users' emails are automatically forwarded to all their contacts with new malicious links chosen by the threat actor. Looking at the campaigns by the malicious file names used, words commonly used in manufacturing, tourism, and accounting (Confirmare de plată | Payment Confirmation | Zahlungsbenachrichtigung) are preferred in Germany, Poland, Türkiye, Spain, Romania, Lithuania, and the UK. The threat actors upload their malicious files to Mediafire under different names in a new campaign every day and forward each file to the email lists for the detected language and region; these files have been observed to reach download statistics of 10k+ per day.
Note: Due to the MaaS structure of OriginLogger and all similar RAT-Trojan malware families, the types and methods of attacks depend on the affiliate who purchased the malware. Although spam campaigns using a particular malware family are usually attributed to the malware itself, the attacks described here have been identified as being carried out by OriginLogger developers with moderate confidence.
When the victim clicks the archive link on Mediafire, the device downloads a gzip-compressed archive (.tgz) between 1.1 MB and 1.6 MB in size. When the downloaded archive is extracted, the result is a bloated executable: null (0x00) bytes have been appended to the end of the original file so that its large size bypasses antivirus engines and online sandboxes.
As can be seen in Figure 11, the original payload is only about 1 MB of the 732 MB file. When we remove the trailing zero bytes from the bloated file (debloating), all that is left is the OriginLogger malware wrapped by Cassandra Protector.
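The debloating step above is simple to script. The following is an added example (not Malwation's tooling and not part of the original report) that locates the real end of a PE file from its section table and removes only a trailing null-byte overlay. It also shows why the obvious `rstrip` approach can over-trim when the last section legitimately ends in zeros. The sample file is a constructed, header-only PE-shaped buffer, not a real binary.

```python
import struct

# Added example: strip null-byte padding appended to a PE file ("bloating")
# using the section table to find the real end of the executable, so that
# genuine trailing zeros inside the last section survive. Constructed demo,
# not Chiron or any Malwation code.

SECTION_HEADER_SIZE = 40


def pe_payload_end(data: bytes) -> int:
    """Return the offset one past the last byte referenced by the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    end = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        entry = section_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of the entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def debloat(data: bytes) -> tuple[bytes, int]:
    """Return (trimmed file, bytes removed). Only a pure null overlay is removed;
    a non-null overlay may be legitimate (installer data, signature) and is kept."""
    end = pe_payload_end(data)
    overlay = data[end:]
    if overlay and overlay.count(0) == len(overlay):
        return data[:end], len(overlay)
    return data, 0


def naive_debloat(data: bytes) -> bytes:
    """The obvious approach: strip every trailing zero byte. Over-trims when the
    real last section legitimately ends in zeros."""
    return data.rstrip(b"\0")


def build_bloated_sample(section_data: bytes, padding: int) -> bytes:
    """Constructed minimal PE-shaped input for the demo (headers only, not runnable code)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", hdr, coff, 0x14C, 1)   # Machine=i386, one section
    struct.pack_into("<H", hdr, coff + 16, 0xE0)   # PE32 optional header size
    entry = coff + 20 + 0xE0
    hdr[entry:entry + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, entry + 16, len(section_data), 0x200)
    return bytes(hdr) + section_data + b"\0" * padding


if __name__ == "__main__":
    # section data that genuinely ends in five zero bytes, then 1000 bytes of bloat
    sample = build_bloated_sample(b"\x55\x8b\xec" + b"\0" * 5, 1000)
    trimmed, removed = debloat(sample)
    print(f"bloated={len(sample)} trimmed={len(trimmed)} removed={removed} "
          f"naive={len(naive_debloat(sample))}")
```

On the constructed sample the header-aware version keeps the five legitimate zeros at the end of `.text` (520 bytes remain, 1000 removed), whereas `naive_debloat` also eats them and returns 515 bytes, a corrupted section. Hash the trimmed output, not the bloated file, when sharing IOCs, since the padding length varies between builds.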
2.3. Chiron Automated Unpacker
2.3.1. Cassandra Protector
Cassandra Protector, designed exclusively for .NET samples, offers a range of features as advertised on its sales site:
- Customizable injection methods
- Configurable persistence techniques
- Anti-Virus & Emulation evasion tactics
- Execution delay options
- Certificate-based protection signing
- Icon customization
- User-defined pop-up message boxes
- Customizable Assembly attributes
- Downloader creation and execution capabilities
Additionally, Cassandra Protector empowers users to:
- Select files for post-launch download and/or execution
- Set custom sleep intervals before continuing execution
- Deploy fake message boxes for misdirection
The malware developers recommend using Cassandra Protector in all versions of Origin Logger. The reason behind this is that on October 1, 2018, at 10:33 PM, when the first sales posts of Cassandra Protector were released, the team developing OriginLogger noticed these posts on an underground forum and wanted to examine the software as it caught their attention. After their review, it was observed that the team developing the malware began recommending this protector everywhere.
2.3.2. Chiron Unpacker
The packer used in OriginLogger works by loading executable .NET assemblies into memory with Assembly.Load(byte[] rawAssembly) and continuing execution from the loaded assembly. This function is run over and over again, exhibiting matryoshka-like nesting.
After all in-memory loading operations are finished, the last file (Tyrone) saves a unique resource to a different directory and runs it after decrypting it with RC4, using a key value specific to the file.
It uses ConfuserEx2's Constant Protection algorithm to protect the string expressions in the file (Tyrone) loaded at the last stage.
Chiron Unpacker [1] was created to automate the unpacking process for all packers working this way. Chiron Unpacker creates a special AppDomain and handles the Assembly.Load calls in this AppDomain. This allows us to handle all executable .NET applications loaded into memory after loading them.
When it is run on the OriginLogger sample named “o.exe” using the ResourceUnpack feature, the following operations are performed respectively:
- Creates a custom AppDomain that controls Assembly.Load events.
- Controls ProcessExit events in the main AppDomain (at this stage, if the ResourceUnpack feature is activated, the next stage is started).
- Runs the given file inside the created custom AppDomain.
The packer used in Origin Logger does not load the file that exhibits the malicious behavior in its final stage directly into memory, but instead saves it to disk (non-volatile storage). Therefore, Chiron Unpacker dynamically detects the RC4 key (by dynamically decrypting ConfuserEx2's constant encryption) and the resource name, completing the unpacking process. The ResourceUnpack process does the following, in order:
- Finds the function that contains the RC4 decryption algorithm.
- Finds where the RC4 algorithm is used (x-ref).
- Finds the parameter values sent as arguments to this function (resource and RC4 key).
- Saves the resource and performs RC4 decryption with the dynamically extracted RC4 key.
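The last step of the ResourceUnpack flow, decrypting the saved resource with the recovered key and checking that the result is the next-stage PE, is shown below as an added example. This is not Chiron's code; the key, the resource bytes and the `decrypt_resource` helper are constructed for the demo, and RC4 itself is the standard algorithm (checked against the public "Key"/"Plaintext" test vector).

```python
# Added example, not Chiron's own code: decrypt an extracted resource with a
# recovered RC4 key and sanity-check that the output is a PE image.
# DEMO_KEY and FAKE_STAGE are constructed for the demo, not from a real sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_resource(resource: bytes, key: bytes) -> bytes:
    """Decrypt a saved resource and verify it is a PE (the expected next stage).
    A wrong key or the wrong resource almost always fails the MZ check."""
    plain = rc4(key, resource)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted resource is not a PE image; wrong key or resource?")
    return plain


# Constructed stand-in for the encrypted resource: a fake next stage made from a
# PE-like prefix, encrypted here with a key chosen for the demo.
DEMO_KEY = b"demo-rc4-key"
FAKE_STAGE = b"MZ" + b"\x90" * 14 + b"stage payload placeholder"
ENCRYPTED_RESOURCE = rc4(DEMO_KEY, FAKE_STAGE)

if __name__ == "__main__":
    stage = decrypt_resource(ENCRYPTED_RESOURCE, DEMO_KEY)
    print("recovered stage header:", stage[:2], "length:", len(stage))
```

In practice the resource bytes come from the file Chiron saves and the key from its dynamic extraction; the MZ check is a cheap way to confirm both were recovered correctly before handing the result to a .NET decompiler.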
When Chiron is run, it prints the loaded modules and the details of the ResourceUnpack operation on the screen.
Before Chiron, we could only see the file that did the unpacking. In this file, we see nothing about the configuration of the malware (C2 panel, features, etc.):
In the final file saved after Chiron's process, we can see the configurations related to the malware:
All these infection stages, which have been clarified as a result of the research, are seen in the recent attacks of the Origin Logger infection chain, as shown in Figure 21 below.
2.4. De-anonymization & Statistics
As the MTR team, following the BEC spam e-mails sent to our employees, we are sharing the OriginLogger developers and all of their activities, including the team's OPSEC errors, in this article, after the team announced that they were entirely out of business as of 1 July 2024. Since 2014, the Agent Tesla team has been writing one of the top ten RATs in the world; our de-anonymization process established connections at a moderate confidence level, and much earlier research related to this group surfaced during our own research. Although some of the findings in this section were already reported in the past, for example in 'Who is Agent Tesla?' by Brian Krebs in 2018 [2] and "The Origin of OriginLogger & Agent Tesla" [5] by Jeff White, pivoting on the information the Malwation Threat Research Team identified about the group made it possible to reach the real identities of the people behind the team that developed OriginLogger.
The real identities of the threat actors have been identified, and it is observed that they continue to carry out BEC attacks through the panels they continue to use even though they have closed their sales. The actors announced their retirement as of 1 July 2024 and stated that there will be no new versions. In their statement, they state that they are now ending the project they have been developing for 10 years (the same as the development date of AgentTesla).
Despite the threat actors' assertion that they have ceased operations by shutting down the systems mentioned above, they have continued their BEC attacks with country-based campaigns explicitly targeting Germany, Poland, Türkiye, Spain, Romania, Lithuania, and the UK. In their attack campaigns, the team that developed Origin Logger has been found to have captured more than 2,200 victim users (none of them end-users) and more than 100,000 credentials between 2023 and 2024. The actors persist in uploading at least two distinct country-specific malware samples to MediaFire daily, each initiating a new campaign. This has resulted in the generation of a considerable number of IOCs.
Due to the TLP:CLEAR restrictions, the developers' true identities are removed from the report. For the TLP:RED report and details, please contact Malwation Threat Research (info@malwation.com).
3. Conclusion
The increase in the number of threats today has led to the emergence of systems such as the ones discussed in this article, which most threat actors can easily access and use. At the same time, it has become necessary to analyze how these threats work, to develop threat analysis systems, and to drain the threat swamp by revealing the true identities of the threat actors. The Origin Logger malware, which usually appears as a commercial keylogger product, has reached a level that can be described as top 10 in the world, and the announcement of its retirement gives us essential clues to anticipate future threats and establish links between various groups. The Origin Logger malware, the last known variant of the Agent Tesla malware, has been exposed through its code similarities, its tactics, and its developers' OPSEC failures. Due to the aforementioned connections, the group announced its retirement on 1 July 2024.
There is widespread confidence that once IOCs have been gathered from the evidence of a threat or attack attempt, a direct and complete interdiction has been achieved. However, in an actual threat intelligence cycle, only a few people work on identifying and eliminating the primary source of the threat, another element that enables decision-makers to make strategic decisions and gain insights. As a result, the IOC data obtained in threat intelligence studies must be pivoted on, and proactive intelligence work should be carried out to reach the threat actors behind the computer. Only as a result of such a study will the decision-maker know how to produce the right intelligence. This report shows that Origin Logger threat actors compromise new business email accounts daily, generating a new name and malicious file specific to each attack campaign. Real-time threat intelligence cannot be provided by simply sharing IOCs.
IOCs
Please visit [6] for all IOCs.
References
[1] https://github.com/Malwation/Chiron-Unpacker
[2] https://krebsonsecurity.com/2018/10/who-is-agent-tesla/
[3] https://www.zscaler.com/blogs/security-research/agent-tesla-keylogger-delivered-using-cybersquatting
[4] https://unit42.paloaltonetworks.com/originlogger/
[5] http://ropgadget.com/posts/originlogger.html
[6] https://github.com/Malwation/malware-ioc/tree/main/originlogger