This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room at 14:00 on Friday 4 October.
Berk Albayrak & Utku Çorbacı (Malwation)
Since the early days of cybercrime, the creation, distribution, and command and control of malware have been a challenge for all threat actors. In today's attacks, however, we see the emergence of distinct groups that have each made one part of the attack chain their business. A new line of business has thus emerged, and modern malware distribution has come to be dominated by initial access brokers (IABs) and their Malware-as-a-Service (MaaS) tools. IABs obtain access by exploiting various vulnerabilities, using zero-day exploits, setting up phishing services, or releasing fake software online, and can then sell the same access to multiple groups simultaneously. At this stage, instead of writing their own trojans, the actors involved often purchase pre-written malware services.
The story of Agent Tesla began in 2014, precisely because of this need. Agent Tesla is a .NET-based remote access trojan (RAT) and data stealer that is often sold as MaaS. Used as the IABs' first-stage malware, once it has gained initial access to a system it allows more sophisticated second-stage tools to be downloaded. Over the years, various versions and variants of the widely popular Agent Tesla stealer have emerged, including a new version released in 2018 called Origin Logger (also known as AgentTeslav3). During the 2020 pandemic, a new variant and its derivatives saw a significant increase in popularity, and they remained prevalent until 2023, when they entered a dormant period. Currently, the Origin Logger team and developers are primarily targeting the accounting, industrial, marketing and tourism sectors in Turkey, Poland, Germany and the UK with automated business email compromise (BEC) attacks. Once a system is infected, they exfiltrate valuable credentials through SMTP, FTP or Telegram channels.
Recent research by the Malwation Threat Research (MTR) team has focused on BEC attacks targeting the company's employees. By tracing the IOCs of the executed attacks and pivoting on that information, the MTR team was able to identify the developers behind Agent Tesla and Origin Logger and expose their methods. During the investigation, the MTR team discovered that the current Origin Logger variant is protected with the open-source ConfuserEx 2 obfuscator; the samples were then analysed using the team's Chiron automated deobfuscator and unpacker tool.
This presentation will cover the evolution of Agent Tesla since 2014, how the development team created and evolved Agent Tesla and Origin Logger, and the true identities of the developers. Additionally, we will share the ConfuserEx 2 deobfuscator and unpacker project (Chiron) developed by the MTR team, shedding light on Origin Logger (AgentTeslav3), an important member of the MaaS ecosystem. In light of the developers' announcement that they will retire the Origin Logger service as of 1 July 2024, we have decided to publish all details regarding the developers and their activities.
Berk Albayrak

Berk Albayrak works as a threat research team lead at Malwation. Throughout his career, Berk has carried out many different operations against malware/APT groups. In addition, he has discovered and reported multiple threat actors and their TTPs to law enforcement authorities. His current role is to identify and report new critical threats and threat groups. Currently, he devotes his time to investigating threat groups and how to prevent their attacks.

Utku Çorbacı

Utku Çorbacı works as a security R&D engineer at Malwation. Throughout his career, Utku has worked on .NET reversing, malware analysis and emulation technologies. Currently, he continues to support the community with his open-source projects and blog posts. He is continuing his education at Yildiz Technical University.
Back to VB2024 conference page