
ThreatLabz September 2022 Report: The inconvenient truth about VPNs, updated Agent Tesla RAT campaign, Ares banking Trojan “new” DGA, Prynt Stealer double-dealing, and Crytox ransomware dissected.

Oct 07, 2022

ThreatLabz recently tracked significant developments in an Agent Tesla RAT campaign, examined an Ares Banking Trojan update, caught Prynt Stealer double-dealing, and put Crytox ransomware under the microscope. But first up, the findings from a survey conducted over the summer to identify the latest enterprise adoption trends, challenges, gaps, and solution preferences related to VPN risk.

The 2022 VPN Risk Report

Despite several high-profile breaches and ransomware attacks, VPNs remain popular, and they remain one of the weakest links in cybersecurity. Threat actors exploit their architectural deficiencies to gain an entry point and move laterally across corporate IT infrastructure to steal data. A new report commissioned by Zscaler analyzes the state of the remote access environment, the most prevalent VPN risks, and the growth in the adoption of zero trust. The key takeaway is that organizations must use a zero trust architecture (ZTA) to safeguard against the evolving threat landscape. Unlike a VPN, ZTA does not place users on the same network as business-critical information; it prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full TLS inspection to prevent compromise and data loss.

Figure 1: Responses from 351 cybersecurity professionals asked, “How concerned are you that VPN may jeopardize your ability to keep your environment secure?”  

Key findings of the report include:

  • 44% witnessed an increase in exploits targeting their VPN since adopting remote work
  • 65% of companies are considering adopting VPN alternatives
  • 68% say their focus on remote work accelerated the priority of zero trust projects, up from 59% in 2021
  • 78% of organizations are concerned about ransomware attacks
  • 80% of companies are in the process of adopting zero trust in 2022

Utilize fresh insights into the state of remote access and VPNs, their vulnerabilities, and why more than 80% of surveyed companies are planning on implementing a zero trust model.

Download the 2022 VPN Risk Report by Cybersecurity Insiders 

Read the press release

Quantum Builder boosts Agent Tesla RAT attacks

ThreatLabz has discovered a new tool being used to launch Agent Tesla RAT attacks. Quantum Builder, which creates malicious Windows shortcut (.lnk) files, delivers Agent Tesla RATs through a multi-staged infection chain. Agent Tesla, first encountered in 2014, is a .NET-based keylogger that shares some attributes and code overlap with the Lazarus threat group. However, there is insufficient evidence to link these most recent attacks with Lazarus.

Figure 2: Quantum Builder/Agent Tesla infection Chain by ThreatLabz

The current Agent Tesla campaign relies on Quantum Builder to generate malicious LNK, HTA, and PowerShell scripts to deliver payloads on targeted machines. It also leverages advanced techniques, including:

  • User Account Control Bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges and to perform Windows Defender Exclusions
  • Utilizing a Multi-Staged Infection Chain integrating various attack vectors involving LOLBins (living-off-the-land binaries)
  • Execution of PowerShell scripts in-memory to evade detection
  • Execution of decoys to distract the victims post-infection.

In addition, these attacks use LOLBins to obfuscate malicious activity and evade detection. They also use decoys, UAC prompts, and in-memory PowerShell scripts to execute the final payload.
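The stages listed above leave process-creation traces that can be correlated per host. The following is an added detection example, not ThreatLabz code: the event layout (modelled on Sysmon process-creation records), the rule names, the use of mshta.exe as the HTA host, and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cmd.exe"}

# Rule names and logic are assumptions for this example, not ThreatLabz signatures.
RULES = {
    # HTA fetched from a remote URL by the HTML Application host
    "remote_hta": lambda p, i, c: i == "mshta.exe" and re.search(r"https?://", c, re.I),
    # PowerShell started by mshta: the HTA stage handing over to a script stage
    "hta_spawns_powershell": lambda p, i, c: p == "mshta.exe" and i == "powershell.exe",
    # CMSTP started by a script host rather than by a user or an installer
    "cmstp_from_script": lambda p, i, c: i == "cmstp.exe" and p in SCRIPT_HOSTS,
    # Windows Defender exclusion added from a command line
    "defender_exclusion": lambda p, i, c: re.search(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", c, re.I),
}

def tag_event(parent, image, cmdline):
    """Return the names of all rules one process-creation event matches."""
    parent, image = parent.lower(), image.lower()
    return sorted(n for n, rule in RULES.items() if rule(parent, image, cmdline))

def hosts_with_chain(events, min_stages=2):
    """Flag hosts on which at least min_stages distinct stages were seen."""
    stages = defaultdict(set)
    for host, parent, image, cmdline in events:
        stages[host].update(tag_event(parent, image, cmdline))
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed events: (host, parent image, image, command line)
EVENTS = [
    ("ws-01", "explorer.exe", "mshta.exe", "mshta.exe https://example.invalid/doc.hta"),
    ("ws-01", "mshta.exe", "powershell.exe", "powershell.exe -w hidden <elided>"),
    ("ws-01", "powershell.exe", "cmstp.exe", r"cmstp.exe /au C:\Users\Public\x.inf"),
    ("ws-01", "powershell.exe", "powershell.exe",
     r"powershell.exe Add-MpPreference -ExclusionPath C:\Users"),
    ("ws-02", "explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem"),
    ("ws-03", "svchost.exe", "cmstp.exe", r"cmstp.exe /s C:\vpn\corp.inf"),
]

if __name__ == "__main__":
    for host, stages in hosts_with_chain(EVENTS).items():
        print(host, stages)
```

Requiring two or more distinct stages on one host keeps a lone administrative PowerShell session or a legitimate CMSTP profile install from raising an alert on its own.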

Take an in-depth look at the new Agent Tesla attacks

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox, Advanced Cloud Firewall.

Ares banking Trojan resurrects Qakbot DGA

ThreatLabz has been actively tracking the Ares banking Trojan, which emerged in February 2021. After remaining largely inactive between March and June of this year, a new version of this threat was released in August. The updated Ares Trojan contains a domain generation algorithm (DGA) that is surprisingly similar to an older one used by Qakbot.


Figure 3: Code comparison between the DGAs of Ares and Qakbot by ThreatLabz

This new DGA can provide backup when Ares’ primary C2 communication is unreachable. The algorithm uses a hardcoded seed and the current date, which is obtained through the daytime protocol. It can generate 50 domains per interval, which translates to 150 per month.
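Because the date comes from the daytime protocol (RFC 867, port 13) and a DGA walks through many unregistered names, the fallback produces a recognizable network pattern. The following is an added hunting example, not ThreatLabz code: the record layout, the time window, the NXDOMAIN threshold, and the sample telemetry are assumptions constructed for illustration.

```python
from collections import defaultdict

DAYTIME_PORT = 13  # RFC 867 daytime service

def dga_suspects(records, window=300, min_nx=10):
    """Hosts that contact a daytime server and then fail to resolve many names.

    records: (epoch_seconds, host, kind, value); kind is "conn" (value is the
    destination port) or "dns" (value is (qname, rcode)).
    window and min_nx are assumed thresholds, not values from the report.
    Returns {host: largest count of distinct NXDOMAIN names in one window}.
    """
    daytime = defaultdict(list)
    nx = defaultdict(list)
    for ts, host, kind, value in records:
        if kind == "conn" and value == DAYTIME_PORT:
            daytime[host].append(ts)
        elif kind == "dns" and value[1] == "NXDOMAIN":
            nx[host].append((ts, value[0].lower().rstrip(".")))
    suspects = {}
    for host, times in daytime.items():
        for t0 in times:
            # Distinct failed lookups that follow this daytime connection
            names = {q for ts, q in nx[host] if t0 <= ts <= t0 + window}
            if len(names) >= min_nx:
                suspects[host] = max(suspects.get(host, 0), len(names))
    return suspects

def sample_records():
    """Constructed telemetry: one host matching the pattern, two that do not."""
    recs = [(1000, "10.0.0.5", "conn", 13)]
    recs += [(1010 + i, "10.0.0.5", "dns", (f"name{i:02d}.example.invalid", "NXDOMAIN"))
             for i in range(12)]
    # Daytime lookup without failed resolutions
    recs += [(1000, "10.0.0.6", "conn", 13),
             (1005, "10.0.0.6", "dns", ("intranet.example.invalid", "NOERROR"))]
    # Failed resolutions without a daytime lookup
    recs += [(2000 + i, "10.0.0.7", "dns", (f"typo{i}.example.invalid", "NXDOMAIN"))
             for i in range(15)]
    return recs

if __name__ == "__main__":
    print(dga_suspects(sample_records()))
```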

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Read more about Ares, the Trojan currently attacking Mexico

Prynt Stealer heists info from fellow thieves 

Prynt Stealer is no stranger to theft, having borrowed its codebase from two open-source projects, AsyncRAT and StormKitty. The malware’s primary purpose is to capture credentials stored on web browsers, VPN/FTP clients, gaming applications, and other compromised systems. However, ThreatLabz discovered a backdoor in Prynt Stealer that allows its author to siphon the information stolen by other adversaries who deploy the malware. The malware backdoor sends the stolen information to a Telegram channel controlled by the author.

Figure 4: Prynt Stealer builder backdoor execution and infection flow by ThreatLabz

In addition, ThreatLabz identified two Prynt Stealer variants that strongly resemble the original, WorldWind and DarkEye. All three malware families appear to have been written by the same author. Prynt Stealer has the most name recognition of the three, but WorldWind payloads are encountered five times more often in the wild. DarkEye is not mentioned publicly but is included as a backdoor in the free version of the Prynt Stealer builder.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

More details on Prynt Stealer distribution and backdoor trickery

Technical Analysis of Crytox Ransomware

Crytox ransomware, which employs several stages of encryption, has been active since 2020. Unlike many contemporary ransomware families, Crytox does not perform double extortion by exfiltrating data and holding it for ransom. It does, however, drop uTox messenger on the victim’s machine to facilitate negotiations and communications with the threat actor. 

Figure 5: Process flow chart for Crytox encryption by ThreatLabz

Crytox uses AES-CBC encryption, creating a 256-bit key per file. This key is protected by an RSA key that is locally generated. With particularly large files, only the first 1,048,576 (0x100000) bytes are encrypted. Partially encrypting files speeds up the attack process while still rendering files useless to the victim, a tactic becoming increasingly popular with ransomware groups. Fortunately, Crytox encryption is weak and can be broken by a known brute force attack method.
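Partial encryption of the first 0x100000 bytes leaves a measurable boundary in a large file: a near-random head followed by the original content. The following is an added triage example for incident responders, not ThreatLabz code: the entropy thresholds are assumptions, and the sample files are constructed, with random bytes standing in for AES-CBC output.

```python
import math
import os
import tempfile
from collections import Counter

HEAD = 0x100000  # bytes encrypted at the start of large files, per the analysis above

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def triage(path, high=7.9, gap=1.0):
    """Return (verdict, head_entropy, tail_entropy) for one file.

    high and gap are assumed thresholds, not values from the report.
    """
    with open(path, "rb") as f:
        head = f.read(HEAD)
        tail = f.read(HEAD)  # sample of the region that would be left untouched
    if len(head) < HEAD or not tail:
        # No plaintext tail to compare against, so this method cannot decide
        return ("inconclusive", entropy(head), 0.0)
    h, t = entropy(head), entropy(tail)
    # Compressed or media files are high-entropy throughout and show no gap
    verdict = "partial-encryption" if h >= high and h - t >= gap else "clean-or-compressed"
    return (verdict, h, t)

def make_sample(encrypted_head, size=2 * HEAD):
    """Write a constructed test file: log-like text, optionally with a random head."""
    body = (b"2022-09-01 INFO service heartbeat ok\n" * (size // 37 + 1))[:size]
    if encrypted_head:
        body = os.urandom(HEAD) + body[HEAD:]  # stand-in for ciphertext
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return path

if __name__ == "__main__":
    for flag in (True, False):
        p = make_sample(flag)
        print(flag, triage(p))
        os.remove(p)
```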

Dive into the details of Crytox 

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers and secures over 240 billion web transactions. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
