XAMPP Hosts are Employed to Distribute Agent Tesla


RiskIQ's research team has evaluated the familiar fingerprints campaign in dangerous infrastructure from famous malware families. Their examination of Agent Tesla infrastructure leads them to discover the employment of web solution stack installations for XAMPP Web Server. They examine these identified campaigns using their Internet Intelligence Graph. 

The most recent investigation depicts a new insight into the ecosystem of Agent Tesla, the TTP its operatives utilize, and how RiskIQ users potentially can use the XAMPP web component to identify hosts that transmit malware and investigate other possibly harmful infrastructures. 

XAMPP is an open-source web server solution stack package produced by Apache Friends, composed primarily of Apache HTTP Server, MariaDB database, and script interpreters created in the PHP and Perl programming languages. XAMPP is a free server solution stack. As the majority of current web server operations employ the same components as XAMPP, it makes it feasible to move from a local test server to a live server. 

Neither the XAMPP is malevolent nor the hosts employing XAMPPA are always hostile. Everything which makes XAMPP useful for developers also provides an excellent tool for actors who threaten them and some malicious sites are using XAMPP to disseminate malware. 

The web component of XAMPP obtained by the Internet Intelligence Graph of RiskIQ demonstrates that there are numerous XAMPP Internet-faced servers despite developing XAMPP without an internet connection. 

For their March 2021 post about, Exploring Agent Tesla infrastructure, researchers first detected the use of XAMPP for malware propagation during the analysis of the Agent Tesla infrastructure. The Agent Tesla infrastructure, with the same MariaDB, Apache, and PHP Web service stack, was then detected – all with open SMBs sometimes with FTP or SMTP services. 

Agent Tesla is indeed a renowned "malware-as-a-service" RAT for stealing passwords, keystrokes, clipboard data as well as other important information. It is typically transmitted through phishing attempts since it initially surfaced around 2014 and was replicated several times. 

They could recognize hosts with this particular web service stack with the XAMPP web component of RiskIQ. Researchers would then detect malicious infrastructure and trends in that infrastructure using these hosts in conjunction with other data sources. 

An IP hosting Agent Tesla and a WBK file, a restorable file by Microsoft Word, are included within one instance. A link to the Hybrid Analysis Report in the related hashes list of the IP is provided for the file which initiates a GET request in a WBK file, and for another file to install a Tesla Agent file with a variety of commands and control (C2) domains. In many other instances, attackers' IPs utilized Agent Tesla, using a malicious XLSX document communicating with the IP to install the Agent Tesla file, which was subsequently renamed. Another IP attacker hosts harmful files and sends phishing emails to implant malware such as SnakeKeylogger or QuasarRAT. 

Evidence indicates that the attacker has installed XAMPP on hosts owned by the provider dynamic DNS[.]org that distributed the Tesla Agent. Other DDNS providers with preinstalled XAMPP stack malware packages have also been identified. 

The researchers state that “While we do not have confirmed malicious activity on this infrastructure, an illegitimate domain mimicking Microsoft Outlook was recently registered on July 23 and has linked to two PHP pages displaying what appears to be XAMPP notifications on settings not yet made.”