Agent Tesla’s Evolution

Agent Tesla is a malware-as-a-service Remote Access Trojan (RAT) that has been commercially available on the dark web since 2014. It is used by cybercriminals to steal credentials and other information through keylogging, screenshots and capturing clipboard contents. The trojan is generally spread through phishing campaigns involving emails containing malicious attachments or links. The email accounts used for these campaigns are often legitimate accounts that have been compromised, which makes the phishing emails harder to detect. Since its inception, Agent Tesla has continued to evolve and spread. Nonetheless, according to a report published by Sophos, a British cyber security solutions firm, its functionality has essentially remained the same; the trojan’s developers have instead put extensive work into allowing it to evade anti-malware software. The latest version of Agent Tesla, known as v3, employs defense evasion and code obfuscation to avoid detection. V3 is also capable of attacking more applications than v2, which is still commercially available: it can attack VPNs, as well as more web browsers and email clients. Finally, the latest version also offers some additional options for its cybercriminal customers.

The Trojan’s New Capabilities

According to Sophos’s report, “The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more control communications options to their attacker customers.” Agent Tesla’s new capabilities include the option to install and use a Tor proxy, which provides attackers with anonymous communication. Attackers enable Tor through a configuration file included in the malware package; if selected, the package downloads and installs a Tor client from the official Tor site. Also included is an option to use the Telegram messaging API for C2 communications. This new communication option allows cybercriminals to send exfiltrated data to a private Telegram chat room using end-to-end encryption. This affords attackers complete privacy, as not even Telegram can access the data held in the chat room. So far, the most popular C2 communication method among attackers has been SMTP, which sends exfiltrated data to a mail server controlled by the attacker using a stolen email account. With Telegram, attackers no longer need this email account. The major upgrade to Agent Tesla, however, has been to its malware delivery package. The latest version targets Microsoft’s Anti-Malware Software Interface (AMSI) to evade malware scanners. The modified package disables anti-malware software before delivering the malware that installs and runs the payload, allowing Agent Tesla to avoid detection by malware scanners.

Recommendations

According to Sean Gallagher, senior security researcher at Sophos, “In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners.” Gallagher suggests that IT administrators keep an eye out for Tor installations, as this could help detect an Agent Tesla attack. “If I was running an organizational network and saw computers that never used Tor going onto Tor network, that would be a big red flag for me,” he says. Experts also recommend that IT administrators:

- Install a security solution that can screen, detect and block suspicious emails and their attachments before they reach users.
- Educate employees to spot the warning signs of suspicious emails and what to do if they encounter one.
- Advise users to double-check that emails come from the address and the person they claim to come from.
- Advise users to never open attachments or click on links in emails from unknown senders.
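Gallagher’s “computers that never used Tor going onto Tor network” heuristic can be turned into a simple baseline check. The following Python script is an added example, not code from the article or from Sophos: it reads constructed connection-log records, learns which hosts already touched Tor during a baseline window, and flags hosts whose first Tor-related activity appears afterwards. The log format, host names and addresses are invented for the example; the Tor port numbers are the client’s default local SOCKS port (9050) and the default relay ORPort/DirPort (9001/9030), which is an assumption about an otherwise clean network that should be tuned per environment.

```python
"""Added example (not from the article or the Sophos report): flag hosts
that start talking to the Tor network when they never did before.
Input is a list of constructed connection-log records; a real deployment
would feed proxy, firewall or EDR events in the same shape."""
from collections import defaultdict

# Assumption: on this network nothing else uses the default Tor relay
# ports (ORPort 9001, DirPort 9030) or the local SOCKS port a Tor client
# opens (9050). Tune these sets for your own environment.
TOR_RELAY_PORTS = {9001, 9030}
TOR_LOCAL_SOCKS_PORT = 9050

# Constructed sample log: "day host dst_ip dst_port process".
# ws-09 used Tor during the baseline day; ws-42 only starts later.
SAMPLE_LOG = """\
2021-02-01 ws-17 203.0.113.10 443 outlook.exe
2021-02-01 ws-42 203.0.113.10 443 chrome.exe
2021-02-01 ws-09 198.51.100.7 9001 tor.exe
2021-02-02 ws-17 203.0.113.11 443 chrome.exe
2021-02-03 ws-42 198.51.100.8 9001 tor.exe
2021-02-03 ws-42 127.0.0.1 9050 svchost.exe
2021-02-03 ws-09 198.51.100.7 9030 tor.exe
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst_ip, dst_port, process = line.split()
        records.append({"day": day, "host": host, "dst_ip": dst_ip,
                        "dst_port": int(dst_port), "process": process.lower()})
    return records


def is_tor_related(rec):
    """A record counts as Tor-related if it hits a Tor relay port, the
    local SOCKS port, or was produced by a process named tor.exe."""
    return (rec["dst_port"] in TOR_RELAY_PORTS
            or rec["dst_port"] == TOR_LOCAL_SOCKS_PORT
            or rec["process"] == "tor.exe")


def find_new_tor_hosts(records, baseline_end):
    """Return {host: [records]} for hosts with Tor-related activity only
    after baseline_end (ISO date string, compared lexically). Hosts that
    already used Tor during the baseline are treated as known and skipped."""
    known = {r["host"] for r in records
             if r["day"] <= baseline_end and is_tor_related(r)}
    flagged = defaultdict(list)
    for r in records:
        if r["day"] > baseline_end and is_tor_related(r) and r["host"] not in known:
            flagged[r["host"]].append(r)
    return dict(flagged)


if __name__ == "__main__":
    for host, hits in find_new_tor_hosts(parse_log(SAMPLE_LOG), "2021-02-01").items():
        print(f"ALERT {host}: first Tor-related activity after baseline")
        for r in hits:
            print(f"  {r['day']} {r['dst_ip']}:{r['dst_port']} via {r['process']}")
```

The baseline window does the real work: a host that legitimately runs Tor (ws-09 in the sample) is learned once and not re-alerted, while a workstation that suddenly opens a local SOCKS port or reaches a relay port (ws-42) is surfaced with the records that triggered it. Port matching alone is a coarse signal; in practice the same structure would also take a known-relay list from the Tor directory and process-creation events from EDR.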
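The recommendation to double-check that an email comes from the address and person it claims to can also be automated at the gateway or in a triage script. The Python below is an added example, not code from the article or from Sophos: it parses a constructed message and reports the three common mismatches a user is being asked to spot by eye, a display name that shows a different address than the real From address, a Reply-To pointing at another domain, and a bounce (Return-Path) address that does not match the From domain. The sample headers and domains are invented for the example.

```python
"""Added example (not from the article or the Sophos report): flag a
message whose visible sender does not match the real sender, the reply
address, or the bounce address. Standard library only; the sample
message is constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed phishing-style sample: the display name shows one address,
# the actual From mailbox and the Reply-To live on other domains.
SAMPLE_RAW = b"""\
Return-Path: <billing@example.net>
From: "accounts@example.com" <billing@example.net>
Reply-To: reply@example.org
To: user@example.com
Subject: Invoice attached

Please see the attached invoice.
"""

# Matches an email address embedded in a display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_warnings(raw_bytes):
    """Return a list of human-readable warnings about sender mismatches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    warnings = []

    # 1. Display name carries an address whose domain differs from the real one.
    m = ADDR_IN_NAME.search(name)
    if m and m.group(1).lower() != from_dom:
        warnings.append(f"display name shows {m.group(0)} but address is {from_addr}")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:
        warnings.append(f"replies go to {reply_to}, not the From domain {from_dom}")

    # 3. Bounce address (envelope sender recorded by the receiving MTA) differs.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_dom:
        warnings.append(f"bounce address {return_path} differs from From domain {from_dom}")
    return warnings


if __name__ == "__main__":
    for w in sender_warnings(SAMPLE_RAW):
        print("WARNING:", w)
```

None of these checks proves a message is malicious; legitimate mailing lists and ticketing systems routinely set a foreign Reply-To. They do, however, pick out exactly the cues the recommendation asks users to verify by hand, and a gateway that tags such messages makes the user’s check far easier than reading raw headers. Authentication results (SPF, DKIM, DMARC) from the receiving MTA would be the natural next fields to consult.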