Security researchers have discovered new delivery and evasion techniques adopted by the Agent Tesla remote access trojan (RAT) to get around defensive barriers and monitor its victims.
The Windows spyware, which spreads through social engineering, now targets Microsoft’s Antimalware Scan Interface (AMSI) in an attempt to defeat endpoint protection software. It also employs a multi-stage installation process and uses Tor and the Telegram messaging API to communicate with its command-and-control (C2) server.
Two versions of Agent Tesla, version 2 and version 3, are currently found in the wild. The cybersecurity firm Sophos said these changes are another sign of Agent Tesla’s constant evolution, designed to make sandbox and static analysis more difficult.
According to the researchers, the differences between v2 and v3 of Agent Tesla focus on improving the malware’s success rate against sandbox defenses and malware scanners, and on providing more C2 options to its attacker customers.
Agent Tesla, a .NET-based keylogger and information stealer, has been deployed in numerous attacks since late 2014. Features added over time allow it to monitor and collect the victim’s keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.
Last May, a variant of the malware was spreading via COVID-themed spam campaigns to steal Wi-Fi passwords alongside other information.
In August 2020, another version of the malware increased the number of applications targeted for credential theft to 55; the stolen data was then transmitted to an attacker-controlled server via SMTP or FTP.
Sophos has identified a new version that leverages a Tor proxy for HTTP communications and the messaging app Telegram’s API to relay the information to a private chat room.
The malware’s installation process has also been upgraded: the first-stage downloader attempts to modify code in AMSI in order to skip scans of the second-stage malicious payloads fetched from Pastebin (or Hastebin).
This interim payload, consisting of chunks of obfuscated base64-encoded code, is subsequently decoded to retrieve the loader used to inject the Agent Tesla malware.
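As an added detection example (not code from this article or from Sophos), the following Python correlates web-proxy log lines to flag the staging and exfiltration chain described above: a non-browser process fetching from Pastebin or Hastebin and then posting to the Telegram Bot API shortly afterwards. The log format, endpoint names, process names and sample lines are constructed; the Bot API path shape /bot<token>/<method> is Telegram's documented format.

```python
"""Correlate paste-site fetches with Telegram Bot API traffic per process.
Log format, field names and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

PASTE_HOSTS = {"pastebin.com", "hastebin.com"}         # stage-2 hosting named in the article
TELEGRAM_API = "api.telegram.org"                       # Telegram Bot API endpoint
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected, benign users of both services
WINDOW = timedelta(minutes=30)                          # max gap between fetch and exfil

# Constructed web-proxy log: time|endpoint|process|destination host|URL path
SAMPLE_LOG = """\
2021-02-02T09:01:10|WS-07|chrome.exe|pastebin.com|/raw/example
2021-02-02T09:03:42|WS-12|invoice.exe|hastebin.com|/raw/stage2a
2021-02-02T09:03:44|WS-12|invoice.exe|hastebin.com|/raw/stage2b
2021-02-02T09:09:05|WS-12|invoice.exe|api.telegram.org|/bot<redacted>/sendDocument
2021-02-02T09:15:00|WS-07|chrome.exe|api.telegram.org|/bot<redacted>/getMe
2021-02-02T11:40:00|WS-03|updater.exe|pastebin.com|/raw/x
"""


def parse(log_text):
    """Split the pipe-delimited log into (timestamp, endpoint, process, host, path)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, proc, host, path = line.split("|")
        events.append((datetime.fromisoformat(ts), endpoint, proc.lower(), host.lower(), path))
    return events


def find_staging_chains(log_text, window=WINDOW):
    """Return sorted (endpoint, process) pairs where a non-browser process fetched
    from a paste site and then called the Telegram Bot API within `window`."""
    paste_fetches = defaultdict(list)  # (endpoint, process) -> fetch timestamps
    hits = set()
    for ts, endpoint, proc, host, path in sorted(parse(log_text)):
        if proc in BROWSERS:
            continue  # a browser using either service is ordinary activity
        key = (endpoint, proc)
        if host in PASTE_HOSTS:
            paste_fetches[key].append(ts)
        elif host == TELEGRAM_API and path.startswith("/bot"):
            # Events are time-ordered, so every recorded fetch precedes this call
            if any(ts - fetched <= window for fetched in paste_fetches[key]):
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    print(find_staging_chains(SAMPLE_LOG))  # [('WS-12', 'invoice.exe')]
```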
In order to achieve persistence, the malware copies itself to a folder and sets that folder’s attributes to “Hidden” and “System” to conceal it from view in Windows Explorer.
The main delivery method for Agent Tesla is malicious spam. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised.
Users are advised to be cautious with email attachments received from unknown senders and to verify them before opening.