Agent Tesla

Agent Tesla is a remote access trojan (RAT) written in .NET that has been actively targeting users with Microsoft Windows OS-based systems since 2014. It is a versatile malware with a wide range of capabilities, including sensitive information stealing, keylogging and screenshot capture. Since its release, this malicious software has received regular updates. It is sold as a malware-as-a-service, with several subscription options available for purchase. Campaigns involving Agent Tesla often start with phishing emails, masquerading as legitimate messages from trusted sources. ^[1]

Features and functionality

Agent Tesla's versatility is evident in its wide range of features. It can:

• Steal credentials and personal data: Agent Tesla is adept at harvesting sensitive information, including passwords, usernames, contact information, financial data, and browsing history. The malware can collect information from over 50 applications, such as mail clients and web browsers.
• Capture screenshots: Agent Tesla can take screenshots of the victim's computer screen, capturing sensitive information and browsing activities.
• Intercept communications: Agent Tesla can intercept emails, chat messages, and other forms of online communication, spying on the victim's online activities.
• Record keystrokes: Agent Tesla can monitor the victim's keystrokes, logging passwords, usernames, and other sensitive data entered on the keyboard.
• Upload and download files: Agent Tesla can upload and download files from the victim's computer, as well as to install additional modules.
• Spread to other systems: Agent Tesla can spread to other computers on the network through file sharing or exploiting vulnerabilities in the network infrastructure. ^[1]

Technical details

Agent Tesla makes extensive use of obfuscation, including through code packing and various techniques, such as Base64 encoding or XOR encryption of its data. ^[2] This makes it more difficult for security tools and analysts to analyze and detect the malware. It also incorporates anti-analysis functionality, allowing it to take evasive measures to prevent detection by security solutions and even kill security features, such as User Account Control (UAC). ^[3]

Most Agent Tesla campaigns are multi-stage, meaning that they occur in several steps. A typical execution process looks like this:

1. The malware is delivered via a spam email attachment in the form of an Office document or a zip file containing the malicious payload. ^[4]
2. Once the attachment is opened, the first stage downloader is commonly executed with the help of VBS macros, scripts or through vulnerability exploits, including CVE-2017-11882/CVE-2018-0802. ^[5]
3. The downloader retrieves the second stage from an external source, such as the file-sharing platform Pastebin.
4. The second stage is downloaded, saved in the Temporary folder, and decrypted.
5. The final Agent Tesla payload is executed.
6. The payload collects information from the victim's system and sends it to the attacker. ^[6]

Agent Tesla malware operators can choose among four different protocols of communication with its command and control (C2) server, HTTP, SMTP, FTP, and Telegram chat. The specific method used depends on the configuration set by the attacker.

Agent Tesla employs two primary techniques to establish persistence, ensuring it remains active even after system reboots. One method involves creating a copy of itself in the startup folder, while the other is based on Agent Tesla adding registry run keys to trigger the execution during the boot process. Additionally, Agent Tesla can use Tor, an anonymizing network, to make its communication more difficult to track. ^[7]

Incidents

Agent Tesla has been employed in many cyber attacks across different spheres over the years. It was particularly widely utilized during the COVID-19 pandemic. For instance, in 2020, a campaign using a fake update to personal protection equipment was observed distributing Agent Tesla, while in 2021 one of the attacks featured a lure in the form of a COVID vaccination schedule document ^{[8] [9]} In October 2022, Agent Tesla was identified as one of the most widespread malware strains in the education sector, affecting 7% of organizations globally. ^[10]

References

1. Arndt, James (February 21, 2023). "The Rise of Agent Tesla: Understanding the Notorious Keylogger". Cofense.
2. White, Jeff (September 25, 2017). "Analyzing the Various Layers of AgentTesla's Packing". Unit 42.
3. Netwitness Community Blog (June 17, 2022). "Agent Tesla: The Information Stealer". Netwitness Community Blog.
4. Scythe (May 18, 2023). "Threat Emulation: Agent Tesla". Scythe.
5. Zhang, Xiaopeng (September 5, 2023). "New Agent Tesla Variant Being Spread by Crafted Excel Document". Fortinet.
6. Gallagher, Sean (February 2, 2021). "Agent Tesla amps up information stealing attacks". Sophos News.
7. Splunk Threat Research Team (November 16, 2022). "Inside the Mind of a 'Rat' - Agent Tesla Detection and Analysis". Splunk.
8. Walter, Jim (September 4, 2020). "Threat Intel, Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic". Sentinel One.
9. Bîzgă, Alina (June 18, 2021). "Threat Actors Spread Agent Tesla Disguised as COVID-19 Vaccination Registration". Bitdefender.
10. Kelly, Ross (November 9, 2022). "AgentTesla Shakes Education Sector Amid Surge in Malware Attacks". DigitNews.