Among the many malware families wreaking havoc for Windows users is Agent Tesla, a keylogger, information stealer and spyware that was first discovered in 2014. According to MITRE ATT&CK, Agent Tesla has employed various techniques ranging from collecting account information from a victim’s machine to using HTTP and SMTP for C2 communications. It can steal credentials, download additional files, extract data using form-grabbing, and even capture screenshots of victims’ desktops.
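As an added example (not code from the original post or from Prevailion), one defender-side check that follows from the C2-over-SMTP point: flagging endpoints that speak SMTP directly to anything other than an approved mail relay, since a workstation has no business submitting mail to an arbitrary external server. The log format, the `WS-` hostname prefix for endpoints, the approved relay address and the sample records are all constructed assumptions.

```python
"""Flag direct outbound SMTP from endpoints that should only relay through
approved mail servers. Added example, not from the original post or Prevailion.
The log format, hostname convention and relay list are constructed assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Relay and submission ports treated as "SMTP" here (assumption about scope).
SMTP_PORTS = {25, 465, 587}

# Constructed sample in a firewall-style format:
# timestamp src_host src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2021-02-10T09:12:01Z WS-0412 10.1.4.12 10.1.0.25 587 TCP
2021-02-10T09:12:07Z WS-0412 10.1.4.12 203.0.113.40 587 TCP
2021-02-10T09:13:44Z MAIL-RELAY-1 10.1.0.25 198.51.100.9 25 TCP
2021-02-10T09:15:03Z WS-0733 10.1.4.77 192.0.2.15 443 TCP
2021-02-10T09:16:30Z WS-0733 10.1.4.77 192.0.2.88 25 TCP
bad line that does not parse
"""

# Constructed: the only host endpoints are allowed to hand mail to.
APPROVED_RELAYS: Set[str] = {"10.1.0.25"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_host: str
    dst_ip: str
    dst_port: int


def parse_record(line: str) -> Optional[Tuple[str, str, str, str, int, str]]:
    """Parse one record; return None for malformed lines instead of raising,
    so a single bad line does not abort the whole sweep."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, src, dst, port, proto = parts
    try:
        return ts, host, src, dst, int(port), proto
    except ValueError:
        return None


def flag_direct_smtp(lines: Iterable[str], approved_relays: Set[str],
                     endpoint_prefix: str = "WS-") -> List[Finding]:
    """Return endpoints that opened SMTP connections to non-approved hosts.
    Hosts outside the endpoint prefix (e.g. the relay itself) are expected to
    speak SMTP outward and are skipped."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, host, _src, dst, port, proto = rec
        if proto != "TCP" or port not in SMTP_PORTS:
            continue
        if not host.startswith(endpoint_prefix):
            continue
        if dst in approved_relays:
            continue
        findings.append(Finding(ts, host, dst, port))
    return findings


def run_sample() -> List[Finding]:
    return flag_direct_smtp(SAMPLE_LOG.splitlines(), APPROVED_RELAYS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.src_host} -> {f.dst_ip}:{f.dst_port} "
              "direct SMTP outside approved relay")
```

On the constructed sample this yields two findings (WS-0412 to 203.0.113.40:587 and WS-0733 to 192.0.2.88:25); the relay's own outbound port 25 traffic and the workstation's HTTPS session are ignored. In a real environment the relay allow-list and the endpoint naming rule would come from the organisation's own inventory.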
The malware developed over time and in 2018 security researchers discovered that it was being used in conjunction with the Loki information stealer. Because the malware had been modified, it was able to evade detection, which was problematic given that, “If undetected, Agent Tesla has the ability to steal user’s login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.”
Agent Tesla was trending through that fall, and in October 2018 Krebs on Security did a deep dive into the man behind the malware (which its proprietors claimed was not malware at all). Krebs reported, “The earliest versions of Agent Tesla were made available for free via a Turkish-language WordPress site that oddly enough remains online (agenttesla.wordpress-dot-com), although its home page now instructs users to visit the current AgentTesla-dot-com domain.” Then there was another hiatus, at least from the headlines.
But by early 2020, Agent Tesla was back. ThreatPost reported that the malware’s use in attacks had trumped both Emotet and Trickbot during the first six months of 2020. Malwarebytes wrote, “During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.”
A new version of the remote access Trojan (RAT) is once again targeting Windows machines and evading detection. “Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry,” according to news from Dark Reading.
In these more recent campaigns, attackers are reportedly using the RAT to target the oil and gas industries. Prevailion’s threat intelligence team has captured a total of 220,997,442 beacons for Agent Tesla. The image below shows a snapshot of this activity across major industries during the last six months.
As Agent Tesla continues to evolve and to see wider use because of its ability to evade detection, this RAT will become a more prolific problem. Organizations need cyber adversary intelligence to identify these intrusions faster, so that they can respond and remediate more quickly.
Read some thoughts from our CTO, Nate Warfield, who discusses the escalating attacks on critical infrastructure with other cybersecurity experts in this Industrial Week roundtable.