Among the many malware families wreaking havoc for Windows users is Agent Tesla, a keylogger, information stealer and spyware that was first discovered in 2014. According to MITRE ATT&CK, Agent Tesla has employed various techniques ranging from collecting account information from a victim’s machine to using HTTP and SMTP for C2 communications. It can steal credentials, download additional files, extract data using form-grabbing, and even capture screenshots of victims’ desktops.
The malware developed over time, and in 2018 security researchers discovered that it was being used in conjunction with the Loki information stealer. Because the malware had been modified, it was able to evade detection, which was problematic given that, “If undetected, Agent Tesla has the ability to steal user’s login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.”
Agent Tesla was trending through that fall, and in October 2018 Krebs on Security did a deep dive into the man behind the malware (which the proprietors claimed was not malware at all). Krebs reported, “The earliest versions of Agent Tesla were made available for free via a Turkish-language WordPress site that oddly enough remains online (agenttesla.wordpress-dot-com), although its home page now instructs users to visit the current AgentTesla-dot-com domain.” Then there was another hiatus, at least from the headlines.
But by early 2020, Agent Tesla was back. ThreatPost reported that the malware’s use in attacks had trumped both Emotet and Trickbot during the first six months of 2020. Malwarebytes wrote, “During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.”
A new version of the remote access Trojan (RAT) is once again targeting Windows machines and evading detection. “Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry,” according to news from Dark Reading.
In these more recent campaigns, attackers are reportedly using the RAT to target the oil and gas industries. Prevailion’s threat intelligence team has captured a total of 220,997,442 beacons for Agent Tesla. The image below shows a snapshot of this activity across major industries during the last six months.
As Agent Tesla continues to evolve and to see wider use because of its ability to evade detection, this RAT will become a more widespread problem. Organizations need cyber adversary intelligence to identify these intrusions faster so that they can respond and remediate more quickly.