Agent Tesla Upgrades with New Delivery & Evasion Tactics


2021-02-03

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets in the configuration.
Over the past months, we have seen a resurgence of this malware being distributed via spam, both as a payload of other threats and as an attachment to the malspam itself. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments, whereas the third distributes Agent Tesla directly in the malspam. The Agent Tesla samples we observed send the stolen information over SMTP and FTP.

The newest versions of the Agent Tesla malware target more applications for credential theft, use updated communication tactics, and pack new techniques for bypassing endpoint defense.
Sophos researchers published a report on updates to Agent Tesla, a family of remote access Trojan (RAT) malware that has grown more popular in recent months. Its developers are buckling down on defense evasion with several techniques, such as targeting Microsoft's Anti-Malware Software Interface (AMSI), to slip past security tools and remain persistent on a device.
Agent Tesla, offered as a form of malware-as-a-service, has been active since 2014 and remains a common threat to Windows machines, researchers report. Many attackers use it to steal credentials and other information via screenshots, keyboard logging, and clipboard capture.
Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry.
Sophos experts cite two factors driving its growth: Agent Tesla's business model has matured to the point where it can reach a larger audience, and its developers have obfuscated the code so that more advanced clients cannot reverse it, modify parts of it, and use it themselves.
"We think that the combination of them having a more mature business model, plus the rise of malware distribution-as-a-service — with different malspam operators, different botnets being used to distribute malicious content to targets — has really ramped up their ability to reach the scammer customers, the cybercrime customers they're trying to get to," Sean Gallagher, senior threat researcher at Sophos, explains.
Researchers' analysis investigates two active versions of Agent Tesla. Version 2 changes are mostly obfuscation from the original version; version 3 brings more variation.
Agent Tesla usually arrives as an attachment in a malicious email. Its first stage is a .NET-based downloader that pulls chunks of base64-encoded, obfuscated code for the second stage from websites such as Pastebin and "Hastebin," a Pastebin clone. After downloading these chunks, the downloader stage joins, decodes, and decrypts them to form the loader with the final payload.
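The downloader stage described above leaves an analyst with several text chunks pulled from paste sites that must be joined and decoded before the next layer can be examined. The following Python is an added example of that analyst-side reconstruction; it is not Agent Tesla code and not Sophos tooling. The chunks are constructed stand-ins, and because the page does not describe the cipher applied after base64 decoding, the script stops at decoding and reports whether the result is already a PE image or still carries an encryption layer (judged by entropy).

```python
"""Analyst-side reconstruction of a chunked, base64-encoded second stage.

Constructed example. The chunks are fabricated stand-ins for text already
retrieved from the paste sites; the post-decode cipher is not known from the
page, so triage stops at base64 and classifies what comes out.
"""
import base64
import binascii
import hashlib
import math
import re
from typing import Dict, List

# Anything outside the base64 alphabet (paste-page whitespace, HTML debris) is dropped before decoding.
B64_CLEAN = re.compile(rb"[^A-Za-z0-9+/=]")


def join_and_decode(chunks: List[bytes]) -> bytes:
    """Concatenate chunks in fetch order, strip debris, repair padding, base64-decode."""
    joined = B64_CLEAN.sub(b"", b"".join(chunks))
    joined += b"=" * (-len(joined) % 4)
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"chunks do not form valid base64: {exc}") from exc


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/compressed data, much lower for code and headers."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_blob(data: bytes) -> Dict[str, object]:
    """Classify the decoded blob: PE image, still-encrypted layer, or something else.

    The 7.0-bit entropy threshold is meaningful for blobs of a few KB or more.
    """
    is_pe = data[:2] == b"MZ" and len(data) >= 0x40
    ent = shannon_entropy(data)
    if is_pe:
        verdict = "pe-image"
    elif ent > 7.0:
        verdict = "still-encrypted"  # no recognisable header, near-random bytes: another layer to peel
    else:
        verdict = "unknown-plaintext"
    return {"size": len(data), "entropy": round(ent, 2), "is_pe": is_pe,
            "sha256": hashlib.sha256(data).hexdigest(), "verdict": verdict}


def analyze_chunks(chunks: List[bytes]) -> Dict[str, object]:
    return triage_blob(join_and_decode(chunks))


# ---- constructed sample inputs -------------------------------------------------

def _fake_pe(size: int = 0x80) -> bytes:
    """Constructed stand-in for a decoded PE: DOS magic, e_lfanew -> 0x40, 'PE\\0\\0', padding."""
    return (b"MZ" + b"\x90" * 0x3a + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * (size - 0x44))


def _fake_encrypted(size: int = 4096) -> bytes:
    """Constructed high-entropy bytes (SHA-256 counter stream) standing in for a still-encrypted layer."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(b"constructed-sample-%d" % i).digest()
        i += 1
    return out[:size]


def split_into_chunks(blob: bytes, n: int = 3) -> List[bytes]:
    """Constructed: base64-encode a blob and split the text into n 'paste' chunks with CRLF debris."""
    text = base64.b64encode(blob)
    step = -(-len(text) // n)
    return [text[i:i + step] + b"\r\n" for i in range(0, len(text), step)]


if __name__ == "__main__":
    for label, blob in (("constructed PE", _fake_pe()), ("constructed encrypted", _fake_encrypted())):
        print(label, analyze_chunks(split_into_chunks(blob)))
```

The verdict drives the next step: a `pe-image` result goes straight to static analysis, while `still-encrypted` tells the analyst the downloader's decryption routine has to be recovered before the loader can be inspected.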
The more recent versions of Agent Tesla use several methods to impede sandbox and static analysis. In addition to packers that obfuscate the code, the multistage installer pulls in components that, in some cases, are hosted in plain sight on legitimate websites. The installer also attempts to overwrite code in Microsoft AMSI so that it is rendered ineffective.
If the targeting of AMSI succeeds, it disrupts endpoint protection software that depends on it. And because this happens early in the execution process, it blocks any AMSI protection against the other components: the first-stage downloader, the second-stage loader, and the final Agent Tesla payload.

Telegram, Tor, and More Agent Tesla Tricks

Agent Tesla v3 expands the number of applications targeted for credential harvesting. Its current list includes Google Chrome, Firefox, OpenVPN, Opera, Yandex, Chromium, Outlook, OperaMail, SmartFTP, WinVNC4, WinSCP, and FTP Navigator. Agent Tesla bundles stolen credentials with the host fingerprint data and transmits them back to command-and-control (C2) once during execution.
Agent Tesla can be configured to communicate over HTTP, SMTP, and FTP. V3 adds the Telegram chat protocol as an option for C2, so exfiltrated data can be sent to a private Telegram chat room. The Telegram chat protocol is one-way only.
With the Telegram protocol, attackers don't even need an email address to receive stolen data, Gallagher points out, noting he hadn't previously seen much Telegram usage among attackers.
"Telegram is the hot new C2," he quips. "It's something everyone is adding to their malware as an option." This upgrade to Agent Tesla makes it more appealing to attackers who don't want to operate a lot of infrastructure. For a long time, attackers used SMTP for C2 communication because it only requires an email account. The Telegram protocol option requires even less.
V3 also offers the option of routing its HTTP communications through a Tor proxy. If this is chosen in the configuration, the malware downloads and installs a Tor client from the official Tor site. This conceals the communications, but it can also be a warning sign for security teams.
"If I was running an organizational network and saw computers that never used Tor going onto Tor network, that would be a big red flag for me," Gallagher says. Another concern is that victims may not have firewalls configured to block outbound Tor traffic.
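The C2 and exfiltration channels described in the preceding paragraphs (Telegram, SMTP, FTP, and a freshly installed Tor client) are all visible in outbound connection telemetry, and Gallagher's "computers that never used Tor" remark is a baseline comparison. The Python below is an added example of that triage written for this article; it is not Sophos or Agent Tesla code. The events are constructed Sysmon-style network-connection records using documentation IP ranges, and the process allow-lists, the Tor baseline, and the relay-address set are placeholders an analyst would fill from local telemetry and the current Tor consensus.

```python
"""Triage outbound connection events for Telegram/SMTP/FTP exfil channels and new Tor use.

Added example. Events, allow-lists and the relay list are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed telemetry: ts host process dst_name dst_ip dst_port (all IPs from documentation ranges)
EVENTS = """\
2021-02-01T09:12:03Z ws-17 chrome.exe api.telegram.org 192.0.2.10 443
2021-02-01T09:12:41Z ws-17 outlook.exe smtp.office.example 192.0.2.25 587
2021-02-01T09:14:09Z ws-23 invoice_viewer.exe api.telegram.org 192.0.2.10 443
2021-02-01T09:14:10Z ws-23 invoice_viewer.exe smtp.mail.example 192.0.2.26 587
2021-02-01T09:15:55Z ws-23 invoice_viewer.exe dist.torproject.org 192.0.2.40 443
2021-02-01T09:16:30Z ws-23 tor.exe - 203.0.113.77 9001
2021-02-01T09:17:02Z ws-41 tor.exe - 203.0.113.88 9001
2021-02-01T09:18:11Z ws-09 WinSCP.exe ftp.partner.example 198.51.100.5 21
2021-02-01T09:19:45Z ws-23 invoice_viewer.exe ftp.drop.example 198.51.100.9 21
2021-02-01T09:20:30Z ws-31 backup_agent.exe smtp.relay.example 192.0.2.27 587
"""


@dataclass
class Event:
    ts: str
    host: str
    process: str
    dst_name: str
    dst_ip: str
    dst_port: int


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the whole triage
        ts, host, proc, name, ip, port = parts
        events.append(Event(ts, host, proc.lower(), name.lower(), ip, int(port)))
    return events


# Placeholder allow-lists: processes expected to speak each protocol in this environment.
BROWSERS_AND_CHAT = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"winscp.exe", "filezilla.exe", "smartftp.exe"}
# Hosts with a legitimate history of Tor use (placeholder; normally derived from past telemetry).
TOR_BASELINE_HOSTS = {"ws-41"}
# Placeholder for relay addresses taken from the current Tor consensus.
TOR_RELAY_IPS: Set[str] = {"203.0.113.77"}
TOR_OR_PORTS = {9001, 9030}


def classify(ev: Event) -> List[str]:
    """Tag one event with every exfil/C2 channel it matches."""
    tags = []
    if ev.dst_name.endswith("api.telegram.org") and ev.process not in BROWSERS_AND_CHAT:
        tags.append("telegram-c2")
    if ev.dst_port in (25, 465, 587) and ev.process not in MAIL_CLIENTS:
        tags.append("smtp-exfil")
    if ev.dst_port == 21 and ev.process not in FTP_CLIENTS:
        tags.append("ftp-exfil")
    if ev.dst_name.endswith("torproject.org") and ev.process not in BROWSERS_AND_CHAT:
        tags.append("tor-client-download")
    looks_like_tor = ev.dst_port in TOR_OR_PORTS or ev.dst_ip in TOR_RELAY_IPS
    if looks_like_tor and ev.host not in TOR_BASELINE_HOSTS:
        tags.append("new-tor-usage")  # a host with no Tor history is now talking to relays
    return tags


def triage(text: str) -> Dict[str, List[str]]:
    """Per host, the sorted distinct channel tags raised by its events."""
    findings: Dict[str, Set[str]] = {}
    for ev in parse_events(text):
        for tag in classify(ev):
            findings.setdefault(ev.host, set()).add(tag)
    return {h: sorted(t) for h, t in findings.items()}


def score(tags: List[str]) -> str:
    """Download-then-use of Tor, or several channels from one host, ranks highest."""
    if "tor-client-download" in tags and "new-tor-usage" in tags:
        return "high"
    return "high" if len(tags) >= 2 else "medium" if tags else "none"


if __name__ == "__main__":
    for host, tags in sorted(triage(EVENTS).items()):
        print(f"{host}: {score(tags)} {tags}")
```

In the constructed data, `ws-17` and `ws-09` use the expected clients and raise nothing, `ws-41` is in the Tor baseline and is left alone, `ws-31` raises a single SMTP finding, and `ws-23` shows the full pattern of a non-mail process reaching Telegram and SMTP, fetching the Tor client, and then connecting to a relay.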
Versions 2 and 3 also differ in their obfuscation. In v2, a single function decrypts all of the strings at execution time. V3 has a separate function for every encrypted string, which makes reversing them all a much more arduous task. The attackers' goal is to make it harder both for customers to look at the actual content and for others to view the source code, he adds.

When Sophos first started observing Agent Tesla, it was primarily used against targets in the Middle East and India. Starting with v2, it appeared in Egypt and other EMEA countries, says Gallagher. Over time, it began to generalize more, likely based on the customers who began to use it. The latest batch has been seen in the United States, Western Europe, and Australia.
"This has gone from being a niche tool for a particular type of cyber scammer … to being a fairly broadly applicable tool," he notes. One likely reason Agent Tesla's developers upgraded the malware is that it was getting caught more often and being deployed with less success.

Over time, we'll begin to see dominant products emerge in specific categories such as credential theft, backdoors, and remote execution. There is already a market of commodity malware that is widely available, customizable, and that anyone can be trained to use, he adds, and cybercriminals of all types want reliable products.