Two updated versions of Agent Tesla, the widely used information stealer and remote access trojan (Rat), now contain new evasive techniques designed to disable endpoint protection tools on target systems before delivering malware payloads, according to research published by Sophos.
The new versions of Agent Tesla, which generally arrives as a malicious attachment to a phishing email, incorporate a multi-stage process. First, a .NET downloader grabs chunks of malware from legitimate third-party websites, such as Pastebin, and knits them together to build the loader that carries the final payload.
It also now attempts to patch the code of Microsoft’s Antimalware Scan Interface (AMSI) inside the process, so as to disable any AMSI-enabled endpoint protection tools that would usually block the payload from being downloaded, installed and run. AMSI is a Windows feature that lets applications and services hand content (scripts, in-memory buffers) to installed security tools for scanning.
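One practical check that follows from this, as an added example (not code from the Sophos research and not the malware's own code): a small Python script that asks the AMSI scan path of the process it runs in whether it still works, by submitting Microsoft's documented AMSI test sample through the documented amsi.dll API and by reading the first bytes of AmsiScanBuffer. The verdict strings, the application name passed to AmsiInitialize and the prologue byte patterns it compares against (taken from publicly documented AMSI bypass stubs in general, not from any specific Agent Tesla build) are this example's own assumptions.

```python
"""AMSI self-check: is the AMSI scan path in this process still intact?

Added example, not Sophos' research code and not Agent Tesla's code.
It exercises Microsoft's documented AMSI API (amsi.dll) through ctypes and
submits Microsoft's documented AMSI test sample. With an intact AMSI and a
registered provider (e.g. Microsoft Defender) the sample is reported as
AMSI_RESULT_DETECTED; after the kind of in-memory patch the article describes
the call either fails or reports the known-bad sample as clean.
"""
import ctypes
import sys

# Constants from amsi.h (AMSI_RESULT enumeration).
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768

# Microsoft's documented AMSI test sample string; every provider must flag it.
AMSI_TEST_SAMPLE = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

# Function-prologue byte patterns seen in publicly documented AMSI bypasses.
# Generic patterns (assumption of this example), not a claim about the bytes
# any particular Agent Tesla build writes.
PATCHED_PROLOGUES = (
    bytes.fromhex("b857000780c3"),  # mov eax, 0x80070057 (E_INVALIDARG) ; ret
    bytes.fromhex("31c0c3"),        # xor eax, eax ; ret
    bytes.fromhex("c3"),            # ret
)


def interpret_scan(hresult: int, amsi_result: int) -> str:
    """Turn AmsiScanBuffer's HRESULT and AMSI_RESULT into a verdict string."""
    if (hresult & 0xFFFFFFFF) != 0:
        # A failing HRESULT on the test sample is itself a red flag: a common
        # in-memory patch makes AmsiScanBuffer return E_INVALIDARG (0x80070057).
        return "call_failed"
    if amsi_result >= AMSI_RESULT_DETECTED:
        return "intact"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= amsi_result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked_by_policy"
    # The known-bad sample came back clean: that is what a patched AMSI
    # produces, but also what you get with no AMSI provider registered.
    return "suspicious"


def looks_like_patched_prologue(prologue: bytes) -> bool:
    """True if the first bytes of an exported function match a known bypass stub."""
    return any(prologue.startswith(p) for p in PATCHED_PROLOGUES)


def scan_with_amsi(content: str, app_name: str = "amsi-selfcheck") -> tuple:
    """Submit `content` to AMSI; return (hresult, amsi_result, prologue_bytes).

    Windows only: ctypes.WinDLL exists only on Windows.
    """
    amsi = ctypes.WinDLL("amsi")
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiInitialize.restype = ctypes.c_long
    amsi.AmsiOpenSession.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiOpenSession.restype = ctypes.c_long
    amsi.AmsiScanBuffer.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_wchar_p, ctypes.c_void_p,
                                    ctypes.POINTER(ctypes.c_uint32)]
    amsi.AmsiScanBuffer.restype = ctypes.c_long
    amsi.AmsiCloseSession.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [ctypes.c_void_p]
    amsi.AmsiUninitialize.restype = None

    # Raw bytes at the entry of AmsiScanBuffer as loaded in this process.
    entry = ctypes.cast(amsi.AmsiScanBuffer, ctypes.c_void_p).value
    prologue = ctypes.string_at(entry, 8)

    context = ctypes.c_void_p()
    hr = amsi.AmsiInitialize(app_name, ctypes.byref(context))
    if hr != 0:
        return hr & 0xFFFFFFFF, AMSI_RESULT_CLEAN, prologue
    session = ctypes.c_void_p()
    hr = amsi.AmsiOpenSession(context, ctypes.byref(session))
    if hr != 0:
        amsi.AmsiUninitialize(context)
        return hr & 0xFFFFFFFF, AMSI_RESULT_CLEAN, prologue

    # AMSI scans raw bytes; PowerShell hands over UTF-16 script text.
    buf = ctypes.create_string_buffer(content.encode("utf-16-le"))
    result = ctypes.c_uint32(0)
    hr = amsi.AmsiScanBuffer(context, buf, len(buf) - 1, "selfcheck.ps1",
                             session, ctypes.byref(result))
    amsi.AmsiCloseSession(context, session)
    amsi.AmsiUninitialize(context)
    return hr & 0xFFFFFFFF, result.value, prologue


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("Run this on Windows: the check talks to amsi.dll")
    hr, res, prologue = scan_with_amsi(AMSI_TEST_SAMPLE)
    stub = "matches a known bypass stub" if looks_like_patched_prologue(prologue) else "no known stub"
    print(f"AmsiScanBuffer prologue: {prologue.hex()} ({stub})")
    print(f"hresult=0x{hr:08x} amsi_result={res} verdict={interpret_scan(hr, res)}")
```

Run it on a Windows host with Defender (or another AMSI provider) active; an intact AMSI answers the test sample with `intact`, while `call_failed` or `suspicious`, particularly together with a prologue that matches a bypass stub, means the scan path in that process is not to be trusted. The prologue comparison is deliberately generic: compare the bytes against a copy read from a process you trust rather than relying on the three stubs listed here.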
“Agent Tesla malware has been active for more than seven years, yet it remains one of the most common threats to Windows users,” said Sean Gallagher, senior security researcher at Sophos. “It has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners.
“A variety of attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging and clipboard capture.
“The most widespread delivery method for Agent Tesla is malicious spam – such as the emails we highlighted in our RATicate research. Sophos believes that cyber criminals will continue to update the malware and modify it to evade endpoint and email protection tools.
“The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organisations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them.”
In new research published today, Sophos explores the two new versions currently circulating, both of which feature several other updates, including new applications targeted for credential theft, among them web browsers, email services and VPN clients, as well as keystroke capture and screenshots.
The researchers also highlighted a number of observed differences between the two versions that demonstrate Agent Tesla’s ongoing evolution: besides targeting Microsoft’s AMSI, it now includes options to install and use the Tor network client, and to use the Telegram messaging API, for communications back to its command and control infrastructure.
The advice for security teams on how to combat threats such as Agent Tesla centres, as ever, on protecting users at the most basic level and preventing infections in the first place.
This includes using intelligent, up-to-date tools that can screen out malicious emails before they reach inboxes, and educating users to spot the warning signs if something does get through: spelling mistakes and unusual language, offers that seem too good to be true, requests that seem out of place and, of course, any attachment or link in an email from an unknown sender, which should never be opened or clicked.
More information on the new versions of Agent Tesla, including indicators of compromise, is available on Sophos’ GitHub page.