Friday, April 19, 2024

BusinessDay

How new Agent Tesla versions avoid detection, attack Windows users

Agent Tesla

Malware attacks can happen at any time, and as technology has grown more sophisticated, so have the tools available to cybercriminals. Just as innovation keeps pushing the limits of what is possible, the need to remain vigilant keeps growing with it.

Imagine that on a fateful Monday morning you are going through your mail, as you usually do first thing. There is an innocently worded letter from a company you have never heard of. The writer says they are interested in most of your products and have attached a file listing the items they hope to buy. Excited, you open the file. Surprisingly, the list is not there. Annoyed, you close the file and delete the mail, but unknowingly you now have malware living and active on your system.


Welcome to the new age of cyberattacks. The days of crude unsolicited mails and “let’s share my uncle’s inheritance” scams are leaving the stage. The strategies being deployed now prey on your deepest vulnerabilities: ordinary curiosity and the routine of a working day. When you let your guard down, you become host to one of the most insidious pieces of malware in circulation, known as Agent Tesla.

What is Agent Tesla?

It is an advanced Remote Access Trojan (RAT) that functions as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).

This powerful, easy-to-use password stealing program has been infecting computers since 2014 and has recently seen a surge in popularity attracting thousands of customers who pay subscription fees to licence the software.

SophosLabs, the research arm of cybersecurity firm Sophos, said in its latest report, which has tracked multiple actors using Agent Tesla since November 2019, that it has seen new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla was responsible for about 20 percent of malicious email attachments detected in Sophos customer telemetry.

“Agent Tesla has been active for more than seven years, yet it remains one of the most common threats to Windows users,” Sean Gallagher, senior security researcher, Sophos, said. “The most widespread delivery method for Agent Tesla is malicious spam attachments. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised.”

The two new variants are Agent Tesla version 2 and version 3. According to SophosLabs, the differences between the two only demonstrate how the RAT has evolved, employing multiple types of defense evasion and obfuscation to avoid detection.

But there are similarities in their functions, one of which is the use of global variables that determine the functionality and behaviour of the malware. The variables common to both versions of Agent Tesla determine which network protocol is to be used for command and control (C2) communications, based on an integer value set by the configuration file.

The recent versions of Agent Tesla use a number of methods to make sandbox and static analysis more difficult and to evade endpoint detection. One of them is to attempt to overwrite code in Microsoft’s Antimalware Scan Interface (AMSI), the Windows component that security products use to scan scripts and other content in memory before it runs, so that the scan quietly stops reporting anything.
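Because this kind of tampering happens in memory, a defender can check for it directly: locate the AMSI scanning function inside a process and see whether its first bytes have been replaced with a short “return without scanning” stub. The script below is an added example written for this article; it is not code from Sophos or from the Agent Tesla report, and the byte patterns it flags are assumptions taken from publicly documented in-memory AMSI patching techniques rather than from anything the report states about Agent Tesla. It inspects only the process it runs in.

```powershell
# Added example (not from the Sophos report): detect an overwritten
# AmsiScanBuffer entry point in the current process.
# Assumption: patched stubs commonly begin with one of the byte sequences
# listed in Test-AmsiScanBufferPatched; these patterns are not taken from
# the report and may not cover every variant.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
"@

function Get-AmsiScanBufferPrologue {
    # Returns the first $Length bytes of amsi!AmsiScanBuffer as loaded in this process.
    param([int]$Length = 8)

    $hAmsi = [Win32.Native]::LoadLibrary("amsi.dll")
    if ($hAmsi -eq [IntPtr]::Zero) { throw "amsi.dll could not be loaded" }

    $pFn = [Win32.Native]::GetProcAddress($hAmsi, "AmsiScanBuffer")
    if ($pFn -eq [IntPtr]::Zero) { throw "AmsiScanBuffer export not found" }

    $bytes = New-Object byte[] $Length
    [System.Runtime.InteropServices.Marshal]::Copy($pFn, $bytes, 0, $Length)
    return $bytes
}

function Test-AmsiScanBufferPatched {
    # Returns the name of the matching stub if the prologue looks patched, else $null.
    param([Parameter(Mandatory)][byte[]]$Prologue)

    # Assumed stub patterns (public AMSI-bypass write-ups, not the Sophos report):
    #   B8 57 00 07 80 C3  mov eax, 0x80070057 (E_INVALIDARG); ret  -> caller treats as "not scanned"
    #   31 C0 C3           xor eax, eax; ret                         -> S_OK with the result left untouched
    #   C3                 ret as the very first instruction
    $patterns = @(
        @{ Name = 'mov eax,E_INVALIDARG; ret'; Bytes = [byte[]](0xB8,0x57,0x00,0x07,0x80,0xC3) },
        @{ Name = 'xor eax,eax; ret';          Bytes = [byte[]](0x31,0xC0,0xC3) },
        @{ Name = 'ret';                        Bytes = [byte[]](0xC3) }
    )

    foreach ($p in $patterns) {
        if ($Prologue.Length -lt $p.Bytes.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $p.Bytes.Length; $i++) {
            if ($Prologue[$i] -ne $p.Bytes[$i]) { $match = $false; break }
        }
        if ($match) { return $p.Name }
    }

    # A genuine AmsiScanBuffer starts with a normal function prologue, so
    # anything that returns within its first bytes is the suspicious case.
    # Deliberately no "known clean" signature: those bytes differ across builds.
    return $null
}

# Usage: inspect the running PowerShell process.
$prologue = Get-AmsiScanBufferPrologue
$hex      = ($prologue | ForEach-Object { $_.ToString('X2') }) -join ' '
$hit      = Test-AmsiScanBufferPatched -Prologue $prologue

if ($hit) {
    Write-Warning "PID $PID : AmsiScanBuffer appears patched ($hit). Bytes: $hex"
} else {
    Write-Output  "PID $PID : AmsiScanBuffer prologue looks intact. Bytes: $hex"
}
```

The check is intentionally conservative: it flags only prologues that begin with a known return stub and does not compare against a hard-coded “clean” byte sequence, because legitimate AmsiScanBuffer prologues differ between Windows builds and a strict whitelist would produce false alarms after every update. To examine another process, the same comparison would be applied to bytes read from that process with ReadProcessMemory at the address of amsi.dll’s AmsiScanBuffer export, which is how an endpoint agent rather than a self-check would use it.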

One of the first things both versions of Agent Tesla do when activated is to check for (and kill) any other running instances of Agent Tesla – a step taken to ensure that the originally deployed copy is removed if the bot is configured to establish persistence.

According to the authors of the report, Agent Tesla remains a consistent threat. And the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.

“Organisations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them,” Gallagher said.