TitanHQ

TitanHQ Blog

Agent Tesla Malware is now Better and More Evasive than Ever

Posted by Trevagh Stankard on Tue, Mar 9th, 2021

Agent Tesla is a malicious malware that organizations must be aware of to protect their employees, clients and data. 

Imagine a strain of malware that can not only steal your credentials from as many as 55 different applications but is savvy enough to copy itself to a directory on your computer and set that folder to “Hidden” and “System”, in order to conceal itself from view in Windows Discover.  This malware strain was produced by Agent Tesla as discovered by the cybersecurity firm Sophos, in their latest version release.

What is Agent Tesla?


Agent Tesla is not the electric car, it’s a .net-based keylogger that was first deployed back in 2014.  It’s an example of how various malware types are evolving and improving.  The people behind these malicious applications are becoming more advanced in creating malicious malware.  If Agent Tesla were a commercial program, it would have an impressive history.  In the beginning, Agent Tesla was a limited tool used for specific types of cybercriminals in a handful of countries across Europe, the Middle East, and Africa.  It has since grown into a broad-based tool, offering an expansive assortment of malicious tools, that today has a global presence.

The Capabilities of Agent Tesla


Agent Tesla is a formidable Remote Access Trojan (RAT) that has become exceptionally good at getting around defense barriers in order to monitor its victims. This threat is offered in a form of malware-as-a-service, to which it is capable of keylogging, screen capture, form-grabbing, and stealing credentials.  The credential pilfering abilities of Agent Tesla are not limited to just email but expanded to include VPN clients, FTP and web browsers. A variant of Agent Tesla was discovered last spring during the height of the COVID pandemic, that was used to steal Wi-Fi passwords

 

The Evolvement of Agent Tesla


In similar fashion to an enterprise commercial application, the sinister team of coders that support Agent Tesla are constantly working to improve their product and release updated versions.  While version two of the malware could steal credentials from 55 applications, version three has yet expanded that list to include Google Chrome, Firefox, OpenVPN, SmartFTP, WinSCP and Opera.  Significant improvements in its ability to circumvent sandbox defenses and malware scanners were also discovered by Sophos.  While the malware began using SMTP to communicate with the perpetrators behind the attack in its second version release, the newest version now supports HTTP, FTP as well as the Telegram Chat protocol.  Telegram is a one-way only communicative protocol that allows a malware application to send exfiltrated data to a private Telegram chat room.  As a result, an attacker no longer needs an email address to receive stolen data, thus lessoning their dependency on infrastructure.  Agent Tesla isn’t the only malware strain utilizing Telegram.   It has now become the hot new communicative medium of choice.

Agent Tesla Deployed via Email


Like so many malicious malware types, Agent Tesla is deployed through malicious email.  In many cases, the email accounts used to deliver the malware package are legitimate accounts that have been compromised.  This makes it more alluring for users, especially if the email comes from a person of authority.  The SPAM email contains an attachment that when clicked, being the first phase of a multistage installation process.  The downloaded malware components are often hosted on legitimate websites, making it easy to subvert simple block lists.  The installation process is driven by obfuscated code that is used to conceal its purpose, using needless, roundabout expressions to compose statements.  Because it targets Windows devices, it attempts to overwrite code in Microsoft AMSI to cripple its effectiveness.  The Windows Antimalware Scan Interface (AMSI) is a versatile standard that integrates with any malware product in order to protect internal applications and services.  This is yet another example of why you cannot rely on endpoint protection alone anymore. Multi-layer security solutions are required to fully protect an organization from malware.

How to Protect Yourself from Agent Tesla


Agent Tesla is constantly evolving and there is no guaranteed way to protect against it, but the combined strength of email security and internet filtering will go a long way in shield your users and desktops from this and other malware strains that relay on email as its primary deployment mechanism.  In the same fashion as the developers behind Agent Tesla, the code developers and cybersecurity experts of TitanHQ are constantly incorporating new technologies and techniques to improve the protection abilities of its award-winning security tools. 

SpamTitan Email Protection and WebTitan Web Content Filtering can help to protect your business from ever-evolving malware threats. Learn more about these TitanHQ products today.

Never Miss a Blog Post

Sign-up for email updates...

Get Your 30 Day FREE Trial
TitanHQ

Talk to Our Email and DNS Security Team

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us