What Is Agent Tesla Malware?
Agent Tesla is a .NET-based Remote Access Trojan (RAT) and information stealer that is commonly used to gain initial access and is sold under a Malware-as-a-Service (MaaS) model. In this criminal business model, threat actors known as initial access brokers (IABs) apply their specialized skills to break into corporate networks and then sell that access to affiliate criminal groups. As first-stage malware, Agent Tesla provides remote access to a compromised system, which is then used to download more sophisticated second-stage tools, including ransomware.
Agent Tesla first appeared in 2014 and surged in the early 2020s, when it was leveraged in COVID-19 PPE-themed phishing campaigns. It is delivered by email, either as .zip, .gz, .cab, .msi or .img attachments or as Microsoft Office documents carrying malicious Visual Basic for Applications (VBA) macros. Agent Tesla phishing campaigns are notorious for closely replicating a legitimate company's communication tone and visual template, including logos and fonts.
Although Agent Tesla's native capabilities are less sophisticated than those of other malware families, it effectively steals a wide array of sensitive information. It also gives attackers an easy-to-use interface to monitor the attack and download stolen data, which makes it an attractive choice of malware for IABs.
Latest Agent Tesla News
- Advanced RAT Agent Tesla Most Prolific Malware in October (Infosecurity Magazine)
- Malware Builder Uses Fresh Tactics to Hit Victims with Agent Tesla RAT (CSO Online)
- Top 11 Malware Strains of 2021—and How to Stop Them (BlackBerry Blog)
How Agent Tesla Works
Agent Tesla relies on a variety of malicious attachment formats and evasive techniques to avoid detection by malware scanners and spam filters. One such technique is frequently changing the IP address of the attacker's command-and-control (C2) server and the domain used to send phishing emails, so that blocklists lag behind the campaign. Another is obfuscating and randomizing the strings in each new build of the payload, so that its signature cannot easily be matched against previous versions.
Once its primary payload has been downloaded and executed on the target's system, Agent Tesla inspects the local environment for debuggers, virtualization, or sandboxing tools. It decrypts the remaining components of the payload only if no analysis tooling is detected. It then connects to its C2 server to notify the attacker that a new victim is available for further exploitation.
Agent Tesla can steal data such as credentials from browsers, FTP clients, and wireless profiles, but its most common use case is to secure initial access that can be sold on the Dark Web.
Agent Tesla generally follows the same delivery tactic as other initial-access malware strains (malicious email attachments) and may be indistinguishable from other phishing campaigns at a glance. The most common attachment filename seen in Agent Tesla campaigns is Supplier-Face Mask Forehead Thermometer.pdf.gz, a double extension chosen to make a gzip archive look like a PDF; its most widespread campaign to date was a COVID-19 PPE phishing scam.
Agent Tesla phishing campaigns also use lookalike (typosquatted) domains: domain names that are similar to, but slightly altered from, those of the companies they emulate. Agent Tesla operators also take advantage of misconfigured corporate email infrastructure, such as open relays or missing or unenforced SPF, DKIM and DMARC policies, to send emails that appear to come from the company's own domain.
Agent Tesla's ability to rotate C2 IP addresses and re-obfuscate the strings in each build lets it evade signature-based malware scanners and email spam filters effectively. However, because it is much harder for malware developers to change a malware's tactics, techniques, and procedures (TTPs) than to change its indicators of compromise (IOCs), Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) products that look for those behaviours are effective at identifying Agent Tesla and blocking its payload from executing.
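As an added example, not part of the original article and not Agent Tesla's own code, the following Python script applies the phishing tells described above to constructed sample messages: the archive and installer attachment types listed earlier, the double-extension filename, macro-capable Office documents, and sender domains that are lookalikes of, or embed, a domain the organization trusts. The trusted-domain set, the confusable-character list and the sample messages are assumptions for illustration; the attachment-type lists start from the formats the article names and can be extended.

```python
"""Added triage example (not from the original article). Flags the Agent
Tesla phishing tells described above on constructed sample messages."""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr

# Container/installer attachment types the article names as Agent Tesla lures.
CONTAINER_EXTS = {"zip", "gz", "cab", "msi", "img"}
# Office formats that can carry VBA macros (legacy binary and macro-enabled OOXML).
MACRO_EXTS = {"doc", "xls", "ppt", "dot", "docm", "xlsm", "pptm", "dotm", "xltm"}
# Benign-looking extensions attackers place before the real one ("x.pdf.gz").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Character substitutions common in lookalike domains (assumed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


@dataclass
class Message:
    sender: str             # From: header value, e.g. "Procurement <ap@exarnple.com>"
    attachments: list[str]  # attachment filenames as they appear in the MIME parts


def _normalise(domain: str) -> str:
    """Fold common confusable substitutions so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def _levenshtein(a: str, b: str) -> int:
    """Edit distance with a rolling row; inputs are short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender_domain(sender: str, trusted: set[str]) -> list[str]:
    """Flag external senders, embedded trusted domains and near-miss lookalikes."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return []  # our own domain or a genuine subdomain of it
    findings = [f"external sender domain: {domain}"]
    for t in trusted:
        if t in domain:  # e.g. example.com.invoice-portal.net
            findings.append(f"trusted domain '{t}' embedded in {domain}")
        elif _normalise(domain) == t or _levenshtein(_normalise(domain), t) <= 2:
            findings.append(f"lookalike of trusted domain '{t}': {domain}")
    return findings


def check_attachment(name: str) -> list[str]:
    """Flag container/installer types, macro-capable Office files and double extensions."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    ext, findings = parts[-1], []
    if ext in CONTAINER_EXTS:
        findings.append(f"container/installer attachment .{ext}: {name}")
    if ext in MACRO_EXTS:
        findings.append(f"macro-capable Office attachment .{ext}: {name}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        findings.append(f"double extension .{parts[-2]}.{ext}: {name}")
    return findings


def triage(msg: Message, trusted: set[str]) -> list[str]:
    """Return every finding for a message; an empty list means nothing was flagged."""
    findings = check_sender_domain(msg.sender, trusted)
    for att in msg.attachments:
        findings.extend(check_attachment(att))
    return findings


if __name__ == "__main__":
    TRUSTED = {"example.com"}  # the organisation's own domain (assumed)
    # Constructed sample messages; the first reuses the attachment name quoted above.
    samples = [
        Message("Procurement <orders@exarnple.com>",
                ["Supplier-Face Mask Forehead Thermometer.pdf.gz"]),
        Message("HR <hr@example.com>", ["benefits-summary.pdf"]),
        Message("Billing <ar@example.com.invoice-portal.net>", ["Invoice.docm"]),
    ]
    for m in samples:
        print(m.sender)
        for line in triage(m, TRUSTED) or ["no findings"]:
            print("  -", line)
```

The edit-distance threshold of 2 and the confusable list are deliberately loose: on a real mail gateway they produce false positives for short trusted domains, so such findings should raise a score or route the message for review rather than block it outright. Genuine subdomains of a trusted domain are excluded, but a trusted domain appearing as a prefix of a longer, unrelated domain is flagged, because that is exactly the shape of the spoofed-sender lure the text describes.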
The most effective ways to prevent a successful Agent Tesla attack:
- Configure email clients to notify users when emails originate from outside the organization
- Educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
- Recognize the increased risk that files of unknown origin present and verify the context of such documents thoroughly before opening them
- Ensure Office applications are configured with the "Disable all macros without notification" or "Disable all macros except digitally signed macros" Trust Center setting
- Pay special attention to warning notifications in email clients and Office applications, such as alerts that a file has not been scanned for malware or contains VBA macros
- Install and configure advanced endpoint security products that scan password-protected or encrypted attachments as soon as they are decrypted or opened, and that identify IOCs on the network and its endpoints