What is Agent Tesla?
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014. The malware has many features, including keylogging, clipboard capture, screen capture and extraction of passwords stored by many browsers, and it sends this information back to its C2. It supports all versions of the Windows operating system.
It is in active development, constantly being updated and improved with new features, obfuscation, and encryption methods. The malware is sold as a service with a relatively cheap licensing model, which makes it particularly easy to use and can explain its distribution on such a wide scale. At the time of writing this post, two versions of Agent Tesla can still be found in the wild – versions 2 and 3. Version 3 comes with some updates and additional features and is currently the most prevalent.
The MITRE ATT&CK tactics and techniques observed in Agent Tesla attacks are listed here for reference.
Initial Access - Phishing
Execution - Exploitation for Client Execution, Scheduled Task, Malicious File
Persistence - Registry Run Keys / Startup Folder, Scheduled Task
Privilege Escalation - Registry Run Keys / Startup Folder, Process Injection, Scheduled Task
Defense Evasion - Deobfuscate / Decode Files or Information, Hidden Files and Directories, Disable or Modify Tools, Modify Registry, Obfuscated Files or Information, Process Injection, System Binary Proxy Execution, Virtualization and Sandbox Evasion
Credential Access - Credentials from Password Stores, Keylogging, Credentials in Files / Registry
Discovery - Account Discovery, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery, System Owner / User Discovery, Virtualization and Sandbox Evasion
Collection - Archive Collected Data, Browser Session Hijacking, Clipboard Data, Keylogging, Screen Capture
Command and Control - Web Protocols, Mail Protocols, Ingress Tool Transfer
Exfiltration - Exfiltration over Unencrypted Non-C2 Protocol
Delivery
Agent Tesla’s most common and successful delivery method is email, either as spam or as more targeted campaigns (OPEC+, COVID-19, ISPS), where the malware is bundled as an attachment, usually a macro-enabled Microsoft Office document (.docx, .xls, .ppt), an Office add-in file (.XLL) or a compressed archive. Recently there have been reports of malicious compiled HTML help files (.chm) delivering Agent Tesla.
Execution
After convincing the user to enable the macro embedded in the document, the malware connects to the C2 to download a .NET malware binary onto the system. The .NET binary can be packed and obfuscated to evade anti-virus and other security solutions, and it goes through multiple layers of unpacking and decryption before deploying its final payload.
Some samples were found to exploit the Office vulnerability CVE-2017-11882 (a memory corruption flaw in Microsoft Office's Equation Editor that enables remote code execution on vulnerable devices).
C2 Communication
Agent Tesla can be configured to communicate over HTTP, SMTP, and FTP. Earlier versions connected to agenttesla[.]com over HTTP upon successful installation to check for software updates. Newer versions can use a Tor client for C2 communication and even offer the Telegram chat protocol as an option.
Persistence
Agent Tesla can achieve persistence by adding an entry for its own executable under the following registry keys:
\Software\Microsoft\Windows\CurrentVersion\Run
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
The following endpoint apprule detects this persistence technique used by Agent Tesla:
BOC = Possible Agent Tesla persistence
Agent Tesla can also create a scheduled task by using schtasks.exe or at.exe to add and modify task schedules.
Process created: "C:\Windows\System32\schtasks.exe" /Create /TN "<task name>" /XML "C:\Users\<user>\AppData\Local\Temp\<malware filename>.tmp"
The following endpoint apprule detects this persistence technique:
BOC = Suspicious Scheduled Task Creation From Appdata Folder
Fingerprinting
The malware uses WMIC to query network adapter and BIOS information in order to detect whether it is running in a VM. It also gathers host information such as PC name, username, processor, RAM, TCP hostname, DNS client, domain, and more.
Credential Stealing
The malware searches for web browsers installed on the host and steals cookies, usernames and passwords stored in the browsers’ files. Agent Tesla also tries to steal email, FTP, VPN, Windows and other login credentials from files, registry keys and memory.
Defense Evasion
One of the defense evasion techniques Agent Tesla uses to avoid discovery is adding its own image path as an exclusion for Windows Defender.
Process created: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\<user>\AppData\Roaming\<malware filename>.exe"
BOC = evades scanning within windows defender
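As an added illustration (not from the original post and not NetWitness apprule syntax), the three behaviours flagged above, Run-key persistence, scheduled-task creation from AppData and the Defender exclusion, expressed as matching rules over constructed endpoint events; the event field names (type, image, command_line, key, data) are assumptions, and the sample telemetry is made up.

```python
import re

# Profile directories a dropped Agent Tesla binary typically lives in
# (from the page: AppData\Local\Temp and AppData\Roaming).
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Run keys named on the page, matched as suffixes so HKCU and HKLM both count.
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\explorer\startupapproved\run")

def rule_schtasks_from_appdata(ev):
    """schtasks.exe /Create whose task XML or target sits under AppData."""
    cl = ev.get("command_line", "")
    return (ev["type"] == "process" and ev["image"].lower().endswith("\\schtasks.exe")
            and "/create" in cl.lower() and USER_WRITABLE.search(cl) is not None)

def rule_defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath pointing into a user profile directory."""
    cl = ev.get("command_line", "").lower()
    return (ev["type"] == "process" and "add-mppreference" in cl
            and "-exclusionpath" in cl and USER_WRITABLE.search(cl) is not None)

def rule_run_key_to_appdata(ev):
    """Run-key value whose data points at an executable under AppData."""
    if ev["type"] != "registry_set":
        return False
    key = ev["key"].lower()
    return any(key.endswith(k) for k in RUN_KEYS) and USER_WRITABLE.search(ev["data"]) is not None

RULES = [("Possible Agent Tesla persistence", rule_run_key_to_appdata),
         ("Suspicious Scheduled Task Creation From Appdata Folder", rule_schtasks_from_appdata),
         ("Evades scanning within Windows Defender", rule_defender_exclusion)]

def triage(events):
    """Return (rule name, process image) for every event a rule fires on."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES if rule(ev)]

# Constructed sample telemetry, not real captures; user, file and task names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /TN "Updates\inv" /XML "C:\Users\alice\AppData\Local\Temp\tmpA1.tmp"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\inv.exe"'},
    {"type": "registry_set", "image": r"C:\Users\alice\AppData\Roaming\inv.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "inv",
     "data": r"C:\Users\alice\AppData\Roaming\inv.exe"},
    # Benign: a task created from ProgramData and an exclusion for a vendor path.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"'},
]
```

Running `triage(SAMPLE_EVENTS)` fires one rule on each of the first three events and none on the two benign ones; the AppData path condition is what keeps the benign task and exclusion quiet.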
The malware injects its payload into a legitimate foreign process or creates subsequent processes to evade detection.
Based on the information collected from the host, it can determine whether it is running in a VM or sandbox.
Capabilities
Apart from collecting user credentials and other sensitive information Agent Tesla has the following capabilities:
Additionally, Agent Tesla can disable UAC, Taskmgr, CMD, Run, Control Panel, Regedit, SystemRestore, etc., on a victim’s machine.
Exfiltration
Agent Tesla versions 2 and 3 are both capable of using HTTP, SMTP, and FTP to send the stolen data to the C2. On top of that, v3 adds the option of sending the data to a Telegram channel.
Conclusion and Solution
Agent Tesla is a malware designed to steal sensitive information that has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, information stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers.
Although Agent Tesla is in constant development and varies with each variant, understanding its malware family, its usual delivery methods, and the techniques it uses can be very beneficial for a SOC analyst, incident responder or threat hunter. NetWitness can aid in detecting the presence of Agent Tesla within your environment, so you can respond before this malware causes major loss in the form of data, intellectual property, exfiltration, and/or financials.