Agent Tesla: The Information Stealer

jeethmathai (Occasional Contributor)
2 weeks ago

What is Agent Tesla?

Agent Tesla is a spyware Trojan written for the .NET Framework that has been observed in the wild since at least 2014. Its features include keylogging, clipboard capture, screen capture and extraction of passwords stored by many web browsers; the collected information is beaconed back to the C2 server. It runs on all versions of the Windows operating system.

It is in active development and is constantly updated with new features, obfuscation, and encryption methods. The malware is sold as a service with a relatively cheap licensing model, which makes it easy to use and helps explain its wide distribution. At the time of writing, two versions of Agent Tesla can still be found in the wild, version 2 and version 3. Version 3 adds some updates and additional features and is currently the most prevalent.

The MITRE ATT&CK techniques used by Agent Tesla, grouped by tactic, are listed here for reference.

Initial Access -
  • Phishing

Execution -
  • Exploitation for Client Execution
  • Scheduled Task
  • Malicious File

Persistence -
  • Registry Run Keys / Startup Folder
  • Scheduled Task

Privilege Escalation -
  • Registry Run Keys / Startup Folder
  • Process Injection
  • Scheduled Task

Defense Evasion -
  • Deobfuscate / Decode Files or Information
  • Hidden Files and Directories
  • Disable or Modify Tools
  • Modify Registry
  • Obfuscated Files or Information
  • Process Injection
  • System Binary Proxy Execution
  • Virtualization / Sandbox Evasion

Credential Access -
  • Credentials from Password Stores
  • Keylogging
  • Credentials in Files / Registry

Discovery -
  • Account Discovery
  • Process Discovery
  • Query Registry
  • System Information Discovery
  • System Network Configuration Discovery
  • System Owner / User Discovery
  • Virtualization / Sandbox Evasion

Collection -
  • Archive Collected Data
  • Browser Session Hijacking
  • Clipboard Data
  • Keylogging
  • Screen Capture

Command and Control -
  • Web Protocols
  • Mail Protocols
  • Ingress Tool Transfer

Exfiltration -
  • Exfiltration over Unencrypted Non-C2 Protocol


Delivery

Agent Tesla's most common and successful delivery method is email, either as spam or as more targeted campaigns (OPEC+, COVID-19, ISPS themes), where the malware is bundled as an attachment, usually a macro-enabled Microsoft Office document (.docx, .xls, .ppt), an Office add-in file (.xll) or a compressed archive. Recently there have also been reports of malicious compiled HTML Help files (.chm) delivering Agent Tesla.

Execution

After convincing the user to enable the macro embedded in the document, the loader connects to the C2 and downloads a .NET payload onto the system. That payload can be packed and obfuscated to evade antivirus and other security products, and it goes through multiple layers of unpacking and decryption before deploying the final Agent Tesla payload.

Some samples instead exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor that enables remote code execution on unpatched systems, so no macro interaction is required.

C2 Communication

Agent Tesla can be configured to communicate over HTTP, SMTP or FTP. Earlier versions connected to agenttesla[.]com after a successful installation to check for software updates over HTTP. Newer versions can route C2 communication through a Tor client and also offer the Telegram chat protocol as an option.

  • HTTP: Sends data directly to a web panel controlled by the attacker.
  • SMTP: Sends data through a stolen mail account to a mail server controlled by the attacker.
  • FTP: Uploads data to an FTP server controlled by the attacker. (Rarely used; because the FTP server address, username and password are encoded in the malware binary, this method may allow anyone who recovers them to retrieve the stolen information from that server.)
  • Telegram: Sends the exfiltrated data to a private Telegram chat.

Persistence

Agent Tesla can achieve persistence by adding itself to the following registry keys:

\Software\Microsoft\Windows\CurrentVersion\Run

\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

The following endpoint app rule detects this persistence technique used by Agent Tesla:

BOC = [Community] Possible Agent Tesla persistence

Agent Tesla can also create a scheduled task, using schtasks.exe or at.exe to add and modify task schedules:

Process created: "C:\Windows\System32\schtasks.exe" /Create /TN "<task name>" /XML "C:\Users\<user>\AppData\Local\Temp\<malware filename>.tmp"

The following endpoint app rule detects this persistence technique:

BOC = [Community] Suspicious Scheduled Task Creation From Appdata Folder

Fingerprinting

The malware uses WMIC to query network adapter and BIOS information in order to detect whether it is running in a VM. It also gathers host information such as the PC name, username, processor, RAM, TCP hostname, DNS client, domain, and more.

Credential Stealing

The malware searches for web browsers installed on the host and steals the cookies, usernames and passwords stored in the browsers' files. Agent Tesla also tries to steal email, FTP, VPN, Windows and other login credentials from files, registry keys and memory.

Defense Evasion

One of the defense evasion techniques Agent Tesla uses to avoid discovery is adding its own image path as a Windows Defender exclusion:

Process created: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\<user>\AppData\Roaming\<malware filename>.exe"

BOC = evades scanning within windows defender

The malware also injects its payload into a legitimate foreign process, or creates subsequent processes, to evade detection.

Based on the information collected from the host, it can identify whether it is running in a VM or a sandbox.
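As an added illustration (not part of the original post and not NetWitness's own rule logic), the following Python script applies the two process-creation checks described in the Persistence and Defense Evasion sections above to a few constructed endpoint command lines. The command-line format, the sample paths and the rule-matching details are assumptions; the rule names mirror the BOC labels quoted in the post.

```python
import re

# Constructed sample endpoint process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updater" '
    r'/XML "C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\invoice.exe"',
    # Benign: a task query, and a task created from Program Files.
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Backup"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor" '
    r'/XML "C:\Program Files\Vendor\task.xml"',
]

# Any path under a user's AppData tree (Local, LocalLow or Roaming).
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def image_name(cmdline):
    """Lowercase basename of the executable at the start of a command line."""
    first = cmdline.strip()
    if first.startswith('"'):
        first = first[1:].split('"', 1)[0]
    else:
        first = first.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower()

def quoted_arg(cmdline, flag):
    """Value of the quoted argument following a flag, e.g. /XML "path" -> path."""
    m = re.search(re.escape(flag) + r'\s+"([^"]+)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def classify(cmdline):
    """Return the rule names (mirroring the post's BOC labels) a command line triggers."""
    img, hits = image_name(cmdline), []
    # Persistence: schtasks /Create whose task XML lives under AppData.
    if img == "schtasks.exe" and re.search(r"/create\b", cmdline, re.IGNORECASE):
        xml = quoted_arg(cmdline, "/XML")
        if xml and APPDATA_RE.search(xml):
            hits.append("Suspicious Scheduled Task Creation From Appdata Folder")
    # Defense evasion: PowerShell adding a Windows Defender path exclusion.
    if img == "powershell.exe" and re.search(r"add-mppreference", cmdline, re.IGNORECASE):
        if quoted_arg(cmdline, "-ExclusionPath"):
            hits.append("evades scanning within windows defender")
    return hits

def scan(cmdlines):
    """Pair every command line that fires a rule with the rule name."""
    return [(c, rule) for c in cmdlines for rule in classify(c)]
```

Running scan(SAMPLE_CMDLINES) flags only the first two command lines; the benign query and the task created from Program Files produce no hits.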

Capabilities

Apart from collecting user credentials and other sensitive information, Agent Tesla has the following capabilities:

  • Keylogging: captures keystrokes.
  • Taking screenshots: captures a screenshot and sends it in JPEG format.
  • Stealing clipboard data: harvests data from the system clipboard.
  • Uninstallation: the malware can uninstall itself.
  • Anti-analysis: terminates multiple antivirus, security and analysis programs running on the victim machine, and detects popular sandboxes and virtual environments.

Additionally, Agent Tesla can disable UAC, Task Manager, CMD, Run, Control Panel, Regedit, System Restore, etc., on a victim's machine.

Exfiltration

Agent Tesla versions 2 and 3 are both capable of using HTTP, SMTP and FTP to send the stolen data to the C2. In addition, v3 can send the data to a Telegram channel.

Conclusion and Solution

Agent Tesla is a malware designed to steal sensitive information that has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, information stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers.

Although Agent Tesla is in constant development and differs from variant to variant, understanding the malware family, its usual delivery methods and the techniques it uses is very beneficial for a SOC analyst, incident responder or threat hunter. NetWitness can aid in detecting the presence of Agent Tesla within your environment, so you can respond before this malware causes major loss in the form of data, intellectual property, exfiltration and/or financials.


References:

  • https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla
  • https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla
  • https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/
  • https://attack.mitre.org/software/S0331/
  • Agent Tesla amps up information stealing attacks (Sophos News)

  • agenttesla
  • Malware
  • NetWitness Endpoint
  • rat
  • spyware
  • threat detection
© 2022 RSA Security LLC or its affiliates. All rights reserved.