Sophos today released a new report on the malware Agent Tesla: “Agent Tesla Amps Up Information Stealing Attacks”. In it, the IT security specialists describe how attackers use new techniques to disable endpoint protection before injecting the malware into the system.
Agent Tesla is a widely used remote access tool (RAT) that has been known since 2014 and is used by attackers to steal data; new details of the attacks have now come to light. Its creators offer it for sale on dark web forums and update it continuously. Cyber criminals typically distribute Agent Tesla as an attachment to spam emails.
A multi-stage process infiltrates the system
The technique is a multi-stage process in which a .NET downloader fetches the individual malware components from legitimate third-party websites, such as pastebin and hastebin, and then assembles them into the finished malware. At the same time, the malware tries to tamper with the code of Microsoft's Antimalware Scan Interface (AMSI), a Windows interface through which applications and services can hand content to the installed security product for scanning. In this way the cyber criminals disable AMSI-enabled endpoint protection so that the malware can be downloaded, installed and executed without hindrance.
Report describes the procedure
The new report from Sophos describes in detail the two versions of Agent Tesla that are in circulation. Both carry the latest updates, such as changes to the number of applications targeted for credential theft. These include web browsers, email clients, virtual private network clients, and other software that stores user names and passwords. There is also the option of capturing keystrokes and taking screenshots.
The differences between the two versions show how attackers have recently developed the RAT and now use several techniques for security evasion and obfuscation. These include options for installing and using the anonymizing network client Tor, using the Telegram messaging API for command and control (C2) communication, and targeting Microsoft's AMSI.
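Detection logic for the behavior chain described above, as an added example that is not from the Sophos report: it correlates constructed per-host network events and flags a host where a fetch from a paste site is followed shortly afterwards by a contact to the Telegram bot API or to a typical Tor port. The log format, the time window and the Tor port list are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed indicator lists for the demo: the report names pastebin/hastebin
# and the Telegram API; the Tor ports are an assumption made for this example.
PASTE_SITES = {"pastebin.com", "hastebin.com"}
C2_DOMAINS = {"api.telegram.org"}
TOR_PORTS = {9001, 9030, 9050}
WINDOW = timedelta(minutes=10)   # how close the two stages must be to count as one chain

# Constructed sample log, one event per line:
# "<iso-time> <host> <process> <destination> <dest-port>"
SAMPLE_LOG = """\
2021-02-02T09:00:01 WS-17 dropper.exe pastebin.com 443
2021-02-02T09:00:03 WS-17 dropper.exe hastebin.com 443
2021-02-02T09:04:30 WS-17 dropper.exe api.telegram.org 443
2021-02-02T09:05:00 WS-22 chrome.exe pastebin.com 443
2021-02-02T09:10:00 WS-31 outlook.exe mail.example.com 443
2021-02-02T09:15:00 WS-40 update.exe pastebin.com 443
2021-02-02T09:20:00 WS-40 svchost.exe 203.0.113.5 9001
2021-02-02T11:30:00 WS-22 chrome.exe api.telegram.org 443
"""

def parse(line):
    ts, host, proc, dest, port = line.split()
    return datetime.fromisoformat(ts), host, proc, dest, int(port)

def is_c2(dest, port):
    # Telegram bot API by name, Tor by destination port (both from the report's description)
    return dest in C2_DOMAINS or port in TOR_PORTS

def find_suspicious_chains(lines):
    """Return one (host, process, destination) tuple per host where a paste-site
    fetch is followed within WINDOW by a Telegram-API or Tor-port contact."""
    events = sorted(parse(l) for l in lines if l.strip())
    last_paste = {}          # host -> (time, process) of the most recent paste-site fetch
    findings, flagged = [], set()
    for ts, host, proc, dest, port in events:
        if dest in PASTE_SITES:
            last_paste[host] = (ts, proc)
        elif is_c2(dest, port) and host in last_paste and host not in flagged:
            paste_ts, paste_proc = last_paste[host]
            if ts - paste_ts <= WINDOW:
                findings.append((host, paste_proc, dest))
                flagged.add(host)
    return findings

if __name__ == "__main__":
    for host, proc, dest in find_suspicious_chains(SAMPLE_LOG.splitlines()):
        print(f"{host}: {proc} fetched from a paste site, then {dest} was contacted within {WINDOW}")
```

WS-22 is not flagged because its Telegram contact comes hours after the paste fetch, which shows why the window matters for keeping false positives from ordinary browsing down.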
"Agent Tesla malware has been active for more than seven years, but it remains one of the most common threats facing Windows users. It ranks among the top malware families distributed via email in 2020. In December, Agent Tesla accounted for around 20 percent of malicious email attacks intercepted by Sophos scanners," said Michael Veit, Technology Evangelist at Sophos. "A variety of attackers use the malware to steal user credentials and other information through screenshots, keyboard logging, and clipboard capture."
Sophos recommends the following for IT administrators
- Install an intelligent security solution that scans, detects and blocks suspicious e-mails and their attachments before they reach the user.
- Establish effective authentication standards to verify that emails are what they claim to be.
- Train employees to recognize the warning signs of suspicious email and what to do when they come across one.
- Sensitize users to check whether e-mails really come from the address and person they claim to.
- Advise users never to open attachments or click on links in e-mails from unknown senders.
The Sophos endpoint protection Intercept X detects the Agent Tesla installer malware and the RAT with the help of machine learning technology as well as the signatures Troj/Tesla-BE and Troj/Tesla-AW.
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.