The newest versions of the Agent Tesla malware target more applications for credential theft, use updated communication tactics, and pack new techniques for bypassing endpoint defense.
Sophos researchers today published a report on updates to Agent Tesla, a family of remote access Trojan (RAT) malware that has grown more popular in recent months. Its developers are buckling down on defense evasion with several techniques, such as targeting Microsoft's Anti-Malware Software Interface (AMSI), to slip past security tools and remain persistent on a device.
Agent Tesla, offered as a form of malware-as-a-service, has been active since 2014 and remains a common threat to Windows machines, researchers report. Many attackers use it to steal credentials and other information via screenshots, keyboard logging, and clipboard capture.
Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry.
"Since April of last year, the number of detections we've seen on it has skyrocketed," says Sean Gallagher, senior threat researcher at Sophos.
He cites two factors driving its growth: Agent Tesla's business model has matured to the point where it can reach a larger audience, and its developers have obfuscated the code in a way that prevents more advanced clients from reversing and using it themselves by changing parts of it.
"We think that the combination of them having a more mature business model, plus the rise of malware distribution-as-a-service — with different malspam operators, different botnets being used to distribute malicious content to targets — has really ramped up their ability to reach the scammer customers, the cybercrime customers they're trying to get to," Gallagher explains.
Researchers' analysis investigates two active versions of Agent Tesla, identified as version 2 and version 3. While the functionality of these versions is "largely the same," a few differences reflect how the RAT has evolved and its developers' focus on bypassing defenses. Version 2 changes are mostly obfuscation from the original version; version 3 brings more variation.
"The most concerning thing is that they've really beefed up their deployment malware," he says of the malware's newer versions.
Agent Tesla usually arrives as an attachment in a malicious email. Its first stage is a .NET-based downloader that pulls chunks of base64-encoded, obfuscated code for the second stage from websites such as Pastebin and "Hastebin," a Pastebin clone. After downloading these chunks, the downloader stage joins, decodes, and decrypts them to form the loader with the final payload.
The more recent versions of Agent Tesla use several methods to impede sandbox and static analysis. In addition to the use of packers to obfuscate code, multistage malware installers also bring in components which, in some cases, are hosted in plain sight on legitimate websites. The installer also attempts to overwrite code in Microsoft AMSI so the software is not effective.
If the targeting of AMSI is successful, it disrupts endpoint protection software that depends on it, researchers explain in a writeup of their findings. And because this happens in early in the execution process, it blocks any AMSI protection against other components of the first-stage downloader, the second-stage loader, or the final Agent Tesla payload.
Telegram, Tor, and More Agent Tesla Tricks
Agent Tesla v3 expands the number of applications targeted for credential harvesting. Its current list includes Google Chrome, Firefox, OpenVPN, Opera, Yandex, Chromium, Outlook, OperaMail, SmartFTP, WinVNC4, WinSCP, and FTPNavigator. Agent Tesla bundles stolen credentials with the host fingerprint data and transmits them back to command-and-control (C2) once during execution.
"The motivation for using Agent Tesla is I can steal credentials for cloud services, I can steal credentials for business email, I can steal credentials for other email, and I can leverage those accounts for other purposes," Gallagher explains.
Both v2 and v3 of the malware can be configured to communicate over HTTP, SMTP, and FTP. V3 adds the Telegram chat protocol as an option for C2, so exfiltrated data can be sent to a private Telegram chat room. The Telegram chat protocol is one-way only.
With the Telegram protocol, attackers don't even need an email address to receive stolen data, Gallagher points out, noting he hadn't previously seen much Telegram usage among attackers.
"Telegram is the hot new C2," he quips. "It's something everyone is adding to their malware as an option." This upgrade to Agent Tesla makes it more appealing to attackers who don't want to operate a lot of infrastructure. For a long time, attackers used SMTP for C2 communication because it only requires an email account. The Telegram protocol option requires even less.
V3 also gives the option of using a Tor proxy to improve HTTP communications. If it's chosen in the configuration file, the malware downloads and installs a Tor client from the official Tor site. This would conceal communications, but it could also be a warning sign for security teams.
"If I was running an organizational network and saw computers that never used Tor going onto Tor network, that would be a big red flag for me," Gallagher says. Because victims may not have firewalls set up to block outbound Tor traffic, that's another concern.
Versions 2 and 3 also differ in their obfuscation. In v2, there is one function to decrypt all of the strings for execution. V3 has a separate function for every encrypted string, and it's a much more arduous task to reverse them all. The attackers' goal is to make it more difficult for customers to look at the actual content, and for people to view the source code, he adds.
As Malware Improves, Its User Base Grows
When Sophos first started observing Agent Tesla, it was primarily used against targets in the Middle East and India. Starting with v2, it appeared in Egypt and other EMEA counties, says Gallagher. Over time, it began to generalize more, likely based on the customers who began to use it. The latest batch has been seen in the United States, Western Europe, and Australia.
"This has gone from being a niche tool for a particular type of cyber scammer … to being a fairly broadly applicable tool," he notes. One of the reasons Agent Tesla likely upgraded the malware is because they were getting caught more often and having less success in getting it deployed.
The evolving maturity of off-the-shelf malware begs the question of how usage will continue to grow following the disruption of Emotet's infrastructure last week. While Gallagher doesn't believe the impact of Emotet's takedown will last long term, he does predict the malware market will continue to grow as developers continue to refine and sell their attack tools.
"The people who do this get better and better at it, [and] people tend to focus on a tool that works," he says.
Over time, we'll begin to see the emergence of dominant products in specific categories, such as credential theft, backdoors, and remote execution. There is already a market of commodity malware that is widely available, customizable, and that anyone can be trained to use, he adds, and there is a demand for reliable products among cybercriminals of all types.
"They're relying on tried-and-true products to provide the capabilities; the infrastructure for them to get in," says Gallagher. "They don't want to rebuild the wheel."