Report Reveals More Information about Stealer Malware

By Emma Okonji

The latest Sophos research has exposed a seven-year-old information stealer that spreads through malicious email spam and remains a powerful threat to companies and organisations.

According to the report, the malware, called ‘Agent Tesla’ had been active for more than seven years, yet it remained one of the most common threats to Windows users.

Senior Security Researcher at Sophos, a global IT Security Company, Sean Gallagher, said: “The most widespread delivery method for Agent Tesla is malicious spam attachments. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised.

“Organisations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them.”

The report noted that Agent Tesla would steal information from web browsers, email clients, virtual private network clients, and other software that stores usernames and passwords, and could capture keystrokes while users are typing, for example entering their password, and record screenshots, so it can see what is on their screen.

The more recent version of the info-stealer can use the Telegram messaging service to communicate with its operators, as well as a software program called Tor that is very popular on the dark web to hide activity like the removal of stolen data.

It also tries to alter software code to block security protection.

The report said a variety of attackers use the malware to steal user credentials and other information from victims through screenshots, keyboard logging, and clipboard capture.

“Since the malware’s compiler hard-codes operator-specific variables at build time, Agent Tesla behavior can vary widely-and the malware continues to evolve. Recent changes increased the number of applications targeted for credential theft, including web browsers, email clients, virtual private network clients, and other software that store user names and passwords. The evolution of the tool also extends to its delivery package, with one version that now targets Microsoft’s Anti-Malware Software Interface (AMSI) in an attempt to defeat endpoint protection software,” the report said.

According to Gallagher, SophosLabs tracked multiple actors using Agent Tesla, including the ones behind the RATicate campaigns we began investigating in November of 2019. We’ve continued to see new variants in a growing number of attacks over the past 10 months; as recently as December 2020, Agent Tesla accounted for 20 per cent of malware email attachments detected in Sophos customer telemetry.

The Sophos report looked at the two currently active versions, which it identified as Agent Tesla version 2 and version 3. The differences between the two demonstrate how the Remote Access Trojan (RAT), has evolved, employing multiple types of defense evasion and obfuscation to avoid detection-including options to install and use the Tor anonymizing network client, and the Telegram messaging API, for command and control communications.

“The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more control communications options to their attacker customers,” the report added.

Related Articles