Researchers may have tracked down the threat actor behind the elusive Agent Tesla malware strain that has recently seen a surge in popularity.
KrebsOnSecurity traced the WordPress site domain that originally sold the malware to a man from Antalya, Turkey named Mustafa can Ozaydin, and to an email address used by a Turkish individual of the same name. The email address was linked to a YouTube channel containing a video instructing users how to install an Agent Tesla control panel to keep track of systems infected with the malware.
Researchers also found various other social media pages with similar profile pictures that may belong to Ozaydin; these pages do not mention the malware, only various IT-related activities.
While the easy-to-use password-stealing program Agent Tesla is functionally no different from more mainstream “remote administration tools” like GoToMyPC, VNC, or LogMeIn, it has a multitude of features designed to help it remain undetected on host computers.
The site currently selling Agent Tesla explicitly states that the software is not malware and is strictly “for monitoring your personel [sic] computer,” while emphasizing that any users caught doing otherwise will have their software licenses revoked and subscriptions canceled.
Researchers and law enforcement take issue with these claims, considering that the Agent Tesla Web site’s 24/7 technical support is full of support personnel instructing purchasers on how to evade antivirus detection, exploit software vulnerabilities to deploy the product, and secretly bundle the program inside other file types such as images, text, audio and even Microsoft Office files.