It may be unsophisticated but the Agent Tesla RAT is “street-wise,” adapting and evolving just enough to wreak havoc on organizations’ security efforts.
Recent improvements to the malware include more robust spreading and injection methods, as well as discovery and theft of wireless network details and credentials, according to an analysis by SentinelOne. Expanding its palette, Agent Tesla now can harvest configuration data and credentials from common VPN clients, FTP and email clients, and web browsers, exhibiting an ability to extract credentials from the registry as well as related configuration or support files.
“When combined with timely social engineering lures, these non-sophisticated attacks continue to be successful,” Jim Walter, SentinelOne’s senior threat researcher, wrote in a blog post that provided screenshots and specific code for injection drops. “Detection and prevention are key to reducing exposure to these threats.”
Noting that Agent Tesla “at its core is a keylogger and information stealer,” Walter said that in the past two years Agent Tesla has been observed in more attacks than TrickBot or Emotet, and only slightly fewer than Dridex, according to SentinelOne, with a sharper uptick since the beginning of 2020.
Like other malware, Tesla RAT has added COVID-19 to its many themes, coaxing email recipients in phishing campaigns with the promise of useful information on the pandemic.
“In the last few months, attackers have been observed spreading Agent Tesla via COVID-themed messages, often masquerading as information or updates from the WHO (World Health Organization),” said Walter.
Operators, who initially sold Agent Tesla on dark web marketplaces, forums and a now-defunct dedicated website, offer the RAT as part of various packages that make attacks easier to execute. The packages are priced competitively, offering, for example, a one-month license for $12, two months for $25, and six months for $35. As with most illicit trade, Agent Tesla has found itself competing with pirates’ leaked versions, SentinelOne’s analysis showed.
In addition to the RAT itself, a package typically contains a management panel that helps attackers administer the operation and manage data harvested from infected devices.
As with any legitimate software, early versions of Agent Tesla provided users with 24/7, multi-language support; a PHP panel; automatic activation upon payment; multiple delivery methods for keystroke logs, screenshots and clipboard pulls; and support for multiple Windows versions (XP and later).
SentinelLabs tracked Agent Tesla as attackers phished potential victims with malicious Office documents to facilitate first-stage delivery, exploiting Office vulnerabilities like CVE-2017-11882 and CVE-2017-8570.