A Trojan dubbed as ‘Agent Tesla’ is using new evasive techniques to disable endpoint protection before they deliver the malware and install and run the payload, according to a recent report by Sophos.
In its new research, ‘Agent Tesla Amps Up Information Stealing Attacks,’ Sophos revealed that the Trojan’s techniques feature a multi-stage process where a .NET downloader grabs chunks of malware from legitimate third-party websites such as pastebin and hastebin – where they are hosted in plain sight – and then joining, decoding and decrypting the chunks to form the loader that carries the malicious payload.
SEE ALSO: Sophos recognised as an authority for identifying cybersecurity vulnerabilities
At the same time, the malware attempts to alter code in Microsoft’s Anti-Malware Software Interface (AMSI) – a Windows feature that enables applications and services to integrate with installed security products – so that AMSI-enabled endpoint security protection doesn’t work, and the payload can download, install and run without being blocked.
Agent Tesla is a widely used information stealer and Remote Access Tool (RAT), known since 2014. The creators advertise it for sale on dark-web forums and constantly update it. Attackers generally distribute the malware through malicious spam emails as an attachment.
“Agent Tesla malware has been active for more than seven years, yet it remains one of the most common threats to Windows users. It has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners,” said Sean Gallagher, senior security researcher, Sophos. “A variety of attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging and clipboard capture.
YOU MIGHT ALSO BE INTERESTED IN: Emotet: International authorities take down world’s most dangerous malware
“The most widespread delivery method for Agent Tesla is malicious spam—such as the emails we highlighted in our RATicate research. Sophos believes that cybercriminals will continue to update the malware and modify it to evade endpoint and email protection tools. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organisations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them.”
Sophos recommend IT administrators to do the following:
- Install an intelligent, security solution that can screen, detect and block suspicious emails and their attachments before they reach users
- Implement the recognised authentication standards to verify emails are what they claim to be
- Educate employees to spot the warning signs of suspicious emails and what to do if they encounter one
- Advise users to double check that emails come from the address and the person they claim to
- Advise users to never open attachments or click on links in emails from unknown senders
