Since COVID-19 cast its pall in March, the Agent Tesla remote-access trojan (RAT) has exploited the pandemic and added a raft of functionality that has helped it dominate the enterprise threat scene.
Though Agent Tesla first made a splash six years ago, it hasn’t lost any momentum – in fact, it featured in more attacks in the first half of 2020 than the infamous TrickBot or Emotet malware, according to SentinelOne’s SentinelLabs. In April, for instance, it was seen in targeted campaigns against the oil-and-gas industry.
This continued success in attacking businesses is thanks to its continued ability to adapt to the latest cyber-landscape, the firm noted, with a fresh passel of variants appearing over the course of the year so far. It has most recently been spreading via coronavirus-themed phishing campaigns, Jim Walter, senior threat researcher at SentinelOne, noted in research issued on Monday.
Historically specializing in keylogging and data-stealing, Agent Tesla’s new binaries offer “more robust spreading and injection methods as well as discovery and theft of wireless network details and credentials,” Walter wrote.
Further, it’s now able to harvest configuration data and credentials from a number of common VPN clients, FTP and email clients and web browsers, the researcher said. This includes Apple Safari, BlackHawk, Brave, CentBrowser, Chromium, Comodo Dragon, CoreFTP, FileZilla, Google Chrome, Iridium, Microsoft IE and Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser and Yandex, among others.
“The malware has the ability to extract credentials from the registry as well as related configuration or support files,” Walter explained. “Harvested data is transmitted to the command-and-control (C2) via SMTP or FTP. The transfer method is dictated per the malware’s internal configuration, which also includes credentials (FTP or SMTP) for the attacker’s C2.”
Another new trick for this old RAT is the fact that variants will now fetch secondary executables to install onto a victim’s machine, and then inject code into those second-stage binaries – as a detection-evasion method. The variants will also attempt to inject into known (and vulnerable) binaries already present on targeted hosts.
In one campaign, Walter’s team observed Agent Tesla dropping a copy of RegAsm.exe and injecting additional code into it; subsequently, RegAsm.exe became responsible for handling the main jobs of data-harvesting and exfiltration. The injection is done using process hollowing, the research noted, in which sections of a legitimate process’s memory are unmapped (hollowed) and that space is then reallocated and filled with the desired malicious code.
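A simple defensive check for the behaviour described above (a hollowed RegAsm.exe handling SMTP/FTP exfiltration), added here as an illustrative example that is not part of SentinelOne’s research; the log records are constructed, and the port and image lists are assumptions to tune per environment:

```python
import re

# Constructed Sysmon-style network-connection records (not real telemetry):
# one line per outbound connection, with the originating image and destination.
SAMPLE_EVENTS = r"""
2020-08-10T12:00:01Z Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe DestinationPort=587 DestinationIp=203.0.113.10
2020-08-10T12:00:02Z Image=C:\Program Files\Mozilla Thunderbird\thunderbird.exe DestinationPort=587 DestinationIp=198.51.100.5
2020-08-10T12:00:03Z Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe DestinationPort=21 DestinationIp=203.0.113.10
2020-08-10T12:00:04Z Image=C:\Windows\System32\svchost.exe DestinationPort=443 DestinationIp=192.0.2.8
"""

# Ports for the two exfiltration channels named in the research (assumed list).
EXFIL_PORTS = {21: "FTP", 25: "SMTP", 465: "SMTPS", 587: "SMTP-submission"}

# Binaries that have no legitimate reason to speak SMTP/FTP on their own;
# RegAsm.exe is the hollowing target named in the article (assumed list).
SUSPECT_IMAGES = {"regasm.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) Image=(?P<image>.+?) "
    r"DestinationPort=(?P<port>\d+) DestinationIp=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield one dict per well-formed record; malformed or blank lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "image": m["image"],
                   "port": int(m["port"]), "ip": m["ip"]}


def detect_exfil(text):
    """Return one alert per suspect image opening an SMTP/FTP connection."""
    alerts = []
    for ev in parse_events(text):
        name = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of a Windows path
        proto = EXFIL_PORTS.get(ev["port"])
        if name in SUSPECT_IMAGES and proto:
            alerts.append({"ts": ev["ts"], "image": name,
                           "protocol": proto, "dest": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['image']} -> {a['dest']} via {a['protocol']}")
```

Thunderbird’s own SMTP traffic is not flagged, while both RegAsm.exe connections are, which is the signal a hunt for this campaign’s exfiltration stage would key on.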
Other improvements can be seen in the malware’s execution behavior. Upon launch, the malware gathers local system information, installs the keylogger module and initializes routines for discovering and harvesting data. Part of this process includes the ability to discover wireless network settings and credentials.
“Agent Tesla has been around for several years now, and yet we still see it utilized as a commodity in many low-to-mildly sophisticated attacks,” Walter concluded. “Attackers are continually evolving and finding new ways to use tools like Agent Tesla successfully while evading detection.”