Name | Agent Tesla |
Type of Malware | RAT |
Location – Country of Origin | Turkey |
Date of initial activity | 2014 |
Associated Groups | Agent Tesla has been used by a variety of threat actors, including APT1, APT10, and APT15. |
Motivation | Agent Tesla can steal data such as credentials from browsers, FTP clients, and wireless profiles, but its most common use case is to secure initial access that can then be sold on the Dark Web. Although Agent Tesla’s native second-stage capabilities are not as sophisticated as those of other malware families, it can effectively steal a wide array of sensitive information. It also provides attackers with an easy-to-use interface for monitoring the attack process and downloading stolen information, making it an attractive choice for initial access brokers (IABs). |
Attack Vectors | Phishing emails |
Targeted System | Windows |
Overview
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as a Malware-as-a-Service (MaaS) offering. Its capabilities vary with the version purchased and include capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Targets
The Agent Tesla malware has been observed in spear phishing campaigns against multiple different industries, including energy, logistics, finance, and government.
Tools / Techniques Used
As first-stage malware, Agent Tesla provides remote access to a compromised system, which is then used to download more sophisticated second-stage tools, including ransomware. Agent Tesla is delivered by phishing emails carrying .zip, .gz, .cab, .msi and .img attachments, or Microsoft Office documents with malicious Visual Basic for Applications (VBA) macros, to compromise victim systems. Agent Tesla phishing campaigns are notorious for precisely replicating a legitimate company’s communication tone and visual template, including logos and fonts. Once its primary payload has been downloaded and executed on the target’s system, Agent Tesla inspects the local environment for debugging, virtualization, or sandboxing tools and only decrypts the subsequent components of its primary payload if no analysis tools are present. The malware then connects to a C2 server to notify the attacker that a new victim is available for further exploitation.
Impact / Significant Attacks
COVID-19 PPE-themed phishing campaigns
Indicators of Compromise (IoCs)
Domains
Mail[.]euroinkchemical[.]ro
mail[.]nobilenergysolar[.]com
SHA256 Hashes
Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45
XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
Final Agent Tesla Payload
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
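As an added example (not part of the original profile), the script below turns the IoCs listed above and the delivery attachment types described under Tools / Techniques into a simple log sweep: it refangs the `[.]`-defanged domains, matches SHA256 values against the hash list, and flags the archive/installer extensions the profile names. The log formats (`query=`, `sha256=`, `attachment=` fields) and the sample lines are constructed for this example; the macro-enabled Office and XLL extensions are an assumption based on the profile's mention of VBA macros and XLL droppers.

```python
import re

# Indicators copied from the profile above (domains are defanged with "[.]").
DEFANGED_DOMAINS = ["Mail[.]euroinkchemical[.]ro", "mail[.]nobilenergysolar[.]com"]
SHA256_IOCS = {
    "7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45": "initial infection file",
    "fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0": "XLL dropper",
    "7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12": "XLL dropper",
    "12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080": "Agent Tesla payload",
    "5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c": "Agent Tesla payload",
}
# Attachment containers the profile lists, plus macro-enabled Office / XLL (assumption).
RISKY_EXTENSIONS = {".zip", ".gz", ".cab", ".msi", ".img", ".docm", ".xlsm", ".xll"}

def refang(domain: str) -> str:
    """Turn a defanged indicator back into a real, lowercased hostname for matching."""
    return domain.replace("[.]", ".").lower()

def scan_log(lines):
    """Return (line_no, reason) pairs for lines touching a page IoC or a risky attachment.
    Assumed (constructed) log shapes: DNS lines carry 'query=<host>', EDR lines carry
    'sha256=<hex>', and mail-gateway lines carry 'attachment=<filename>'."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query=([\w.-]+)", line)
        if m and m.group(1).lower().rstrip(".") in domains:
            hits.append((n, f"DNS query for known Agent Tesla host {m.group(1)}"))
        m = re.search(r"sha256=([0-9a-fA-F]{64})", line)
        if m and m.group(1).lower() in SHA256_IOCS:
            hits.append((n, f"file hash matches {SHA256_IOCS[m.group(1).lower()]}"))
        m = re.search(r"attachment=(\S+)", line)
        if m:
            name = m.group(1).lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                hits.append((n, f"risky attachment type {ext}: {m.group(1)}"))
    return hits

# Constructed sample log lines: one C2 lookup, one payload hash (upper-case), one .img lure.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 dns client=10.0.0.5 query=mail.nobilenergysolar.com type=A",
    "2024-01-01T10:00:02 dns client=10.0.0.5 query=www.example.org type=A",
    "2024-01-01T10:00:03 edr host=WS01 path=C:\\Users\\a\\invoice.exe "
    "sha256=12A978875DC90E03CBB76D024222ABFDC8296ED675FCA2E17CA6447CE7BF0080",
    "2024-01-01T10:00:04 mailgw from=billing@example.org attachment=PPE-order.img",
    "2024-01-01T10:00:05 mailgw from=hr@example.org attachment=policy.pdf",
]

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Hash matching only catches the exact samples listed; pair it with behavioural detections (office processes spawning script hosts, credential-store reads) since Agent Tesla builds are repacked frequently.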