Agent Tesla | |
Type of Malware | Trojan |
Targeted Countries | Australia |
Date of Initial Activity | 2014 |
Associated Groups | Bingosa |
Motivation | Espionage |
Attack Vectors | Phishing |
Targeted Systems | Windows |
Overview
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS) offerings. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host. The Agent Tesla malware has been observed in spear phishing campaigns against multiple different industries, including energy, logistics, finance, and government.
Targets
The Agent Tesla malware has been observed in spear phishing campaigns against multiple different industries, including energy, logistics, finance, and government.Tools/ Techniques Used
As first-stage malware, Agent Tesla provides remote access to a compromised system that is then used to download more sophisticated second-stage tools, including ransomware. Agent Tesla delivers emails attached with .zip, .gz, .cab, .msi and .img files and Microsoft Office documents with malicious Visual Basic Application (VBA) macros to compromise victim systems. Agent Tesla phishing campaigns are notorious for precisely replicating a legitimate company’s communication tone and visual template, including logos and fonts. Once its primary payload has been downloaded and executed on the target’s system, Agent Tesla evaluates the local system environment to determine if debugging, virtualization, or sandboxing tools are present. It only continues to decrypt subsequent components of its primary payload if malware analysis tools aren’t present. Next, the malware connects to a C2 server to notify the attacker that a new victim is available for further exploitation.
Impact / Significant Attacks
COVID-19 PPE-themed phishing campaigns
