| Attribute | Detail |
| --- | --- |
| Type of Malware | RAT |
| Location (Country of Origin) | Turkey |
| Date of Initial Activity | 2014 |
| Associated Groups | Agent Tesla has been used by a variety of threat actors, including APT1, APT10, and APT15. |
| Motivation | Agent Tesla can steal data such as credentials from browsers, FTP clients, and wireless profiles, but its most common use is to obtain initial access that is then sold on the dark web. Although its native second-stage capabilities are less sophisticated than those of other malware families, it steals a wide array of sensitive information effectively, and it gives operators an easy-to-use panel for monitoring infections and downloading stolen data, which makes it an attractive choice for initial access brokers (IABs). |
| Attack Vectors | Phishing emails |
Agent Tesla is a RAT that targets Windows operating systems. It is sold on criminal forums as a Malware-as-a-Service (MaaS) offering, with capabilities that vary by the tier purchased: capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading additional malware onto the host. The Agent Tesla malware has been observed in spear phishing campaigns against multiple industries, including energy, logistics, finance, and government.
Tools/ Techniques Used
As first-stage malware, Agent Tesla provides remote access to a compromised system, which operators then use to download more sophisticated second-stage tools, including ransomware. It is delivered through phishing emails carrying .zip, .gz, .cab, .msi and .img attachments, or Microsoft Office documents with malicious Visual Basic for Applications (VBA) macros. Agent Tesla phishing campaigns are notorious for closely replicating a legitimate company's communication tone and visual template, including logos and fonts. Once the primary payload has been downloaded and executed on the target system, Agent Tesla inspects the local environment for debugging, virtualization, and sandboxing tools, and only continues to decrypt the remaining components of its payload if no analysis tooling is detected. The malware then connects to a C2 server to notify the attacker that a new victim is available for further exploitation.
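The delivery pattern described above (archive and disk-image attachments, plus Office documents that carry VBA macros) is easy to triage at the mail gateway. The script below is an added example, not code from the original page or from any vendor tooling: it parses an RFC 5322 message, flags the attachment extensions the profile lists, and opens OOXML Office attachments to check for an embedded `vbaProject.bin` (the part that holds a VBA project). The sample message, its attachments and the minimal OOXML containers are constructed inline so the script runs offline; the sender and recipient addresses, file names and verdict labels are assumptions for illustration.

```python
"""Triage e-mail attachments for the Agent Tesla delivery patterns above.

Added example (not from the original page or any vendor tooling). Flags the
container extensions the profile lists and Office documents that actually
carry a VBA project. The sample message below is constructed inline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Archive/disk-image extensions the profile associates with Agent Tesla lures.
CONTAINER_EXTS = {".zip", ".gz", ".cab", ".msi", ".img"}
# OOXML Office formats; a VBA project inside them is stored as vbaProject.bin.
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm"}
# Legacy binary Office formats are not zip-based; route them for manual review.
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt", ".dot"}


def _ext(filename):
    """Lower-cased final extension of a file name ('' if it has none)."""
    name = (filename or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML container holds a VBA project (macro-enabled content)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro project


def classify_attachment(filename, data):
    """Verdict labels are assumptions chosen for this example."""
    ext = _ext(filename)
    if ext in CONTAINER_EXTS:
        return "suspicious-container"
    if ext in OOXML_EXTS:
        return "office-macro" if ooxml_has_vba(data) else "office-clean"
    if ext in LEGACY_OFFICE_EXTS:
        return "office-legacy-review"
    return "other"


def triage_message(raw: bytes):
    """Return [(filename, verdict)] for every attachment of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append((fname, classify_attachment(fname, payload)))
    return results


def _build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip; with_macro adds a vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed invoice-themed lure; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please find the attached documents.")
    msg.add_attachment(_build_docx(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_2291.docm")
    msg.add_attachment(_build_docx(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Terms.docx")
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                       subtype="zip", filename="Shipping_Docs.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="brochure.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict in triage_message(build_sample_message()):
        print(f"{fname:20s} {verdict}")
```

Extension matching alone is a weak signal (a renamed payload or a nested archive evades it), which is why the OOXML check opens the container and looks for the macro project rather than trusting the `.docm` suffix; a `.docx` that contains `vbaProject.bin` is flagged just the same.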
Impact / Significant Attacks
COVID-19 PPE-themed phishing campaigns
Indicators of Compromise (IoCs)
Initial Infection File
Final Agent Tesla Payload