Agent Tesla - How Does It Work in 2023?

Agent Tesla

March 13, 2023

Agent Tesla is able to track and collect keystrokes, take screenshots, and obtain credentials used in various system applications (eg Google Chrome, Mozilla Firefox, Microsoft Outlook, IceDragon, FILEZILLA, etc.)

Agent Tesla (hereinafter referred to as malware) is a remote-access trojan that is active for a long period of time. It was first spotted in 2014, and through the years seen the usage for different purposes. Offering a wide range of functions of a backdoor, this malware showed up multiple times in cyberattacks on corporations. However, it works well on single users, as it was proven over the last few years. It is an advanced remote access trojan (RAT) written in languages ​​used in Microsoft .Net (C#, Visual Basic .NET, C++/CLI, etc.).

Currently, the SSP is able to track and collect keystrokes, take screenshots, and retrieve credentials used in various system applications (e.g. Google Chrome, Mozilla Firefox, Microsoft Outlook, IceDragon, FILEZILLA, etc.). Agent Tesla appeared in 2014 and since then served as a keylogger and password stealer. This spyware is commercial, a license for its use can be purchased on the developers' website (it is indicated that Agent Tesla should be used only within the limits defined by law).

Pricings for Agent Tesla RAT (screenshot from one of the sites that is closed at the moment)

The data that Agent Tesla transmits to attackers from an infected device is encrypted with the Rijndael algorithm (Advanced Encryption Standard (AES), a symmetric block encryption algorithm) and further encoded with a non-standard base64 function. The information transmitted to the command and control (C&C) server is constantly updated, according to the set timer, as well as the program itself, when updated, the previous instance is destroyed.

Various network protocols are used to transfer data to the command and control server, namely SMTP, HTTP, and FTP. To identify an infected device, the command-and-control server transmits such identifiers as computer name, user name, drive serial number, and others. A dynamic address change mechanism is used to determine the address/domain name of the command and control server. For stable and constant work in the system, Agent Tesla is registered in autoload, registry, and task scheduler.

Received Agent Tesla samples

Agent Tesla distribution

Pretty much any malware that had such a long lifecycle should have numerous adjustments to its spreading tactic. However, that is not a story about Agent Tesla. These days, in 2023, it spreads with the same email spam as it did at the very beginning. But such a situation is rather related to the way the world around me changed. While in 2014-2019 email phishing was not very efficient, the pandemic of 2020 gave a punch to the use of lettering for notifications, work communication, and so on. One may say, Agent Tesla developers foreseen the future and opted for one of the most prevalent ways of spreading nowadays 8 years ahead of its actual time.

The way this malware gets to its owners is also not typical for regular malware. Instead of shady Darknet deals or taking part in the affiliate programs, you can simply buy it from their website. Of course, its address is changing constantly, so it is not as easy as buying the Netflix subscription. Key ways the actual address is promoted are hackers’ forums. The site tries to look utterly legit, but the description of Agent Tesla functionality clearly points at its malignant nature. It also features a Discord server dedicated exclusively to selling this RAT. After purchasing, clients receive access to a full-fledged admin panel.

Administrative panel of Agent Tesla RAT

How does Agent Tesla work?

RATs that aim at data stealing are generally designed to remain as stealthy as possible. The more time they will remain within the system – the more valuable data they will possibly access. First of all, Agent Tesla aims at getting into the system in a manner that should raise no suspicion. This lays upon the shoulders of ones who spread it – and they do this perfectly fine. In most cases this malware is delivered through spear phishing, so the victim thinks it is dealing with a routine correspondence or an expected letter. Such a phishing email commonly contains a MS Word or Excel file, which asks to enable macros execution right after opening it. The most common breach among numerous ones present in MS Office is Equation Editor’s vulnerability CVE-2017-11882.

The example of an Excel file that asks you to enable macros execution

Once you allow the macros execution, eqnedt32.exe (the aforementioned Equation Editor) connects to a command and control server and gets the payload. Common place for the Agent Tesla file is the Temp folder in the user’s directory. Actually, the file that initially arrives at a target system has seemingly nothing related to the threat. However, two unpacking stages sets it up for work. First, the initial file goes through deobfuscation and launches the representative.dll library. As we witnessed during the Agent Tesla code analysis, it contains chaotically added “@” symbols and “000” sequences throughout pretty much every section.

In the process of operating with representative.dll, malware creates ResourceManager and then collects the information from the ApplicationTru bitmap image, present inside of the initial file. This image contains the PE file which contains instructions for loading the other DLL, called CF_Secretaria.dll. This library is known for being used by different other malware in order to gain persistence in the infected environment. After finishing the decryption process, representative.dll loads the CF_Secretaria.dll to the memory and grants it control over the further actions. The latter is executed using the CallByName function.

This DLL is obfuscated as well, with a massive usage of UTF8 encoding. It proceeds once again with creating ResourceManager. Using it, DLL reads another two PE files that contain the final payload and decryption key correspondingly. Once the payload is decrypted successfully, it gets hollowed into the original executable file, and there malicious action begins. After the hollowing, the file receives a new, completely random name.

Agent Tesla data stealing process

As we stated above, Agent Tesla gathers a wide range of information regarding the attacked system. Among them are computer name, DNS client, domain, TCP hostname and parameters. This actually happens immediately after the malware launch. But before running, malware also performs the geolocation checkup, likely to weed out launches in the banned regions. The next stage of this attack involves scanning the system for browsers that can act as a source of data. Overall, this infostealer looks for 26 names.

After locating the browsers, it goes to their directories and seeks for a login data file. They’re generally stored in an encrypted form or as a hash. Malware will take it either, regardless of its form. Cookies are yet another target of Agent Tesla. They can easily contain information about login and password, thus stealing and decrypting them may be a rather profitable deed.

The action that follows digging in the browsers’ guts may differ depending on the presence of different application software. For example, Agent Tesla is capable of obtaining the credentials for MS Outlook, regardless of the used connection protocol. Another typical target is OpenVPN and NordVPN – malware gets into the config files and retrieves the login credentials. If any FTP clients are present, it tries to get the login information from them as well.

As a bonus, infostealer is capable of logging the keystrokes and making screenshots. After gathering all the data that may be interesting for the threat actor, it encrypts the resulting package and communicates with its C&C via TOR client. If the latter is not present in the system at the moment of action, it can download it directly from the official TOR website. To send the data, it uses email messages that have the computer configuration as a title.

How to avoid infection by Agent Tesla?

Similar to other malware that bears upon email spam as a distribution method, Agent Tesla may be prevented from breaking into your system by your attentiveness. Looking thoroughly at the email body and remembering if you’re waiting for something will not be enough though. As it was mentioned, the vast majority of Agent Tesla cases are related to spear phishing. This is a sophisticated tactic that often relies on getting extended information about the victim. The latter is generally done with the use of OSINT practices in your social networks and even personal messages. Hence, you should apply a way more broad list of actions to stay safe.

Be attentive to the emails. “Not enough” does not mean “not needed”. The fact that spear phishing is way more complicated and realistic requires even more attention. You should check out the things that are not obvious, and even think about the behaviouristic side of a problem. Why does this notice appear? Why did your colleague suddenly decide to resend the document that was OK from the beginning? Ask yourself such questions each time you see a questionable message.

Email message that tries to look legit and contains what looks like a genuine invoice.

Another side of check-up is email address. Spear phishing will definitely not use random emails. To have a convincing appearance, crooks create an address that tries to be as close to the genuine one as possible. At a glance, [email protected] may look as a legit Uber support address. However, Uber generally uses email addresses from its own domain – uber.com. Same story may happen with Amazon, Ebay, Microsoft and any other well-known brand. Consider visiting their sites in order to find the list of genuine email addresses, or contacting them directly to ask if the message is genuine. May look like too much fuss around a simple email, but taking care of your privacy is never too much.

Avoid launching macros. Most email phishing attempts rely on tricking the recipient into opening the attached file and running the embedded macros. Numerous vulnerabilities macros have made it possible to deliver malware to the system without triggering the security system. Windows have their execution disabled by default, but both email letter and the contents of the attachment will try to convince you to enable them. Don’t bait on these messages, and even if you deliberately enabled them for a benevolent reason – disable them as soon as possible. Once enabled, they will execute malicious code in the attachment right after you’d try to open it.

Try to minimise operations under Administrator privileges. There’s a stereotypical habit typical for a great number of users – setting up your Windows account with administrator privileges. They are not needed that much these days – in the cases when a certain program really requires these rights, you can simply type the admin password. Having an administrator account means giving malware a chance to execute in the background silently. Meanwhile, with a user account, you will receive a notification and privileges escalation request, which will reveal you the suspicious activity. That is not a panacea, as malware can find the way to escalate privileges circumventing your approval, but will reduce the dynamics and thus give you more time to detect malware.

User Account Control (UAC) will request your password each time a program needs administrator privileges

Use decent anti-malware software. Multiple layers of obfuscation and encryption allow Agent Tesla to squeeze through a great number of anti-malware software without being detected. In fact, to stop such sophisticated malware you should apply the tools that have the most advanced detection methods. GridinSoft Anti-Malware features three different systems that can provide the required protection. Signature-based detection, an alpha and omega of all antiviruses, is complemented with heuristic detection and neural engine. Acting jointly, they can detect and neutralise even the newest malware samples.

Agent Tesla Indicators of compromise (IoC) in 2023

Hashes

SHA256: 549BD25AE59EA6BD846D4ADE0CFDA021A48D887BA83209BD651A8F754E0B3419
SHA256: FFA7EDD5252C336F515FA20A38614FB21D69AEA7A282BAA24A7B91FED8962831
SHA256: 4C5FED31576F3794C65C90668DA4380AE9F16B6552EB2E820D8A7FB1CC98E89F
SHA256: 73C2ED14D89BC88F0F44F81DE2125BCDF509AE678F8E547815BF88B100C7D164
SHA256: FD5162D43BAB3B520E5EE2277360563D33C120C595DE366B3F32BA2AE19256B1
SHA256: 7F2FF2707522F96EA98A858BB895BCF72B9FDC1F457FD5AB892312BEE7DD6882
SHA256: DA935E2D8D4F241EAEFA9E024AD88A6A02B3F39196E0A169F477D3B5638884B0
SHA256: A6189C5B3ADA0B652E4AC87C3ED67A64AC16C6FD8F73EF650D5A6193DF8BF8AF
SHA256: F1F0AD851087C3FA057D82028FD5242AF6D73D6F5CF89BDF207E414EA952DF04
SHA256: E42292302FA24020BDFB2650FEB315D1C075D81A10BE0C7993A5915EFA5C1979
SHA256: EB13648DBA7AD4A185D571C8048C06A893266AE850516A6B5DB246E56B619D3A
SHA256: 3BC13222DDA2108AB44AF85D1F9BF9E0FE67524E15D409FE07B68BB5D08B1576
SHA256: 462A9BA6A6E7D76FE7271FE4F5E77C70362FA0E103E559433A88B0D79264A131
SHA256: 14ED7CFBBFF1D50464680875332052A04A19E55519B83A88749B6A2AE8D6D883
SHA256: D3DF2BDBC9BC3062D1432C39ACB8D3340B33424BA2A1D4AAE43D762AF636DC5C
SHA256: 18E15B5D7924548AF144CF5449EDA73C8D67C093A6C945AC00DB6DE533FF13DB
SHA256: FB948365420FB40A1F19FDB12B15670C15B1EB8626D6E12F792184683E72B557
SHA256: E20D7D444AD9CE30CC4ECE0D516A4CADA39B67A999CC5854A7F7FFB4F3EDBF9C
SHA256: 5C3DB7A9AEFC84E986C525B61473A8A9CCA36AFA979935FB66CB34F32F7D204E
SHA256: 980572025579FF98C1AB84AA8C0C045E075D174BC5BB166E2694590C98F90A54
SHA256: 8A1605166FE27BC789442FAC3CCD1520C6F7EC4E66249FF3ED38E9D836BA29BB
SHA256: 9705354879B69702831083E4C3113E7F61C2D33A8EFF41A73C7C1CA678DF9588
SHA256: 3B5DE5724EE7AB07F0FF37EF5E719AFE8E98527CF8CC29DBB4B9FE4C198014BF
SHA256: 6DD20082FAF4C07F30A39327695EC299B02431C6C80F7FDB93B7DE163CF4581A
SHA256: 80D6B393B61DDA91362A0A079FB834CC07BE6740E6ACA88FD94103296E0200D0
SHA256: A364A507073EE4D773DE8EB2F05B7033EFEFB192A873930FBAB354992DAD08C3
SHA256: B28F6EDBE799C315DF12CB36ACEDBE68B1C789B91B4977584E352D5147DDB702
SHA256: FDFB19C529C28DC9B79F55A39A51A47DC1466EF230918023EE4B29F3EAB7B1F5
SHA256: 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA256: 67F459D9530512EA4407AFA0049CE95FD963C618DA1046E7580362BDB3ED91DD
SHA256: 56A61925BEE931749416572822537DA2226BF5348E3173A6E25BBB826014DBE4

IP addresses

URLs