Agent Tesla | Old RAT Uses New Tricks to Stay on Top
As other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the most prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than even TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for at least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the COVID-19 pandemic new variants have been introduced with added functionality, and the malware has been widely used in Coronavirus-themed phishing campaigns.
Agent Tesla | Background & Overview
Agent Tesla is, at its core, a keylogger and information stealer. First discovered in late 2014, there has been steady growth in the use of Agent Tesla over the last 1-2 years. The malware was initially sold in various underground forums and marketplaces, as well as it’s very own AgentTesla.com site (now defunct) Agent Tesla, like many of its contemporaries, offered both the malware itself as well a management panel for administration and data collection and management. Information harvested from infected devices quickly becomes available for the attacker via the panel interface.
When originally launched, various ‘packages’ were available for purchase. Each package was basically differentiated by the license duration and build/update access. At the time, pricing was quite competitive with a 1 month license selling for $12.00 USD all the way up to 6 month licenses going for $35.00. It is also worth noting that, like many other tools of this nature, cracked and leaked versions of Agent Tesla were quick to appear.
Early versions of Agent Tesla also touted the full suite of features as one would expect to find in a modern RAT, including:
- Multi Language Support
- PHP Web Panel
- Automatic Activation upon payment (for direct customers)
- 24/7 support
- Stable and Fast execution
- Multiple delivery methods for keystroke logs, screenshots, and clipboard pulls
- Support for multiple Windows versions (XP upward)
Delivery Mechanism
Like many other threats, the primary delivery mechanism for Agent Tesla is email (phishing messages). Attackers are often timely with their social engineering lures, and the current pandemic is not off limits to the attackers. In the last few months, attackers have been observed spreading Agent Tesla via COVID-themed messages, often masquerading as information information or updates from the WHO (World Health Organization)
Actors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery. Specially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570, have been leveraged, even in present day campaigns. These and similar exploits allow for quick delivery and execution with minimal user interaction (beyond opening the malicious documents and allowing active content to proceed)
Feature Set of New Agent Tesla Variants
Over time, additional features have been added to Agent Tesla. These improvements include more robust spreading and injection methods as well as discovery and theft of wireless network details and credentials.
Currently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files. Our analysis of a swatch of current Agent Tesla samples reveals the following list of targeted software:
- 360 Browser
- Apple Safari
- Becky! Internet Mail
- BlackHawk
- Brave
- CentBrowser
- CFTP
- Chedot
- Chromium (general)
- Citrio
- Claws Mail
- Coccoc
- Comodo Dragon
- CoolNovo
- CoreFTP
- CyberFox
- Elements
- Epic Privacy
- FileZilla
- FlashFXP
- Flock
- Google Chrome
- IceCat
- IceDragon
- IncrediMail
- Iridium
- KMeleon
- Kometa
- Liebao
- Microsoft IE & Edge
- Microsoft Outlook
- Mozilla Firefox
- Mozilla Thunderbird
- OpenVPN
- Opera
- Opera Mail
- Orbitum
- PaleMoon
- Postbox
- QIP Surf
- Qualcomm Eudora
- SeaMonkey
- Sleipnir 6
- SmartFTP
- Sputnik
- Tencent QQBrowser
- The Bat! Email
- Torch
- Trillian Messenger
- UCBrowser
- Uran
- Vivaldi
- WaterFox
- WinSCP
- Yandex
Harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is dictated per the malware’s internal configuration, which also includes credentials (FTP or SMTP) for the attacker’s C2.
Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts.
For example, as we see in sample 4007480b1a8859415bc011e4981f49ce2ff7a7dd7e883fe70d9f304cbfefedea, a copy of RegAsm.exe (dropped into %temp%) is subsequently injected into. That new instance of RegAsm.exe is then responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see frequent use of ‘Process Hollowing’ as an injection method. Process Hollowing allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed) with that space then being reallocated with the desired malicious code.
Some examples get a litte less creative with regards to process creation and subsequent injection. For example, in sample b74bcc77983d587207c127129cfda146644f6a4078e9306f47ab665a86f4ad13, we can observe it creating hidden folders and processes in %temp%, and using those hidden process instances for the primary infection routines, and as the persistent process (set via Registry)
Para el ver artículo original: https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/
Últimos Artículos
