A new variant of the Agent Tesla malware has been discovered in a phishing campaign, according to researchers at FortiGuard Labs. This malware is known for stealing credentials, keystrokes, and screenshots of the active window from a victim’s device. The stolen data is then exfiltrated to the malware operator by email over the SMTP protocol. The main targets of this malware are Windows devices.
Agent Tesla is not a new name in the malware world. It is a notorious malware family that has been around for some time. In fact, it is also offered as a Malware-as-a-Service tool, allowing even less experienced threat actors to use it for their malicious activities. The malware variants primarily use a data stealer and a .NET-based RAT (remote access trojan) to gain initial access to targeted devices.
The new Agent Tesla variant has been observed in a phishing campaign that tricks users into downloading the malware. The phishing email masquerades as a Purchase Order notification from an industrial equipment supplier. It contains a malicious MS Excel attachment with the filename Order 45232429.xls. The document is in OLE format and contains crafted equation data that exploits an old Equation Editor vulnerability known as CVE-2017-11882/CVE-2018-0802. This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through a technique called process hollowing, in which the attacker replaces the in-memory code of a legitimate process with malicious code.
The malware uses a shellcode to download and execute the Agent Tesla file (dasHost.exe) from a specific link. The downloaded file is a .NET program protected by IntelliLock and .NET Reactor. To avoid detection and analysis, the relevant modules of the malware are encrypted/encoded in the Resource section.
It is noteworthy that Microsoft released fixes for the CVE-2017-11882/CVE-2018-0802 vulnerability in 2017 and 2018, respectively. However, many devices remain unpatched, allowing threat actors to exploit this vulnerability to infect Windows devices. FortiGuard Labs reports that it observes around 1300 vulnerable devices daily and mitigates thousands of attacks per day at the IPS level.
Once the malware infects a device, it starts stealing stored credentials from various applications and email clients. The list of targeted software and email clients is quite extensive and includes popular web browsers, email clients, and FTP clients, among others. The malware also sets a keyboard hook to monitor low-level keyboard inputs and steals information whenever the victim types something on the device. It sends the stolen information to the attacker via SMTP.
To maintain persistence on the infected device, Agent Tesla employs one of two methods: it either creates a scheduled task in Windows Task Scheduler or adds an auto-run entry in the Windows Registry. Either method ensures that the malware executes every time the system restarts.
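The two behaviours described above, EQNEDT32.EXE spawning a child process and persistence through a Run key or a scheduled task, are what a defender would look for in endpoint telemetry. The following is an added example, not code from FortiGuard Labs or the article, that runs simple detection rules over constructed Sysmon-style events; the file paths, SID and task name are made up, and only the dasHost.exe filename comes from the article.

```python
# Added example (not FortiGuard Labs' or the article's code). Flags the two
# behaviours the article describes over constructed Sysmon-style events:
# event 1 = process creation, event 13 = registry value set.
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int         # Sysmon event ID: 1 process create, 13 registry set
    image: str            # process that performed the action
    parent_image: str     # parent process (event 1) or "" (event 13)
    detail: str           # command line (event 1) or registry path (event 13)


def exe_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, offending image) pairs in the order events were seen."""
    alerts = []
    for e in events:
        if e.event_id == 1:
            # Equation Editor is started via DCOM and has no reason to spawn
            # children; any child process points at CVE-2017-11882/0802 abuse.
            if exe_name(e.parent_image) == "eqnedt32.exe":
                alerts.append(("eqnedt32-child-process", e.image))
            # Task-based persistence: report the parent that ran schtasks.
            if exe_name(e.image) == "schtasks.exe" and "/create" in e.detail.lower():
                alerts.append(("scheduled-task-persistence", e.parent_image))
        elif e.event_id == 13 and "\\currentversion\\run" in e.detail.lower():
            # Registry auto-run persistence (Run / RunOnce keys).
            alerts.append(("run-key-persistence", e.image))
    return alerts


# Constructed sample telemetry; paths, SID and task name are invented.
PAYLOAD = r"C:\Users\victim\AppData\Roaming\dasHost.exe"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    Event(1, EQNEDT, r"C:\Windows\System32\svchost.exe", "EQNEDT32.EXE -Embedding"),  # normal start
    Event(1, PAYLOAD, EQNEDT, "dasHost.exe"),                                          # exploit child
    Event(13, PAYLOAD, "", r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\dasHost"),
    Event(1, r"C:\Windows\System32\schtasks.exe", PAYLOAD, 'schtasks.exe /Create /TN "dasHost" /TR "' + PAYLOAD + '"'),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```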
To protect against such phishing campaigns, users are advised to be vigilant and suspicious of any email that asks for personal or financial information. Phishing emails often try to trick users into giving up their passwords, credit card numbers, or other sensitive information. It is also essential to keep software up to date, as software updates often include security patches that can protect against malware. Using a strong antivirus and anti-malware program, being cautious about clicking on links, and using a spam filter can also help reduce the risk of falling victim to phishing campaigns.
In conclusion, the discovery of a new variant of the Agent Tesla malware in a phishing campaign highlights the ongoing threat of phishing attacks and the exploitation of old vulnerabilities. Users must remain vigilant and take necessary precautions to protect themselves and their devices from such threats.
