Agent Tesla's Added New Tools & Tactics to Its Arsenal

Agent Tesla’s Added New Tools & Tactics to Its Arsenal

The persistent search for money and the threat actors increasingly becoming more sophisticated are driving the alarming rate of malware change.

Every day, new types of malware are created and put into circulation at an unusual speed, using modern tricks to avoid discovery and overcome security systems, while taking advantage of the most recent system vulnerabilities.

Cybersecurity researchers at Trustwave recently identified that the operators of Agent Tesla added new tools and tactics to its arsenal.

To deliver and perform malicious activities that facilitate criminal actions, threat actors necessitate malware loaders.

These loaders use sophisticated evasion techniques to evade security measures and take advantage of different distribution networks.

On March 8th, 2024, a phishing email was identified by SpiderLabs which set off an infection chain resulting in Agent Tesla being deployed.

The infection began when a phishing email posed as a bank payment notification and delivered an obfuscated, polymorphic loader.

To avoid detection, this loader fetched its payload through proxies using different URLs and user agents before executing the Agent Tesla infostealer in memory.

All data was stolen by Agent Tesla which then sent it through hacked email accounts for secret communication purposes.

Infection chain (Source - Trustwave) — Infection chain (Source – Trustwave)

The attack employs a phishing email with a malicious .tar.gz attachment masquerading as a bank payment receipt.

It contains a polymorphic .NET loader that obfuscates and encrypts its configuration data using different decryption routines across variants.

The loader decrypts strings by index-based matching of encrypted data with keys.

It evades detection through techniques like packing, obfuscation, memory permission modifications, and AMSI bypassing.

Key terms reveal it reflectively loads further payloads from a URL specified in the encrypted configuration, reads the report.

To facilitate stealthy payload execution, the loader bypasses AMSI, prepares memory space, and retrieves the payload from a specific URL using a defined user-agent string.

One variant employs an open-source proxy list for obfuscated payload delivery.

The loader extracts the encoded payload from HTML using delimiters, decrypts it via XOR with an embedded key, and reflectively loads the Agent Tesla infostealer into memory by invoking its entry point – all while avoiding disk artifacts for evasiveness.

Agent Tesla is a memory-resident info stealer that conducts keystroke logging, credential theft, and data exfiltration via SMTP, often leveraging compromised email accounts for stealthy communication.

This new Agent Tesla variant employs a .NET loader using deceptive attachment phishing, obfuscation, polymorphic decryption, AMSI bypassing, and reflective loading for evasive payload execution solely in memory.

The versatile loader’s evolution suggests the potential for deploying other malware payloads beyond just Agent Tesla going forward.