Agent Tesla Trojan can evade endpoint protection, Sophos reports
Cybercriminals and threat actors continue to hone a particularly pervasive and nasty Trojan nicknamed ‘Agent Tesla’, with new evidence suggesting that it can now disable endpoint protection before delivering its wares.
Researchers at Sophos have been tracking the evolution of Agent Tesla, which originally surfaced in 2014. It is widely available on criminal marketplaces, and continues to evolve. It is generally spread through spam emails with attachments.
There are currently two versions of the Trojans currently in the wild, both of which are able to steal credentials from email clients, virtual private network clients, software, and web browsers. They can also record screens and capture keystrokes.
But there are also key differences between the two, such as leveraging the Tor anonymising network client, and Telegram messaging API for command and control.
Sophos explains how the Trojan evades endpoint protection:
“The techniques feature a multi-stage process where a .NET downloader grabs chunks of malware from legitimate third-party websites such as pastebin and hastebin – where they are hosted in plain sight – and then joining, decoding and decrypting the chunks to form the loader that carries the malicious payload.”
“At the same time, the malware attempts to alter code in Microsoft’s Anti-Malware Software Interface (AMSI) – a Windows feature that enables applications and services to integrate with installed security products – so that AMSI-enabled endpoint security protection doesn’t work, and the payload can download, install and run without being blocked.”
According to Sophos senior security researcher Sean Gallagher, Agent Tesla is one of the most common Windows-based threats. He says Agent Tesla was one of the top malware families that were delivered by email last year.
“In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners. A variety of attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging and clipboard capture.”
Criminals will continue to update Agent Tesla so that it better evades endpoint and email protection tools.
“The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them," says Gallagher.
Sophos recommends that IT administrators:
- Install an intelligent, security solution that can screen, detect and block suspicious emails and their attachments before they reach users
- Implement the recognised authentication standards to verify emails are what they claim to be
- Educate employees to spot the warning signs of suspicious emails and what to do if they encounter one
- Advise users to double check that emails come from the address and the person they claim to
- Advise users to never open attachments or click on links in emails from unknown senders