As with Netwire, Agent Tesla is an old acquaintance that has kept evolving in recent years. Both threats are classified as remote access tools (RATs) and are used by ordinary criminals as well as by operators linked to one of the many advanced persistent threat (APT) groups. This malware is built on the .NET framework and is used to spy on and steal information from compromised computers: it can extract credentials from a range of software, harvest cookies from web browsers, record keystrokes (keylogging), take screenshots and capture the contents of the clipboard.

This malicious code uses several methods to send the collected information to the attacker. The threat has also been seen wrapped in a packer with multiple layers of obfuscation, intended to evade security solutions and to hinder the investigation and analysis of the malware. Such packers can implement various techniques to gather information about the machine they are running on, for example to find out whether it is a virtual machine or a sandbox, and to abort execution if it is.

One peculiarity of Agent Tesla is that it has long been offered as if it were just another piece of commercial software, complete with subscription plans and a web page from which to buy it and review its features. This malware has also been involved in targeted campaigns.

This threat is usually spread through phishing emails carrying a malicious attachment, which aim to trick the recipient into downloading and executing it. For example, Agent Tesla has been distributed through emails impersonating well-known logistics companies, with an attachment that appeared to relate to a package shipment but was actually malicious content.

Agent Tesla has a range of features that let it perform the malicious actions mentioned above. It contains two classes holding the variables and methods related to its configuration. Its behaviour may vary slightly depending on those configuration classes, but it is mainly capable of the following actions:

▸ Persist on the victim’s machine
▸ Uninstall itself from the machine
▸ Select the method used to exfiltrate the collected information
▸ Obtain the public IP of the victim’s machine
▸ Obtain information about the victim machine (operating system, CPU, RAM, username, etc.)
▸ Take screenshots of the victim’s machine
▸ Run a keylogger
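The delivery path described above (an executable attachment launched from a mail client) and the capability list can be turned into a simple host-level correlation for a detection team. The following script is an added example and is not code from the original post or from any analysis of Agent Tesla itself: it reads constructed JSON-lines telemetry, maps each event to the behaviour it resembles, and scores each host. The event schema, field names, the placeholder domain `ip-lookup.example`, the chosen exfiltration ports and the weights are all assumptions of this example; the post only states that the exfiltration channel is configurable.

```python
import json
import re

# Constructed sample telemetry (JSON lines), not real captures. Field names are
# an assumption of this example; map them onto your EDR or Sysmon export.
SAMPLE_TELEMETRY = r"""
{"host":"ws01","type":"process","image":"C:\\Users\\ana\\AppData\\Local\\Temp\\Shipment_Details.pdf.exe","parent":"OUTLOOK.EXE"}
{"host":"ws01","type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","image":"Shipment_Details.pdf.exe"}
{"host":"ws01","type":"dns","query":"ip-lookup.example","image":"Shipment_Details.pdf.exe"}
{"host":"ws01","type":"api","call":"SetWindowsHookEx","arg":"WH_KEYBOARD_LL","image":"Shipment_Details.pdf.exe"}
{"host":"ws01","type":"network","dport":587,"dest":"mail.exfil.example","image":"Shipment_Details.pdf.exe"}
{"host":"ws02","type":"process","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","parent":"OUTLOOK.EXE"}
{"host":"ws02","type":"network","dport":443,"dest":"update.example","image":"WINWORD.EXE"}
"""

MAIL_CLIENTS = {"OUTLOOK.EXE", "THUNDERBIRD.EXE"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")
# Placeholder list of "what is my public IP" services; constructed for the example.
IP_LOOKUP_DOMAINS = {"ip-lookup.example"}
# Example exfiltration ports (FTP, SMTP, SMTP submission); an assumption, since
# the post only says the channel is chosen by configuration.
EXFIL_PORTS = {21, 25, 587}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)

# Hypothetical weights for the additive score.
WEIGHTS = {
    "delivery": 3,      # executable spawned by a mail client from a user-writable path
    "persistence": 2,   # autorun registry entry written
    "public_ip": 1,     # lookup of the machine's public IP
    "keylogger": 3,     # low-level keyboard hook installed
    "exfiltration": 3,  # direct FTP/SMTP from a process that is not a mail client
}


def classify(event):
    """Map one telemetry event to the capability it resembles, or None."""
    kind = event.get("type")
    image = event.get("image", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1]
    if kind == "process":
        parent = event.get("parent", "").upper()
        if (parent in MAIL_CLIENTS
                and basename.lower().endswith(EXECUTABLE_EXT)
                and USER_WRITABLE.search(image)):
            return "delivery"
    elif kind == "registry":
        if "\\currentversion\\run" in event.get("key", "").lower():
            return "persistence"
    elif kind == "dns":
        if event.get("query", "").lower() in IP_LOOKUP_DOMAINS:
            return "public_ip"
    elif kind == "api":
        if (event.get("call") == "SetWindowsHookEx"
                and event.get("arg", "").startswith("WH_KEYBOARD")):
            return "keylogger"
    elif kind == "network":
        if event.get("dport") in EXFIL_PORTS and basename.upper() not in MAIL_CLIENTS:
            return "exfiltration"
    return None


def correlate(telemetry_text):
    """Group matched behaviours per host; each category counts once toward the score."""
    findings = {}
    for line in telemetry_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        category = classify(event)
        if category is None:
            continue
        host = findings.setdefault(event["host"], {"categories": set(), "score": 0})
        if category not in host["categories"]:
            host["categories"].add(category)
            host["score"] += WEIGHTS[category]
    return findings


if __name__ == "__main__":
    for host, result in sorted(correlate(SAMPLE_TELEMETRY).items()):
        print(host, result["score"], sorted(result["categories"]))
```

On the constructed data, `ws01` matches all five behaviours and scores 12, while `ws02` (Outlook opening a Word document that then talks HTTPS) produces no findings, which is the point of requiring a user-writable path for the delivery rule: a mail client spawning Office is routine, a mail client spawning an executable out of the Temp folder is not.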

This is why security companies, ourselves included, keep insisting that you should not trust everything you see on the Internet, such as emails, advertisements, news or links, since any of them may be intended for malicious purposes.
