Malware is often on the lookout for newer ways to sneak and evade security. One such malware is Agent Tesla. It is an information stealer and Remote Access Trojan (RAT) active since 2014. It remained as one of the most widespread threats to Windows users. Cybercriminals often leverage Agent Tesla malware to steal user login credentials and other sensitive information from victims via screenshots, keyboard logging techniques, and clipboard capture.
Research published by cybersecurity firm Sophos details the latest evasion techniques of how the Agent Tesla operators disable endpoint protection before they install the malware and payloads.
Agent Tesla’s New Capabilities
Sophos stated that threat actors behind Agent Tesla are using a multi-stage process where a .NET downloader takes large chunks of malware from legitimate third-party websites like pastebin and hastebin. The attackers then join, decode, and decrypt the chunks to form the loader that carries the malicious payload.
In addition, the malware alters the code in Microsoft’s Anti-Malware Software Interface (AMSI) to disable endpoint security protection and install the malware without being blocked. AMSI service enables applications and services to integrate with installed security products.
Sean Gallagher, senior threat researcher at Sophos, said, “Agent Tesla malware has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners. The most widespread delivery method for Agent Tesla is malicious spam.”
Remediation Measures
- Install an intelligent, security solution that can screen, detect, and block suspicious emails and their attachments before they reach users.
- Implement the recognized authentication standards to verify emails as what they claim to be.
- Educate employees to spot the warning signs of suspicious emails and what to do if they encounter one.
- Advise users to double-check the emails that come from the address and the person they claim to be.
- Advise users to never open attachments or click on links in emails from unknown senders.
“Sophos believes that cybercriminals will continue to update the malware and modify it to evade endpoint and email protection tools. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them,” Gallagher added.
