Agent Tesla has been undergoing continuous improvements, and its operators have now established a new benchmark. The newest variants of Agent Tesla can target scanning and analysis software designed to prevent malware infections from taking hold.

About the variants

According to Sophos researchers, Agent Tesla operators have been targeting Microsoft's Antimalware Scan Interface (AMSI) to degrade its defenses and remove endpoint protection at the point of execution.
  • The two new variants, labeled Tesla 2 (v2) and 3 (v3), add enhanced obfuscation and target an increased number of applications for credential theft, such as Opera, Chromium, Chrome, Firefox, OpenVPN, and Outlook.
  • In addition, the new variants give operators the option to use the Tor client and Telegram's messaging API when connecting to C2 servers.
  • A full deployment of the malware enables an attacker to take screenshots, log keyboard input, steal data saved on clipboards, and grab credentials from apps, browsers, email clients, and others.

Agent Tesla thriving

Agent Tesla operators have been making steady progress with the malware, both in its capabilities and in the number of targeted victims.
  • According to Sophos researchers, in December 2020, Agent Tesla payloads accounted for approximately 20% of all malicious email attachments.
  • In the same month, the malware got an update with expanded targeting and improved data exfiltration capabilities, including the ability to scoop up credentials for web browsers, emails, VPNs, and other services.


The new Agent Tesla versions appear to be focused on improving the malware's success rate against malware defenses and scanners, and on providing more C2 options to the operators. Such consistent updates and updated strains have helped Agent Tesla remain among the top malware families.

Cyware Publisher