Behind the Code: Deciphering the Evolution of Agent Tesla Malware
Research and Analysis • May 30, 2024
Origin: 2014
Aliases: Tesla Agent, ATesla, TeslaKey, OriginLogger
Targeted Sectors: Financial Services, Healthcare, Manufacturing, Retail, Information Technology, Automotive, Travel
Targeted Countries: United States, United Kingdom, Germany, India, Australia, Italy, Spain, Canada
Motivation: Financial Gain, Espionage
Common Infection Vectors: Malicious attachments, Phishing, Exploit kits, Steganography, Living-off-the-Land
Agent Tesla is a .NET-based RAT with keylogging and data-stealing capabilities, first detected in 2014. Though it initially gained popularity as a means of providing initial access to adversaries, it rose to prominence in 2016 as a prevalent information-stealing malware, facilitating cyber espionage and data theft. Six years later, a 2022 cybersecurity report ranked Agent Tesla the 6th most prevalent malware variant of 2021, affecting an estimated 4.1% of corporate networks; at that time it was also the second most common info-stealer globally, behind only Formbook.
Using Agent Tesla, malicious actors have been conducting espionage to steal intellectual property and perpetrate financial fraud on a global scale. Most recently, it was seen carrying out major operations against private organizations and government agencies in the U.S. and Australia.
Originally advertised on a Turkish website as a RAT for personal computer monitoring, Agent Tesla boasted capabilities to compile passwords, monitor keystrokes, and elude detection by endpoint antivirus software. Its website (now defunct) introduced a tiered customer support system in 2016. The site also provided web panels to access data from infected endpoints. However, legal issues and Cloudflare's ban on their IP addresses ceased the Web Panel service in September 2016. Consequently, customers began hosting their own Web Panels.
As cybercriminals started conducting COVID-19-themed phishing attacks, the RAT experienced a significant increase in usage throughout the second half of 2020, as well as in the first half of 2021. Office documents containing macros and malicious .rtf files leveraging CVE-2017-11882 were utilized as vectors to deploy and activate the keylogger.
Over the years, Agent Tesla underwent several iterations, with each version introducing new features and enhancements to evade detection and improve effectiveness. With that said, let’s find out how Agent Tesla operates in the wild and continues to be a persistent threat.
Agent Tesla, offered as Malware-as-a-Service (MaaS), operates with multifaceted Tactics, Techniques, and Procedures (TTPs), posing a substantial threat to victims. As first-stage malware, it provides remote access to a compromised system that is then used to download more sophisticated second-stage tools, including ransomware.
Stage one: Initial infection and unpacking
Agent Tesla infiltrates systems through various vectors, including malicious email attachments, phishing campaigns, and exploit kits. Once activated, the malware employs various advanced techniques to compromise victim systems and exfiltrate sensitive information.
Agent Tesla's infection process begins with a packed PE file or a .NET executable. Initially, the malware decodes a substantial chunk of data before progressing to the second stage. This often involves replacing specific characters to construct an array, which is executed in the next stage. The initial executable is heavily obfuscated, with method names and strings concealed, making static analysis challenging.
Stage two: Evasion and information gathering
Once the second stage is initiated, the RAT performs checks to determine if it is running in a debugger to avoid detection by security analysts. If deemed safe, it gathers detailed information about the infected system, such as the MAC address, processor information, and motherboard serial number, which is then sent back to the attacker.
The second stage relies heavily on a large encoded byte array, decoding required commands and data on the fly to avoid detection. For instance, it decodes FTP commands from this array to upload stolen data to remote servers.
Multi-layered obfuscation and decryption techniques
Agent Tesla frequently updates its evasion techniques, adapting to evolving security measures and enhancing its stealth capabilities. To evade detection, the RAT utilizes methods such as packing, obfuscation, memory permission modifications, and AMSI bypass. Its obfuscation techniques include code encryption, polymorphism, and anti-analysis tricks.
The first stage DLL, a .NET compiled module, uses techniques like character replacement (e.g., “@” for “000”) to evade signature-based detection. It also utilizes steganography, embedding PE files within images to extract the second stage DLL.
The second stage involves further decryption routines, often using XOR operations with various keys, to unveil the final payload. This payload is heavily obfuscated to hinder analysis, with UTF-8 encoded function names adding another layer of complexity.
Agent Tesla has enhanced its capability to bypass sandbox technologies, evolving from solely utilizing SMTP for communication to facilitating communication through HTTP, FTP, and Telegram.
Another stealthy technique of the RAT involves randomizing strings in its source code so the payload’s signature cannot be easily compared to previous versions.
Payload delivery and execution
Upon decryption, the final payload is loaded into memory and executed. This stage includes code injection techniques like process hollowing, where the malware injects its code into legitimate processes to hide its presence and execute malicious activities.
Data collection and exfiltration
Agent Tesla’s primary objectives include keylogging, and stealing financial information, clipboard data, and browser credentials. It can steal credentials from over 55 applications including web browsers, VPN applications, FTP applications, and mail clients. Credentials stolen from web browsers are further used to compromise user accounts and extract other more sensitive information.
System Information: Computer name, TCP hostname, DNS client, and domain details.
Browser Data: Checks for browser directories, collects files and folders, and extracts login data, cookies, and profiles.
Keylogging: Captures keystrokes, clipboard data, and takes screenshots.
Credentials: Steals FTP credentials, VPN configurations, and email passwords by inspecting specific directories and registry entries.
Once the malware has retrieved all available credentials and other assorted data from a victim’s machine, it sends this information over email/SMTP protocol using a hardcoded port 587. The stolen data is encrypted before being sent to the command and control (C2) server, ensuring secure communication. Agent Tesla operators often use the TOR network to anonymize their connections.
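The exfiltration channels named in this article (SMTP on port 587, plus the FTP and Telegram channels added in later versions) lend themselves to a simple detection pass over endpoint network events. The code below is an added example, not part of the original article; the event field names, the allow-list of mail clients and the sample log lines are constructed assumptions.

```python
# Added example: flag outbound connections matching the exfiltration
# channels the article describes. Event schema and sample lines are
# constructed (loosely modelled on Sysmon network events), not real logs.
import json
from typing import List, Optional, Tuple

# Assumed allow-list: processes expected to speak SMTP submission on 587.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def classify(event: dict) -> Optional[str]:
    """Return a verdict string for a suspicious event, or None if benign."""
    proc = event["image"].rsplit("\\", 1)[-1].lower()
    port = int(event["dst_port"])
    host = event.get("dst_host", "").lower()
    if port == 587 and proc not in MAIL_CLIENTS:
        return "smtp-587-from-non-mail-process"
    if port == 21 or host.startswith("ftp."):
        return "ftp-upload-channel"
    if host == "api.telegram.org":
        return "telegram-bot-api"
    return None


def flag_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse JSON lines and return (process, verdict) pairs for suspicious ones."""
    hits = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event["image"], verdict))
    return hits


# Constructed sample events: one benign mail client, three suspicious senders.
SAMPLE_LOG = [
    '{"image": "C:\\\\Program Files\\\\Outlook\\\\outlook.exe", "dst_host": "mail.corp.example", "dst_port": 587}',
    '{"image": "C:\\\\Users\\\\u\\\\AppData\\\\Roaming\\\\invoice.exe", "dst_host": "mail.host.example", "dst_port": 587}',
    '{"image": "C:\\\\Users\\\\u\\\\AppData\\\\Roaming\\\\invoice.exe", "dst_host": "ftp.host.example", "dst_port": 21}',
    '{"image": "C:\\\\Windows\\\\Temp\\\\svc.exe", "dst_host": "api.telegram.org", "dst_port": 443}',
]

if __name__ == "__main__":
    for image, verdict in flag_events(SAMPLE_LOG):
        print(f"{verdict}: {image}")
```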
Exploiting legitimate services and persistence
Agent Tesla leverages legitimate services and techniques to remain undetected and persist on infected systems:
Open Redirects: Utilizes legitimate websites' vulnerabilities to redirect users to malicious sites.
Living-off-the-Land: Employs native system tools like Windows BITS for downloading malicious files.
Resource Exploitation: Embeds malicious resources within seemingly benign files to execute payloads covertly.
Agent Tesla has been extensively used by a myriad of cybercriminal groups to target various sectors, including finance, retail, travel, energy, and healthcare. Costs of its attacks vary widely, encompassing financial losses, reputational damage, and regulatory fines. Listed below are some of its well-known campaigns.
Global credential theft campaign (2020): Agent Tesla was used to steal thousands of credentials from various industries, including manufacturing, logistics, and retail, through phishing emails containing malicious attachments.
COVID-19 themed phishing campaign (2020): Attackers exploited the pandemic by sending phishing emails with COVID-19-related information to steal the personal and financial information of thousands of individuals.
Energy sector attack (2021): Agent Tesla targeted companies in the energy sector, exploiting vulnerabilities in outdated software to deploy the malware and extract sensitive operational data.
Mass email/spam campaign (2022): Mass malicious email campaigns mimicked real companies' communication styles, deploying Agent Tesla malware to steal sensitive data.
Travel industry attack (2024): An attack campaign was observed utilizing poisoned PDF files disguised as hotel reservation inquiries from Booking[.]com to propagate the Agent Tesla RAT.
Financial Services (2024): Financial institutions were hit by Agent Tesla through spear-phishing campaigns, resulting in the theft of banking credentials and financial data from the institutions and their clients.
Australia and U.S. organizations: Australian and American organizations were targeted by the Agent Tesla RAT to exfiltrate sensitive information from compromised systems. The threat actors Bignosa and Gods (of African origin) were involved.
Agent Tesla's operational sophistication and widespread distribution underscore its status as a significant cybersecurity threat that needs to be curbed. Organizations are recommended to maintain updated endpoint security solutions, provide continuous security training to employees, and use strong password policies. Implementing a reliable spam filter and conducting regular network audits can help prevent and detect Agent Tesla infections.
More importantly, the rapidly evolving malware threat landscape necessitates real-time detection and response. To defend systems against malware threats like Agent Tesla, Cyware offers a robust suite of threat intelligence and automated response platforms designed to provide comprehensive protection through advanced threat analysis and collaborative defense mechanisms. Cyware’s platforms, such as Intel Exchange and Respond, provide real-time threat intelligence and automated incident response. By continuously ingesting and analyzing threat data, they ensure timely detection and mitigation of malware, reducing response times and proactively mitigating any damage caused by the threat actor.
Agent Tesla is a prevalent malware that orchestrates spear-phishing campaigns to pilfer sensitive data like credentials and financial information. Mitigation strategies include updated security tools, staff training, and robust network defenses. Proactive measures such as threat hunting and incident response planning are crucial for maintaining a strong security posture against the adaptive nature of Agent Tesla and similar threats in the cyber landscape. Cyware’s platforms have proven to defend effectively against such malware threats.
SMTP Exfiltration
Sender email: merve@temikan[.]com[.]tr
Receiver email: frevillon[.]acsitec@proton[.]me
Download URLs
hxxps[://]artemis-rat[.]com/get/65f0e7dd5b705f429be16c65
hxxps[://]artemis-rat[.]com/get/65eb0afe3a680a9851f23712
Proxy Servers
hxxps[://]github[.]com/TheSpeedX/PROXY-List/blob/master/hxxp[.]txt
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, killer Gecko) Chrome/58.0.3029.110 Safari/537.3