Agent Tesla: A Longtime Trojan Spy - TrendTIC

Santiago, June 17, 2022 – The government CSIRT (csirt.gob.cl) reported a RAT (or Remote Access Trojan) type malware, called Agent Tesla, primarily aimed at stealing information from its victims.

The remote access Trojan considers several layers of obfuscation, which makes it difficult to detect (for example, the malware can know if it is open in a sandbox and avoid its attack) and also deploys techniques to be a persistent threat, all characteristics that explain its great popularity, known since 2014.

This is how various campaigns have been identified that use this malware through its dissemination through e-mails, taking advantage of the current contingency, such as the invasion of Ukraine by Russia or previously through fake e-mails from DHL in Spanish.

Once deployed, Agent Tesla performs many spying operations on a computer:

  • Record what is typed (keylogging).
    • Take screenshots.
    • Go copy what’s in the clipboard.
    • It steals passwords and cookies from several programs, including:
      • Dozens of web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox and Opera.
      • VPNs like OpenVPN and NordVPN.
    • It collects information such as computer name, operating system, CPU, RAM, TCP hostname, DNS client, public IP address, domain etc.

After taking this information, the malware leaks it to the cybercriminal, a communication that remains anonymous using a TOR client. Likewise, it communicates with your command and control server. You can also communicate with the attacker via the SMTP messaging protocol, or even Telegram.

Another feature of Agent Tesla is its ability to join the registry as a startup program to establish its persistence, as the RAT starts every time the computer is restarted.

Its deployment is mainly through phishing emails, which bring attachments of all kinds, including the most traditional ones, such as compressed files, executables and Office documents. They can also be downloaded via torrent, fake web pages or malicious advertisements containing the Trojan.

Often the deception is, ironically, the offer of a security update or program. It is important to always download our updates from official sites of software providers.

To address this threat, the CSIRT government recommends the following actions:

  • Keep all your programs up to date, especially anti-virus, anti-malware, firewalls and other security software, while maintaining a regular patch schedule.
  • Reinforce all the protections we must have against phishing, mainly by never clicking on links in unsolicited emails, texts or social networks.
    • Check that the message is from the person who claims to be coming and if in doubt, call the sender directly to find out if the message is real.
    • Pay attention to the file extension. The last part is what determines what type of file it is. If it says .pdf .exe, for example, that means it’s an executable file.
    • You also don’t enter your credentials on a site opened from a link. It is best to directly open the desired page by typing its address in the browser.
  • Do not download suspicious files, such as pirated movies or games.
  • Disable macros in documents that arrive via email.

Avoid giving users administrator privileges and only access computers as an administrator for as long as necessary. Avoid opening documents when logged in as an administrator.


#Agent #Tesla #Longtime #Trojan #Spy #TrendTIC

Leave a Reply

Your email address will not be published.