The same distribution methods have prevailed, and recently discovered samples have been distributed using spam emails and malicious attachments. There has been a recent resurgence in Agent Tesla samples in the wild, despite it previously having been reported to be on the decline and no longer for sale. This protocol is often used because there is limited overhead required by the attacker, as the threat actor only needs a single compromised email account to accomplish their malicious activities:įigure 40: Utilization of the Tor proxy. This observed sample uses SMTP as its form of exfiltration. After we decoded it, we were able to observe it statically to understand its inner workings and capabilities, such as the SMTP form of exfiltration as seen in the image below (Figure 20).
#Free ftp client for blackberry code#
This can hide the malicious code and its true intentions when it is run in a malware sandbox. (Version 3 only)Īgent Tesla is heavily obfuscated to avoid initial static analysis steps. Upload data to a malicious controlled FTP server.Įxfiltrate data via maliciously setup Telegram chat rooms. Sends compromised data to web panel operated by malicious actors. Though the information-stealing capabilities operate in a similar manner across all forms of communication, the way data is exfiltrated can vary depending on both version of the malware and configuration of a specific sample:Ĭompromised email accounts are utilized to exfiltrate information to a mail server operated by malicious actors. Most Agent Tesla samples abuse SMTP as their desired communication method. It abuses the popular Instant Messenger (IM) Telegram to communicate with its Command and Control (C2) infrastructure. In Version 3 of the malware, Agent Tesla added an additional form of communication. The threat actor selects this configuration when building a new malicious sample. Communicationīoth Version 2 and Version 3 of Agent Tesla can be configured to communicate over HTTP, SMTP, and FTP. Once deployed on a victim’s device, the malware will initially fingerprint the device to confirm infection, sending this information back to its Command and Control (C2) before carrying out its large magnitude of malicious information stealing capabilities.įigure 19: Network capture of initial SMTP communication. This large degree of flexibility is another reason why the malware is still such a prevalent threat, even years after its initial release. This malware has been observed dropping from weaponized documents that contain a malicious payload that downloads Agent Tesla, or it may deploy itself via an executable email attachment. These lure attachments can differ greatly with the aim of generating a click by a potential victim and initiating its malicious payload. Email attachment is its most common deployment vector. Infection VectorĪgent Tesla can be dropped onto a victim’s machine in a wide array of ways.
This latter version also provides the option to use a Tor client to encrypt communications. Recent variants of Agent Tesla version 3 have been seen abusing the chat platform Telegram. In version 3, each encrypted string has its own function, which makes reverse engineering these static strings more difficult.īoth versions of the malware can communicate over HTTP, SMTP, and FTP. In version 2, a single function decrypts all the strings and allows them to be executed. Version 3 – Additional customization options, advances in obfuscation and further functionality.īoth variants have varying levels of obfuscation.Version 2 – First released version of the malware, with a focus on obfuscation and anti-analysis.Paying users would get a sophisticated graphical user interface and a dashboard for management of victim devices, providing ease-of-use for even the most novice of threat actors.Ĭurrently, there are two prominent variants of Agent Tesla still found in-the-wild:
This website offered cybercriminals and threat actors flexible pricing options and fixed term licenses to use the malware. Malware-as-a-ServiceĪgent Tesla was first available for purchase from an official website agentteslacom.
Due to its prevalence, ready availability, and highly sophisticated nature, Agent Tesla has a high impact rating.
0 kommentar(er)
