Across the cyber industry one notion rings truer than most: Threat actors are getting smarter, and we need to do something about it. The goal is to build a world in which cyber security analysts can be confidently proactive, instead of reacting to emerging threats. This very issue is the same reason why both threat intelligence and automation have been top of mind for cyber security leaders since intrusion detection systems (IDS) came to life. However, the birth of IDS technology was a mere hurdle for more savvy threat actors. They found ways to layer, obfuscate, and live off native computer processes, all in order to defeat and evade the myriad of security tools we depend on today. Agent Tesla happens to be one of these sophisticated tools. Being marketed and sold on its own website, the malware has been made widely available to individuals of all technical skill or lack thereof.
A look back: How Agent Tesla has risen in popularity
It’s no surprise why Agent Tesla has grown so popular in the eyes of threat actors. The ease of use setting up the malware is as simple as checking off boxes on a GUI (graphical user interface). The “official” purchase website has a full tech support team to help you with any and all utilization questions. All marketing of the malware claims that it is a keylogger meant for personal usage only. The malware’s creator (who is thought to be a young man from Antalya, Turkey named Mustafa can Ozaydin) publicly states that the Agent Tesla software should only be used to monitor the buyer’s personal computer. However, both the purchase website and customer service platform have been sighted providing instructions on how to best exploit vulnerabilities and avoid antivirus software.
Agent Tesla is purchased on a monthly subscription format, with four different tiered configurations: Bronze, Silver, Gold, Platinum, each providing different levels of capabilities and customer service. Upon subscribing, users gain access to a dashboard and, with a few clicks, customize what information the malware targets and how the data is exfiltrated.
It is worth noting that after Krebs on Security published an article on Agent Tesla in 2018, the sellers of the malware appear to have either grown flustered or scared, and updated their site stating they “would be suspending sales of the product for a while and banning users found to use Agent Tesla ‘inappropriately.’” As this statement was made within October 2018, It appears that Agent Tesla is back to its old ways. Beginning on June 10th, 2019, Agent Tesla has consistently ranked as one of the top 3 trending malware. However, it has recently been ranking consistently at the number one spot. From what we know about the malware, we can infer that this is due to its usage within COVID-19 phishing campaigns. The nature of the malware makes it perfect for opportunistic threat actors looking to take advantage of panicking business within the healthcare, government, and finance sectors.
A closer look at Agent Tesla
In order to defend your enterprise from this ongoing threat, knowledge is one of your best lines of defense. Recent research has identified Agent Tesla being delivered within email attachments by the names of “COVID 19 NEW ORDER FACE MASKS.doc.rtf”, “COVID-19 Supplier Notice.zip” or something along those lines. When a user clicks to download the file, the malware can execute within the impacted device without additional user interaction. Specifically, Agent Tesla is a remote access trojan (RAT) written in .Net. If an attacker is able to fully deliver this RAT onto your device, they will have achieved full computer and network access. The tool specializes in stealing credentials, sensitive information, and keystrokes.
Even more worrisome, it possesses form-grabbing capabilities, allowing it to avoid HTTPS encryption. Form-grabbing lets Agent Tesla pull information directly from a web form before it is passed through the internet. This capability also can snag inputs from virtual keyboards, autofill, and copy or paste if configured to do so. Recent Agent Tesla campaigns have exploited Microsoft Office vulnerabilities residing within Microsoft Office’s inability to properly handle objects in memory securely. Analyzing the capabilities of Agent Tesla, it is clear why we are seeing this impact the healthcare, government, and finance sectors.
The attack sequence looks like the following:
A victim receives a phishing email with a title that entices the user to open the message. Within the message, an attachment resides by the name of “COVID 19 NEW ORDER FACE MASKS.doc.rtf”. The naming scheme suggests that it is just a Microsoft Office document, but it is actually an RTF file that exploits CVE-2017-11882, which is a stack-based buffer overflow vulnerability present in the Microsoft Equation editor tool. This vulnerability allows the attacker to run arbitrary code and after successful exploitation, deliver the Agent Tesla payload. This dropped payload performs code injection, impacting a known windows process by the name of RegAsm.exe. The injected code in RegAsm.exe performs all info-stealing activity and sends it to the command and control server.
How to protect your enterprise from Agent Tesla
These opportunistic threat actors do not appear to be on the verge of slowing down or stopping any time soon. The current social climate is too vulnerable of an environment for attackers to not make attempts at compromising key enterprises. Due to the nature of this threat, the following mitigation procedures should be quickly implemented:
- Patch CVE 2017-1182 and CVE 2017-8570.
- Train users to recognize and avoid the phishing techniques likely to spread Agent Tesla.
- Train users to identify files with double extensions i.e. “.doc.rtf”.
- Implement role-based access control to prevent the compromise of a single admin or privileged user’s device from being able to spread and infect more critical systems.
In addition, having the ability to quickly detect, investigate, mitigate, and report on risk are essential security actions to protect your organization from these types of threats. As attacks like Agent Tesla are growing continually more complex, it is essential to ensure your enterprises security devices are working at maximum efficiency. We can see by looking at Agent Tesla there are multiple key opportunities for security teams to catch and prevent malware. Tools such as email security, windows security, antivirus, firewalls, and IDS/IPS can help identify a potential compromise; however, these tools possess limited native integration and correlation capabilities. A scattered security architecture creates limited visibility, which leads to the type of blind spots hackers love to exploit.
Eliminate blind spots and increase visibility into threats with ReliaQuest GreyMatter
ReliaQuest GreyMatter integrates and normalizes data from disparate technologies including SIEM, EDR, multi-cloud, and point tools, on demand, so you always have a unified view to immediately and comprehensively detect and respond to threats from across your environment all within the GreyMatter UI.
Get the most of your threat intelligence for higher fidelity detection and response. Read the white paper for more information!