A long-running remote-access tool has been rejuvenated with up-to-date evasion and obfuscation tactics to sneak through modern gatekeepers.
Can a seven-year-old RAT (Remote Access Tool) still be harmful to networks today? New research says that you can still teach old rats new tricks.
The RAT in question, Agent Tesla, is a widely used information stealer that has been known since 2014. Attackers generally distribute the malware as an attachment to malicious spam emails.
However, researchers have found that the latest variants contain new evasion techniques that let attackers disable endpoint protection before delivering the malware, then install and execute the payload.
Two versions of Tesla
According to Sophos, which published its research into Agent Tesla, the new techniques feature a multi-stage process in which a .NET downloader grabs chunks of the malware from legitimate third-party websites such as Pastebin and Hastebin, where they are hosted in plain sight, and then joins, decodes and decrypts the chunks to form the loader that carries the malicious payload.
At the same time, the malware attempts to alter code in Microsoft’s Antimalware Scan Interface (AMSI), a Windows feature that lets applications and services hand content to installed security products for scanning, so that AMSI-based endpoint protection no longer works and the payload can be downloaded, installed and run without being blocked.
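The reassembly step described above, as an added example that is neither Sophos's code nor the sample's own: an offline Python helper that joins fetched pastes in order, decodes and decrypts them, and checks whether the result is PE-shaped before an analyst does anything else with it. The encoding scheme (base64 text split across pastes, then a single-byte XOR), the key, and the payload bytes are all assumptions constructed for illustration; the page does not give the real downloader's encoding.

```python
import base64
import hashlib

# ASSUMED scheme for illustration: the loader concatenates several pastes of
# base64 text, decodes them, then XORs every byte with one key. The real
# Agent Tesla downloader's encoding is not given on this page.
XOR_KEY = 0x5A  # assumed key; in a real case it is recovered from the downloader


def reassemble(chunks, key=XOR_KEY):
    """Join the fetched pastes in order, base64-decode, then XOR-decrypt."""
    joined = "".join(c.strip() for c in chunks)
    decoded = base64.b64decode(joined, validate=True)  # reject stray characters
    return bytes(b ^ key for b in decoded)


def looks_like_pe(blob):
    """Cheap sanity check: DOS 'MZ' stub and an e_lfanew that points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyse(chunks, key=XOR_KEY):
    """Rebuild the blob and report what an analyst wants before going further."""
    blob = reassemble(chunks, key)
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "pe": looks_like_pe(blob),
    }


# --- constructed test data (not a real sample) -------------------------------

def constructed_payload():
    """A PE-shaped placeholder: 'MZ' stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80.
    It is not an executable; it only exercises the checks above."""
    blob = bytearray(b"MZ") + bytearray(0x3A)
    blob += (0x80).to_bytes(4, "little")
    blob += bytes(0x80 - len(blob))
    blob += b"PE\x00\x00" + bytes(20)
    return bytes(blob)


def make_constructed_chunks(payload, key=XOR_KEY, chunk_len=32):
    """Inverse of reassemble(): splits the encoded text into paste-sized pieces."""
    encoded = base64.b64encode(bytes(b ^ key for b in payload)).decode()
    return [encoded[i:i + chunk_len] for i in range(0, len(encoded), chunk_len)]


if __name__ == "__main__":
    pastes = make_constructed_chunks(constructed_payload())
    print(f"{len(pastes)} pastes ->", analyse(pastes))
```

The point of `looks_like_pe` is that a wrong chunk order or key produces garbage rather than an "MZ" header, so the check fails closed; in practice the hash from `analyse` is what gets compared against threat-intel feeds before the blob is ever executed in a sandbox.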
Two versions of these more capable RATs are currently circulating. Both feature recent updates, including an expanded list of applications targeted for credential theft: web browsers, email clients, virtual private network clients and other software that stores usernames and passwords. The Agent Tesla variants can also capture keystrokes and record screenshots.
However, differences between the two versions show how attackers have recently evolved the RAT by employing several kinds of defense evasion and obfuscation to avoid detection. These include options to install and use the Tor anonymizing network client, use of the Telegram messaging API for command-and-control communications, and the targeting of Microsoft’s AMSI.
According to the firm’s senior security researcher, Sean Gallagher, Agent Tesla malware has been active for more than seven years, yet it remains one of the most common threats to Windows users. It has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners. A variety of attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging and clipboard capture.
“The most widespread delivery method for Agent Tesla is malicious spam. Sophos believes that cybercriminals will continue to update the malware and modify it to evade endpoint and email protection tools. The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify all attachments before opening them,” Gallagher said.
Email security checklist
Readers are advised to have in place an intelligent security solution that can screen, detect and block suspicious emails and their attachments before they reach users. Also, implement the recognized email authentication standards (SPF, DKIM and DMARC) so that the receiving mail server can verify that messages really come from the domain they claim to.
Employees need to be constantly educated and reminded to spot the warning signs of suspicious emails and what to do if they encounter any.
To catch business email compromise attempts, users should always double-check that any important email originated from the correct official address (and not a spoofed look-alike or homograph domain) and really came from the person in question.
Finally, never open attachments or click on links in emails from unknown or unverified senders.
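One way to automate the checklist above, as an added Python example that is not from Sophos or this article: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header that the organization's own receiving mail server stamped (ignoring any copy a sender added), compares the From domain with the expected official one, flags punycode or non-ASCII look-alike characters in the sender domain, and notes a Reply-To that points somewhere else. The two messages, the server name mx.example.com and the domain example.com are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Only the Authentication-Results header stamped by OUR receiving MTA counts;
# a sender can add one of their own. The authserv-id is the first token
# before the ';' (RFC 8601). Both names below are assumed for the example.
TRUSTED_AUTHSERV = "mx.example.com"   # assumed name of our own MTA
EXPECTED_DOMAIN = "example.com"       # assumed domain of the "official" sender


def auth_results(msg, trusted_authserv=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts from the trusted MTA's header only."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0] != trusted_authserv:
            continue  # forged or foreign header: ignore it
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results[m.group(1)] = m.group(2).lower()
    return results


def homograph_risk(domain):
    """Flag punycode labels (xn--) or non-ASCII letters that can mimic Latin ones,
    e.g. Cyrillic 'а' (U+0430) in place of Latin 'a'."""
    if any(label.startswith("xn--") for label in domain.lower().split(".")):
        return True
    return any(ord(ch) > 127 for ch in domain)


def check_message(raw, trusted_authserv=TRUSTED_AUTHSERV, expected_domain=EXPECTED_DOMAIN):
    """Return a list of findings; an empty list means the headers look clean."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    findings = []
    if from_domain != expected_domain:
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r}")
    if homograph_risk(from_domain):
        findings.append("From domain contains punycode or non-ASCII look-alike characters")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    for mech, verdict in auth_results(msg, trusted_authserv).items():
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


# Constructed messages (not real mail). Headers are kept on one line for brevity.
GOOD_MSG = """From: CFO <cfo@example.com>
To: ap@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Q3 numbers

Attached.
"""

# Cyrillic 'а' in "ex\u0430mple", a free-mail Reply-To, failing DKIM/DMARC
# verdicts from our MTA, and a forged "all pass" header appended by the sender.
BAD_MSG = """From: CFO <cfo@ex\u0430mple.com>
To: ap@example.com
Reply-To: cfo.example@freemail.example
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.example; dkim=fail header.d=bulk.example; dmarc=fail header.from=ex\u0430mple.com
Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass
Subject: Urgent wire transfer

Pay now.
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        print(name, check_message(raw) or ["clean"])
```

The forged second Authentication-Results header in the bad message is why the check keys on the authserv-id: a gateway that trusts any such header can be talked into reporting dmarc=pass by the attacker. A compromised legitimate account, which the article notes is a common Agent Tesla sender, will pass all three checks, so this filter narrows the problem but does not replace attachment scanning and user caution.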