The Agent Tesla remote access trojan (RAT) has adopted new delivery and evasion techniques to get around defenses and monitor its victims. It also employs a multi-stage installation process and uses Tor and the Telegram messaging API to communicate with its command-and-control (C2) server. Two versions of Agent Tesla, version 2 and version 3, are currently circulating in the wild. Agent Tesla's constant evolution is intended to make sandbox and static analysis harder, to raise the malware's success rate against sandbox defenses and malware scanners, and to give its attacker customers more C2 options.
Additional features have been incorporated over time that allow it to monitor and collect the victim’s keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.
Agent Tesla now attempts to tamper with the code of the Windows Antimalware Scan Interface (AMSI) so that the malicious payloads fetched by its first-stage downloader are not scanned. That downloader retrieves obfuscated, base64-encoded code from Pastebin (or Hastebin), which serves as the loader for the Agent Tesla malware itself.
Furthermore, to achieve persistence, the malware copies itself to a folder and sets that folder's attributes to "Hidden" and "System" so that it is concealed from view in Windows Explorer. The email accounts used to spread Agent Tesla are frequently legitimate accounts that have been compromised.
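The persistence trick above leaves a hunt-able trace: a directory under a user profile carrying both the Hidden and System attributes and containing an executable. The following PowerShell hunt is an added example written for this article, not code from the original report or from any vendor; the profile root, the excluded well-known system folders and the output format are assumptions.

```powershell
# Added example: hunt for user-profile directories marked both Hidden and System
# (the combination Agent Tesla sets on its persistence folder) that hold executables.
# Assumptions: scanning all local profiles under C:\Users; a few legitimate Windows
# folders that legitimately carry these attributes are excluded.
$profileRoot = 'C:\Users'
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$excluded = @('AppData\Local\Application Data', 'AppData\Local\Temporary Internet Files',
              'AppData\Local\History', 'Local Settings', 'Application Data', 'My Documents',
              'Cookies', 'NetHood', 'PrintHood', 'Recent', 'SendTo', 'Start Menu', 'Templates')

Get-ChildItem -Path $profileRoot -Directory -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        # both bits must be set, not just one of them
        (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem) -and
        -not ($excluded | Where-Object { $_ -and $PSItem -and $PSItem.FullName -like "*\$_" })
    } |
    ForEach-Object {
        $dir = $_
        # only report folders that actually contain something executable
        Get-ChildItem -Path $dir.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.vbs', '.ps1', '.bat' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Folder     = $dir.FullName
                    File       = $_.Name
                    SizeBytes  = $_.Length
                    Modified   = $_.LastWriteTime
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    } | Format-Table -AutoSize
```

Run it elevated so that every profile is readable, and treat any hit outside the excluded list as something to triage rather than as a confirmed infection: a few installers also hide their folders this way.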