Unlocking the Secrets of Agent Tesla: A Closer Look at the Dangerous RAT (Part 1)

Agent Tesla is dangerous, invasive, prolific, and easy to deploy. Accessible with a quick Google search and configurable through a user-friendly web-based admin portal, this remote-access-trojan-as-a-service opens the lucrative world of cybercrime to the non-technical. Like any good commercial software, it tears down barriers to entry, letting criminals complete tasks that were once too tricky for the uninitiated. Stay with me as we open the previously locked doors guarding the underbelly of this tool, with exclusive access to bad actors’ loot boxes provided to us by ‘industry’ heavy hitters.

At its black heart, Agent Tesla is a Remote Access Trojan (RAT) that has been in circulation since 2014 (back when the Guardians of Peace were busy hacking Sony), though it did not draw wide attention until 2018. One of the first to report on it was the late, great Vitali Kremez, who stated, “Its ability to evade detection and adapt to changing circumstances makes it a significant threat to organizations and individuals alike.” I do not think it could have been better summarised. Against its victims, Agent Tesla can do the following:

  • Keylogging: Agent Tesla can capture keystrokes made by the victim, which allows attackers to obtain login credentials, credit card details, and other sensitive information.
  • Clipboard monitoring: The malware can monitor the victim’s clipboard and capture any copied data, such as passwords or credit card numbers.
  • Screen capture: Agent Tesla can take screenshots of the victim’s screen, giving attackers a view of what the victim is doing on their system.
  • File stealing: The malware can search for and steal specific files from the victim’s system, including documents, images, and other data.
  • Webcam and microphone control: Agent Tesla can activate the victim’s webcam and microphone, allowing attackers to record audio and video from the victim’s environment.
  • Credential theft: The malware can steal login credentials from various programs and applications, including web browsers, email clients, and FTP clients.
  • Email harvesting: Agent Tesla can extract email addresses and contact information from the victim’s email client.
  • Self-update: The malware can automatically download and install updates, making it harder to detect and remove.

Agent Tesla is not only nimble in adapting to avoid detection on the endpoint; it has also modernised its command, control, and data exfiltration techniques. These changes are mainly about encrypting traffic.

Earlier versions of Agent Tesla used plain HTTP to transfer stolen data and receive commands from the attacker’s server, which made it easier for security researchers and network defenders to detect and block the malware’s activity. More recent versions encrypt the channel between the infected system and the attacker’s server with Transport Layer Security (TLS), or its deprecated predecessor SSL.

By encrypting its communications, Agent Tesla makes payload-based detection much harder: the traffic looks like any other TLS session, so signatures that matched stolen data or panel commands in the clear no longer fire. It does not hide the server itself. The destination IP and port, and usually the server name in the TLS handshake, remain visible, so detection has to shift to where the traffic goes rather than what it carries. What encryption does conceal is the content of the exchange, which deprives investigators and law enforcement of the stolen data, credentials and commands they would otherwise recover from a capture when trying to track down and take down the infrastructure supporting the malware.

Reports show a shift in Agent Tesla’s data exfiltration methods from email to alternative channels such as Telegram and Discord.

Earlier versions of Agent Tesla were known to exfiltrate stolen data via email, a relatively straightforward method. However, this approach had some drawbacks, including the possibility of email interception or detection by email security solutions.

More recent versions of Agent Tesla have been observed exfiltrating stolen data through Telegram and Discord instead. Both are reached over HTTPS to well-known, high-reputation domains, so the exfiltration blends into traffic that most organisations already allow, and the attacker no longer has to run a mail server or web panel of their own. The operator picks the channel when building the sample, so the exfiltration method can be tailored to the target organisation’s security measures.

In the Telegram case the malware posts to the Telegram Bot API using a bot token and chat ID baked into the sample, delivering the loot to a private chat or channel that only the attacker can read. Discord, a chat application popular with gamers, has likewise been adopted by cybercriminals, with its webhooks serving as a drop point for stolen data.

The shift towards alternative channels and encrypted communications is part of a broader trend: cybercriminals are adopting more secure and stealthy methods for exfiltrating stolen data, and malware authors are improving the stealth and resilience of their tools against detection and analysis. It highlights the need for organisations to adopt a comprehensive, layered approach to cybersecurity, including robust email security, endpoint security, and network monitoring capabilities.

Though there is a shift towards encryption, plenty of easily accessible Agent Tesla samples still authenticate to the stolen-data store over unencrypted connections. When exfiltrating over email, Agent Tesla connects from the victim’s machine to a remote SMTP server and logs in with a preconfigured set of credentials, an email address and password, before sending the message. SMTP AUTH LOGIN only base64-encodes those credentials, so anyone with a packet capture (or the sample itself) can recover the attacker’s mailbox and, with it, the data it holds.
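As an added example that is not part of the original post, and covering both the Telegram/Discord channels described above and the plaintext SMTP authentication just discussed, here is a small Python triage script of the kind a defender would run over sandbox or network captures: it decodes the SMTP credentials from a captured session (AUTH LOGIN and AUTH PLAIN), records whether STARTTLS was negotiated first, and pulls the Telegram bot token and Discord webhook ID out of proxy log lines. The session transcript, the log lines and every credential, token and webhook value in them are constructed placeholders, not real indicators.

```python
"""Exfiltration-channel triage for Agent Tesla-style traffic. Added example, not
code from the original post; all inputs below are constructed placeholders."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed SMTP session as a sandbox or network tap would record it ("C:" is
# the infected host, "S:" the mail server). AUTH LOGIN carries the username and
# password as base64, which is an encoding, not encryption.
SAMPLE_SMTP_SESSION = """\
C: EHLO DESKTOP-VICTIM
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZHJvcEBleGFtcGxlLnRlc3Q=
S: 334 UGFzc3dvcmQ6
C: SHVudGVyMiE=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<drop@example.test>
C: RCPT TO:<loot@example.test>
"""

# Constructed proxy log lines: Telegram Bot API and Discord webhook URLs carry the
# secret that identifies the attacker's channel right in the request path.
SAMPLE_HTTP_LOG = """\
2023-05-01T10:00:01Z DESKTOP-VICTIM POST https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExample/sendDocument
2023-05-01T10:00:02Z DESKTOP-VICTIM GET https://www.example.test/
2023-05-01T10:00:03Z DESKTOP-VICTIM POST https://discord.com/api/webhooks/111111111111111111/ExampleWebhookTokenExample
"""
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
DISCORD_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+")

@dataclass
class ExfilFindings:
    auth_plaintext: bool = False     # AUTH LOGIN/PLAIN seen in the clear
    starttls: bool = False           # STARTTLS negotiated first: later bytes are ciphertext
    username: Optional[str] = None
    password: Optional[str] = None
    rcpt_to: list[str] = field(default_factory=list)              # attacker's drop mailbox
    telegram: list[tuple[str, str]] = field(default_factory=list)  # (bot token, API method)
    discord_webhooks: list[str] = field(default_factory=list)      # webhook IDs

def _b64_text(token: str) -> str:
    """Decode one base64 token, returning "" rather than raising on junk."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def parse_smtp_session(transcript: str) -> ExfilFindings:
    """Walk the client side of an SMTP transcript and recover the exfil mailbox."""
    f, expecting = ExfilFindings(), None   # expecting: AUTH LOGIN step, "user" or "pass"
    for raw in transcript.splitlines():
        if not raw.startswith("C: "):
            continue
        cmd = raw[3:].strip()
        up = cmd.upper()
        if expecting == "user":
            f.username, expecting = _b64_text(cmd), "pass"
        elif expecting == "pass":
            f.password, expecting = _b64_text(cmd), None
        elif up == "AUTH LOGIN":
            f.auth_plaintext, expecting = True, "user"
        elif up.startswith("AUTH PLAIN "):
            # AUTH PLAIN packs "authzid\0user\0pass" into a single base64 blob
            f.auth_plaintext = True
            parts = _b64_text(cmd.split(None, 2)[2]).split("\0")
            if len(parts) == 3:
                f.username, f.password = parts[1], parts[2]
        elif up == "STARTTLS":
            f.starttls = True
        elif up.startswith("RCPT TO:") and (m := re.search(r"<([^>]+)>", cmd)):
            f.rcpt_to.append(m.group(1))
    return f

def scan_http_log(log: str, f: Optional[ExfilFindings] = None) -> ExfilFindings:
    """Pick Telegram bot tokens and Discord webhook IDs out of proxy log lines."""
    f = f or ExfilFindings()
    for line in log.splitlines():
        if m := TELEGRAM_RE.search(line):
            f.telegram.append((m.group(1), m.group(2)))
        if m := DISCORD_RE.search(line):
            f.discord_webhooks.append(m.group(1))
    return f

def triage(f: ExfilFindings) -> list[str]:
    """Reduce findings to the pivots an analyst would block, report or hunt on."""
    alerts = []
    if f.auth_plaintext and not f.starttls:
        alerts.append(f"plaintext SMTP AUTH as {f.username}; drop mailbox {', '.join(f.rcpt_to)}")
    for token, method in f.telegram:
        alerts.append(f"Telegram Bot API {method} by bot id {token.split(':')[0]}")
    alerts += [f"Discord webhook {wid}" for wid in f.discord_webhooks]
    return alerts

if __name__ == "__main__":
    findings = scan_http_log(SAMPLE_HTTP_LOG, parse_smtp_session(SAMPLE_SMTP_SESSION))
    print("\n".join(triage(findings)))
```

Two caveats on using this for real. First, the HTTP half only works where the request path is visible, that is at a TLS-inspecting proxy or in sandbox and EDR telemetry, because over HTTPS the network only shows a connection to api.telegram.org or discord.com; the bot ID (the part of the token before the colon) is safe to share as an indicator, while the full token is what identifies the channel to the service operator. Second, if the client negotiated STARTTLS before AUTH, everything after it in a capture is ciphertext, which is why the `starttls` flag suppresses the credential alert rather than reporting garbage as a password.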

To conclude this part, Agent Tesla is a dangerous and prolific remote-access-trojan evolving to become more stealthy and harder to detect. In this post, we have explored its capabilities and discussed its shift towards encrypted communications and alternative data exfiltration channels. However, this is only the first part of a two-part series. In the next post, we will dive into a technical deep dive and see screenshots from within a command and control server, providing a closer look at how this malware operates and how organisations can better protect themselves against it. Stay tuned for more insights into the dark world of cybercrime.

The Cyberwarfare Lessons from the Conflict between Ukraine and Russia: Protecting Critical Infrastructure and Personal Data in the Digital Age

From consumer drones dropping makeshift grenades made with 3D-printed parts, to civilians signing up to be part of a global DDoS botnet – the conflict between Ukraine and Russia is proving to be anything but a repeat of wars we have seen throughout history. Though somewhat clear battlefronts are being drawn and typical two-sided conflict is occurring – a secondary digital battle is being fought constantly in cyberspace. When the conflict started, it became immediately apparent that the fronts in cyberspace were as opaque and vague as they come. If you manage IT systems in any way, this should concern you. Unless you live in a country that has remained neutral in this conflict (though not even Switzerland did that this time), you might already be in the crosshairs.


Though the statement “civilians signing up to be part of a global botnet” sounds unreal and requires a mental double-take, that is precisely what happened in the conflict’s early months. As a reaction to Russia’s naval bombardment of Snake Island and the reply the Ukrainian soldiers there gave the Russians, “russianwarshipgof***yourself[dot]club” was born. The site runs JavaScript in the browser of anyone who visits, using their computer to send requests to an extensive list of Russian state-owned websites in order to DDoS them. This self-sign-up botnet proved incredibly effective in the short term, bringing down multiple sites, including “en.kremlin.ru” and “government.ru.”

Actions like this may have brought down some government sites on both sides, but they certainly fanned the flame of what can only be called cyber warfare. The Five Eyes partners released a joint cybersecurity advisory (Alert Code AA22-110A, first published on 20 April 2022 and updated on 9 May 2022) alerting organisations to Russian state-sponsored and criminal cyber threats to critical infrastructure. Organisations in Australia were warned they “should urgently adopt an enhanced cyber security posture” in response.

These were not idle warnings; Microsoft determined that 237 attacks from Russia or Russian-backed actors had occurred between 2 February 2022 and 8 April 2022. This included 38 attacks that irreversibly destroyed files in hundreds of systems in dozens of Ukrainian organisations.

The prominent malware families utilised in these assaults include WhisperGate, HermeticWiper (also known as FoxBlade or KillDisk), HermeticRansom (SonicVote), IsaacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.

WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper were all designed to erase data and render machines unbootable, while DoubleZero can delete data at scale. DesertBlade was found infecting the systems of broadcasting companies in Ukraine, continuing the Russian tradition of silencing or destroying public media. SonicVote is used as a cover for intrusions by disguising them as ransomware attacks. Industroyer2 is a significant threat to operational technology networks and industrial production processes.

For Australians, this seemed too far away to care about. That was until one of the most noted cyber-attacks in Australia’s history: the Medibank insurance hack. The Australian public had repeatedly heard that some obscure company had lost records to a cyber-attack and thought little of it. That was brought into context when the Australian Federal Police attributed the attack to Russia-based criminals, who were releasing the personal medical information of around 9.7 million people, including HIV results and rehab bookings.

The conflict between Ukraine and Russia has demonstrated the real-world impact of cyberwarfare on critical infrastructure and individuals’ private information. The attacks on organisations and infrastructure have been persistent and devastating, with new and old malware causing significant widespread damage. The global community must take cybersecurity seriously and adopt an enhanced posture to protect against state-sponsored and criminal cyber threats. As cyberwarfare evolves, individuals and organisations must remain vigilant and proactive in protecting their networks and data.

Hello world!

Welcome to the blog – Simple hello to let you know that good works are in the pipe. Thanks for stopping in!

<?php
echo "Hello, world!";
?>