Agent Tesla is dangerous, invasive, prolific, and easy to deploy. Accessible with a quick Google search and configurable through a user-friendly web-based admin portal, this remote-access-trojan-as-a-service opens the lucrative world of cybercrime to the non-technical. Like any good commercial software, it tears down barriers to entry, allowing criminals to complete tasks once too tricky for the uninitiated to comprehend. Stay with me as we open the previously locked doors guarding the underbelly of this tool, with exclusive access to bad actors’ loot boxes provided to us by ‘industry’ heavy hitters.

At its black heart, Agent Tesla is a Remote Access Trojan (RAT) that has been in circulation since 2014 (back when Guardians of Peace were busy hacking Sony), though it was only discovered in 2018. One of the first to report on it was the late great Vitali Kremez, who stated, “Its ability to evade detection and adapt to changing circumstances makes it a significant threat to organizations and individuals alike.” I do not think it could have been better summarised. Against its victims, Agent Tesla can do the following:

  • Keylogging: Agent Tesla can capture keystrokes made by the victim, which allows attackers to obtain login credentials, credit card details, and other sensitive information.
  • Clipboard monitoring: The malware can monitor the victim’s clipboard and capture any copied data, such as passwords or credit card numbers.
  • Screen capture: Agent Tesla can take screenshots of the victim’s screen, giving attackers a view of what the victim is doing on their system.
  • File stealing: The malware can search for and steal specific files from the victim’s system, including documents, images, and other data.
  • Webcam and microphone control: Agent Tesla can activate the victim’s webcam and microphone, allowing attackers to record audio and video from the victim’s environment.
  • Credential theft: The malware can steal login credentials from various programs and applications, including web browsers, email clients, and FTP clients.
  • Email harvesting: Agent Tesla can extract email addresses and contact information from the victim’s email client.
  • Self-update: The malware can automatically download and install updates, making it harder to detect and remove.

Agent Tesla is not only nimble in its adaptation to avoid detection on the endpoint; it has also adapted and modernised its command, control, and data exfiltration techniques. These changes are mainly around encrypting traffic.

Earlier versions of Agent Tesla used plain HTTP communications to transfer stolen data and receive commands from the attacker’s server, which made it easier for security researchers and network defenders to detect and block the malware’s activity. However, in recent versions, Agent Tesla has been updated with encryption capabilities, using Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to encrypt communication between the infected system and the attacker’s server.

By encrypting its communications, Agent Tesla makes it harder for security solutions to detect and block its activity since the encrypted traffic may appear as legitimate SSL/TLS traffic. It also helps to conceal the location and identity of the attacker’s server, making it harder for law enforcement agencies to track down and take down the infrastructure supporting the malware.

Reports show a shift in Agent Tesla’s data exfiltration methods from email to alternative channels such as Telegram and Discord.

Earlier versions of Agent Tesla were known to exfiltrate stolen data via email, a relatively straightforward method. However, this approach had some drawbacks, including the possibility of email interception or detection by email security solutions.

More recent versions of Agent Tesla have been observed using alternative channels such as Telegram and Discord to exfiltrate stolen data. These channels are encrypted end to end with the platform, offering a more secure path than email and making it harder for security solutions to detect or intercept the exfiltrated data. They also offer greater flexibility and customisation, allowing attackers to tailor the exfiltration method to the target organisation’s security measures.

For example, Telegram allows users to create private channels or groups accessible only by invitation, making it a popular choice among cybercriminals looking to exfiltrate sensitive data. On the other hand, Discord is a chat application often used by gamers and has recently been targeted by cybercriminals as a platform for exchanging stolen data.

The shift towards alternative communication channels and encrypted communications is part of a broader trend: cybercriminals are adopting more secure and stealthy methods for exfiltrating stolen data, and malware authors are improving the stealth and resilience of their tools against detection and analysis. It highlights the need for organisations to adopt a comprehensive and layered approach to cybersecurity, including robust email security measures, endpoint security, and network monitoring capabilities.

Though there is a shift towards encryption, there are several easily accessible examples of Agent Tesla that still use unencrypted traffic to authenticate with the stolen data store. Agent Tesla connects to a remote SMTP server using the victim’s internet connection when exfiltrating over email. It then uses a preconfigured set of SMTP credentials, such as an email address and password, to authenticate with the server and send the message.
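Both the unencrypted SMTP authentication just described and the Telegram and Discord channels discussed above leave traces that a network sensor or web proxy can pick up. The triage script below is an added example written for this post, not code from the Agent Tesla tooling or from any vendor; it runs over a handful of constructed sensor records (a hypothetical `timestamp src dst proto payload` format) and flags three things a defender cares about: a plaintext `AUTH LOGIN` or `AUTH PLAIN` exchange on an SMTP flow (from which the preconfigured drop-mailbox username can be recovered for the incident report), a POST to the Telegram bot API `sendDocument`/`sendMessage` endpoints, and a POST to a Discord webhook URL. The `proxy` records assume a TLS-inspecting proxy that logs the full URL; with SNI-only visibility you would match on the host name instead.

```python
"""Triage constructed network-sensor records for Agent Tesla-style exfiltration indicators."""
import base64
import re

# Constructed sample records (hypothetical format: "ts src dst proto payload").
# IPs are documentation ranges; tokens are placeholders, not real identifiers.
SAMPLE_LINES = [
    "2023-05-01T10:00:01Z 10.0.0.5 203.0.113.10:587 smtp EHLO WIN-PC",
    "2023-05-01T10:00:02Z 10.0.0.5 203.0.113.10:587 smtp AUTH LOGIN",
    "2023-05-01T10:00:02Z 10.0.0.5 203.0.113.10:587 smtp bG9vdEBleGFtcGxlLm5ldA==",
    "2023-05-01T10:00:03Z 10.0.0.5 203.0.113.10:587 smtp UGFzc3cwcmQh",
    "2023-05-01T10:01:00Z 10.0.0.7 198.51.100.20:443 proxy POST https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendDocument",
    "2023-05-01T10:02:00Z 10.0.0.8 198.51.100.30:443 proxy POST https://discord.com/api/webhooks/111/PLACEHOLDER_TOKEN",
    "2023-05-01T10:03:00Z 10.0.0.9 203.0.113.40:587 smtp STARTTLS",   # session goes opaque; no AUTH visible
    "2023-05-01T10:04:00Z 10.0.0.6 203.0.113.50:25 smtp AUTH PLAIN AGxvb3RAZXhhbXBsZS5uZXQAUGFzc3cwcmQh",
]

# Telegram bot API upload/message endpoints and Discord webhook paths.
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/send(?:Document|Message)", re.I)
DISCORD_WEBHOOK = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/", re.I)


def _b64_text(blob):
    """Decode a base64 token to text, or return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def parse_line(line):
    ts, src, dst, proto, payload = line.split(" ", 4)
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "payload": payload}


def _finding(kind, rec, user=None):
    return {"kind": kind, "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "user": user}


def triage(lines):
    """Return findings in the order the evidence completes in the log."""
    findings = []
    pending = {}  # (src, dst) -> state of an in-progress AUTH LOGIN exchange
    for rec in map(parse_line, lines):
        flow = (rec["src"], rec["dst"])
        payload = rec["payload"]
        if rec["proto"] == "smtp":
            upper = payload.upper()
            if upper.startswith("AUTH PLAIN"):
                # AUTH PLAIN carries "\0user\0pass" in one base64 token.
                parts = payload.split(" ", 2)
                decoded = _b64_text(parts[2]) if len(parts) == 3 else None
                user = decoded.split("\0")[1] if decoded and decoded.count("\0") >= 2 else None
                findings.append(_finding("plaintext_smtp_auth", rec, user=user))
            elif upper.startswith("AUTH LOGIN"):
                # Username and password follow as two separate base64 lines.
                pending[flow] = {"stage": "user", "user": None, "rec": rec}
            elif flow in pending:
                state = pending[flow]
                if state["stage"] == "user":
                    state["user"] = _b64_text(payload)
                    state["stage"] = "pass"
                else:
                    # Password observed in clear; report the mailbox, not the secret.
                    findings.append(_finding("plaintext_smtp_auth", state["rec"], user=state["user"]))
                    del pending[flow]
            # STARTTLS and other commands: nothing to flag on their own.
        elif rec["proto"] == "proxy":
            if TELEGRAM_BOT_API.search(payload):
                findings.append(_finding("telegram_bot_exfil", rec))
            elif DISCORD_WEBHOOK.search(payload):
                findings.append(_finding("discord_webhook_exfil", rec))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['ts']} {f['kind']:<22} {f['src']} -> {f['dst']}  user={f['user']}")
```

The Telegram and Discord matches are strong signals only in an environment where those services are not sanctioned; the plaintext SMTP authentication is the more portable indicator, since a workstation authenticating to an external mail server over port 25 or 587 without STARTTLS is rarely legitimate. The recovered mailbox name is worth preserving in the incident record because it identifies where the stolen data was sent.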

To conclude this part, Agent Tesla is a dangerous and prolific remote-access trojan that keeps evolving to become stealthier and harder to detect. In this post, we have explored its capabilities and discussed its shift towards encrypted communications and alternative data exfiltration channels. However, this is only the first part of a two-part series. In the next post, we will take a technical deep dive, with screenshots from within a command and control server, providing a closer look at how this malware operates and how organisations can better protect themselves against it. Stay tuned for more insights into the dark world of cybercrime.