Remote Access Trojans have surged in recent years and have become more prevalent than some of the world’s most widely known malware strains. In particular, since the COVID-19 outbreak, the Agent Tesla remote-access trojan (RAT) has successfully exploited pandemic fears and added several new features. Agent Tesla first arrived on the scene nine years ago and was featured in more attacks in the first half of 2020 than the very popular malware threats TrickBot or Emotet, particularly against businesses.
Agent Tesla specializes in keylogging and data theft. Its new binaries offer more robust spreading and injection methods and are capable of stealing wireless network details and credentials. Agent Tesla can also harvest configuration data and credentials from several common VPN clients, FTP and email clients and web browsers, including Apple Safari, Google Chrome, Edge, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera Mail and many others.
Another new feature of this older Remote Access Trojan is that variants can now fetch secondary executables to install onto a victim’s machine and subsequently inject code into those second-stage binaries as a detection-evasion method.
In one campaign, researchers observed Agent Tesla dropping a copy of RegAsm.exe and injecting additional code into it, so that RegAsm.exe handled the main jobs of data harvesting and exfiltration. The injection is performed via process hollowing, in which the legitimate process’s memory sections are unmapped and the freed space is reallocated and filled with malicious code, so the injected payload runs under the name and path of a trusted binary.
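The RegAsm.exe abuse described above suggests a few simple detection heuristics a defender can run over endpoint process telemetry: RegAsm.exe is a .NET Framework utility that normally lives under the Framework directories, is launched by development or installer tooling, and has no reason to open network connections. The following is an added example written for this article, not code from the original page or from any researcher cited in it. It evaluates those heuristics over a handful of constructed Sysmon-style events (Event ID 1 = process creation, Event ID 3 = network connection); the sample paths, process IDs and the set of “expected” parent processes are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Heuristic detection of hollowed/abused RegAsm.exe from process telemetry.

Added example (not from the original article). Input events mimic Sysmon
Event ID 1 (process create) and Event ID 3 (network connect) as dicts.
"""

# Directories where a genuine RegAsm.exe is installed by the .NET Framework.
EXPECTED_REGASM_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)

# Assumption: parents that legitimately invoke RegAsm.exe in this environment.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (rule, process_id, detail) findings for RegAsm.exe."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if basename(image) != "regasm.exe":
            continue  # only RegAsm.exe is in scope for these rules
        pid = ev.get("ProcessId")

        if ev.get("EventID") == 1:
            # Rule 1: a dropped copy running outside the .NET Framework directories.
            if not image.lower().startswith(EXPECTED_REGASM_DIRS):
                findings.append(("regasm_unexpected_path", pid, image))
            # Rule 2: launched by something other than known build/installer tooling.
            parent = basename(ev.get("ParentImage", ""))
            if parent not in EXPECTED_PARENTS:
                findings.append(("regasm_unexpected_parent", pid, parent))

        elif ev.get("EventID") == 3:
            # Rule 3: RegAsm.exe never needs the network; a connection suggests exfiltration.
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            findings.append(("regasm_network_connection", pid, dest))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {   # Benign: genuine RegAsm.exe started by Visual Studio.
        "EventID": 1, "ProcessId": 1200,
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe",
    },
    {   # Suspicious: a copy in the user profile spawned by an unknown executable.
        "EventID": 1, "ProcessId": 4412,
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\RegAsm.exe",
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    },
    {   # Suspicious: that same RegAsm.exe opening an outbound SMTP-submission connection.
        "EventID": 3, "ProcessId": 4412,
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\RegAsm.exe",
        "DestinationIp": "198.51.100.7", "DestinationPort": 587,
    },
    {   # Out of scope: an unrelated process making a network connection.
        "EventID": 3, "ProcessId": 2080,
        "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "DestinationIp": "203.0.113.5", "DestinationPort": 443,
    },
]


def run_sample():
    """Analyze the constructed events and return the findings."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule}\tpid={pid}\t{detail}")
```

Rule 3 is the most robust of the three because it does not depend on a list of expected parents; the path rule catches the “dropped copy” behaviour the article describes, while a hollowed genuine RegAsm.exe would pass the path check and be caught only by the parent and network rules.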
Other improvements have been observed in the malware’s execution behavior. After launch, the malware collects local system information, installs a keylogger and then initializes routines to discover and harvest data. During this process, it also scans for wireless network settings and credentials.
Although Agent Tesla has been around for several years now, attackers are continually developing new ways to utilize it while maintaining anonymity and avoiding detection.