Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques
Security News, February 2021
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by the Agent Tesla remote access trojan to get around defensive barriers and spy on its victims.
Cybersecurity firm Sophos, which observed two versions of Agent Tesla, version 2 and version 3, currently in the wild, said the changes are yet another sign of Agent Tesla's constant evolution, designed to make sandbox and static analysis more difficult.
"The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers," Sophos researchers noted.
In August 2020, the second version of Agent Tesla increased the number of applications targeted for credential theft to 55, with the stolen data transmitted to an attacker-controlled server via SMTP or FTP. While the use of SMTP to send information to an attacker-controlled mail server had been observed as far back as 2018, one of the new versions identified by Sophos was also found to route its HTTP communications through a Tor proxy and to use the messaging app Telegram's API to relay the stolen information to a private chat.
Besides this, Agent Tesla's multi-stage installation process has received a significant upgrade: the first-stage downloader now attempts to tamper with the code of the Windows Antimalware Scan Interface (AMSI) in memory so that the second-stage payload it fetches from Pastebin is not scanned.
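Two of the behaviours described above leave a network footprint that a defender can look for without any malware sample: the second-stage fetch from a Pastebin raw URL and exfiltration through Telegram's Bot API, whose request path embeds the bot token. The script below is an added example written for this page, not Sophos or Agent Tesla code; the proxy log format (timestamp, client, method, URL, user agent) and the sample lines are constructed assumptions, and the bot tokens in them are fake. It flags both indicators, records the bot ID without the secret half of the token, and then correlates per client so a host that pulled a raw paste and then called the Bot API stands out from the ordinary web.telegram.org browsing that a plain Telegram match would also catch. The in-memory AMSI tampering is a host-side artefact and is not visible in this data.

```python
"""Proxy-log triage for two Agent Tesla network indicators: Pastebin raw
fetches (stage-2 download) and Telegram Bot API calls (exfiltration).
Added example; log format and sample lines are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample proxy lines (assumed format: timestamp client method url user-agent).
# Tokens are fake; 10.0.0.23 is a user browsing normally and must not be flagged.
SAMPLE_LOG = """\
2021-02-02T10:14:03Z 10.0.0.17 GET https://pastebin.com/raw/AbCdEfGh Mozilla/4.0 (compatible; MSIE 7.0)
2021-02-02T10:14:09Z 10.0.0.17 POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0/sendDocument Mozilla/4.0 (compatible; MSIE 7.0)
2021-02-02T10:15:44Z 10.0.0.23 GET https://pastebin.com/AbCdEfGh Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
2021-02-02T10:16:02Z 10.0.0.23 GET https://web.telegram.org/ Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
2021-02-02T10:18:51Z 10.0.0.55 POST https://api.telegram.org/bot987654321:AAFdummytokenvalue_0123456789ABCDEF/sendMessage curl/7.68.0
"""

# /raw/ is the form a downloader uses to pull a paste straight into memory;
# a human viewing a paste hits the HTML page without /raw/.
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/([A-Za-z0-9]{8})$")
# Bot API requests carry the token (<bot id>:<secret>) in the path. The
# sendDocument/sendMessage/sendPhoto methods are what an exfil client calls.
TELEGRAM_BOT = re.compile(
    r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,50})/(sendDocument|sendMessage|sendPhoto)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one assumed-format proxy line; the user agent may contain spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, client, method, url = parts[:4]
    ua = parts[4] if len(parts) == 5 else ""
    return ts, client, method, url, ua


def scan_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, _method, url, ua = parsed
        m = PASTEBIN_RAW.match(url)
        if m:
            findings.append(Finding(ts, client, "pastebin_raw_fetch", f"paste={m.group(1)} ua={ua}"))
            continue
        m = TELEGRAM_BOT.match(url)
        if m:
            bot_id, _secret, api_method = m.groups()
            # Keep the bot id (useful for blocking and pivoting) but never log the secret.
            findings.append(Finding(ts, client, "telegram_bot_api", f"bot_id={bot_id} method={api_method} ua={ua}"))
    return findings


def staged_hosts(findings: List[Finding]) -> Set[str]:
    """Clients that both pulled a raw paste and called the Bot API: the
    stage-2-then-exfil chain, which is far stronger than either match alone."""
    rules_by_client: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_client.setdefault(f.client, set()).add(f.rule)
    needed = {"pastebin_raw_fetch", "telegram_bot_api"}
    return {client for client, rules in rules_by_client.items() if needed <= rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.client} {f.rule} {f.detail}")
    print("chained hosts:", sorted(staged_hosts(found)))
```

On the sample data this reports the raw-paste fetch and two Bot API calls, and only 10.0.0.17 as a chained host; 10.0.0.55 still deserves a look (a curl user agent posting to the Bot API is unusual for a workstation), but legitimate automation and chat bots use the same endpoint, so the Bot API match alone is a lead rather than a verdict.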
"The most widespread delivery method for Agent Tesla is malicious spam," Sophos threat researchers Sean Gallagher and Markel Picado said.