mood Posted February 2, 2021

Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface

A new version of the Agent Tesla RAT can ‘kneecap’ endpoint protection software supported by Microsoft AMSI.

Researchers have identified new versions of the Agent Tesla remote access trojan (RAT) that target the Windows anti-malware interface used by security vendors to protect PCs from attacks. The newly discovered variants have also adopted new obfuscation capabilities, raising the stakes for businesses to fend off the ever-evolving Agent Tesla malware.

Chief among the updates is that the malware now targets Microsoft’s Antimalware Scan Interface (AMSI) in order to avoid detection. AMSI allows applications and services to integrate with any antimalware product that’s present on a machine. The malware also now has the added capability of deploying a Tor client to conceal its communications, as well as using the Telegram chat application to exfiltrate data. All of these changes make sandbox and static analysis, as well as endpoint detection of the malware, more difficult, warned researchers.

“Agent Tesla remains a consistent threat—for many months, it has remained among the top families of malware in malicious attachments caught by Sophos,” said Sophos researchers on Tuesday. “Because of this sustained stream of Agent Tesla attacks, we believe that the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.”

Agent Tesla first came onto the scene in 2014, specializing in keylogging (designed to record keystrokes made by a user in order to exfiltrate data like credentials and more) and data-stealing.

Agent Tesla has historically arrived in a malicious spam email as an attachment. The first stage of the malware’s newer version includes a .NET-based downloader.
The downloader collects obfuscated code from websites like Pastebin and Hastebin (which touts itself as an “open source alternative to Pastebin”). This is not a new tactic, with Agent Tesla previously turning to a legitimate Pastebin-like web service for downloading malware.

[Image: Credit: Sophos]

Then, Agent Tesla’s installer attempts to overwrite code in Microsoft’s AMSI. First, the downloader attempts to get the memory address of AmsiScanBuffer (Microsoft’s function, also known as amsi.h, that scans a buffer-full of content for malware). It does so by calling Windows’ amsi.dll, using the Windows LoadLibraryA function, to get the DLL’s base address. Then it passes that base address and the “AmsiScanBuffer” procedure name to the GetProcAddress function to get the address of the function.

Once Agent Tesla gets the address of AmsiScanBuffer, it patches the first 8 bytes of the function in memory. This forces AMSI to return an error (code 0x80070057), making all the AMSI scans of memory appear to be invalid, according to researchers.

“This kneecaps AMSI-enabled endpoint protection software, by essentially making them skip further AMSI scans for dynamically loaded assemblies within the Agent Tesla process,” said researchers. “Since this happens early in the first stage downloader’s execution, it renders any AMSI protection against the subsequent components of the downloader, the second-stage loader, and the Agent Tesla payload itself.”

The new version of Agent Tesla also has the added capability of deploying a Tor client. This free, open-source software enables anonymous communication, serving as a tool for Agent Tesla to conceal its communications, said researchers.

“If selected in the configuration file, the malware downloads and installs a Tor client from the official Tor site,” said researchers.
“If the Tor client is already present, it kills the process before installing the new one, and writes a torrc configuration file from encrypted strings hardcoded into the malware.”

New Features

Researchers said the functionality of these two new variants is largely the same, but they now include updates to the data that is captured and how it is exfiltrated.

In the new Agent Tesla version, the developers can now capture data from the Windows clipboard. The Windows clipboard is a storage area for items that have been cut or copied; this data could include anything from sensitive copied data from emails or documents to passwords. This data is then sent back to the command-and-control (C2) server.

Another difference is that in the new version of Agent Tesla, the number of applications targeted for credential harvesting “has been expanded considerably.” Agent Tesla previously targeted credentials from applications like Apple Safari, Chromium, Google Chrome, Iridium, Microsoft IE and Edge, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser and Yandex. The malware also now targets FTPNavigator (a Windows-based Internet application that facilitates FTP transfer), WinVNC4 (a remote desktop control allowing users to control computers remotely), WinSCP (which provides secure file transfer between a local and a remote computer) and SmartFTP (a network file-transfer program for Windows).

“The credential-stealing function also includes code which launches a separate thread to exfiltrate browser cookies. While this code is present in all the samples of Agent Tesla from both v2 and v3, it isn’t always used,” said researchers.
“Also, this feature is not set from the configuration file—so, perhaps, it’s a premium feature attackers must buy from Agent Tesla’s developer.”

While Agent Tesla has previously communicated with the C2 server over HTTP, SMTP (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol), the new version also uses Telegram to exfiltrate data, by sending the stolen data to a private Telegram chat room.

Agent Tesla: A Seven-Year Threat

While the Windows-targeting Agent Tesla remote access trojan (RAT) has been active for over seven years, researchers said that they have continued to see new variants of the malware in a growing number of attacks over the past 10 months, compared to the infamous TrickBot or Emotet malware, for instance. In fact, in December 2020, Agent Tesla accounted for 20 percent of malware email attachments detected in researchers’ telemetry.

Moving forward, researchers said they believe Agent Tesla will continue to evolve. “The differences between the two demonstrate how the RAT has evolved, employing multiple types of defense evasion and obfuscation to avoid detection,” they said.

Source: Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface
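The in-memory AmsiScanBuffer patch described in the post above is something a defender can check for from inside a process. The following Python is an added example, not Sophos' code and not the malware's: it locates the function through the same LoadLibrary/GetProcAddress lookup the post describes (read-only, and only on Windows), then classifies the first bytes against the common patch stubs. The sample byte strings are constructed for the test; the exact bytes Agent Tesla writes are not given in the post, so the "mov eax, 0x80070057 ; ret" stub is an assumption chosen because it reproduces the E_INVALIDARG return the post reports.

```python
"""Check whether AmsiScanBuffer has been patched in the current process.

Added example; not code from Sophos or from Agent Tesla. The classifier
works on raw bytes so it can be exercised on any platform; the live reader
needs Windows, where amsi.dll exists.
"""
import ctypes
import struct
import sys

# HRESULT E_INVALIDARG, the error value the post says the patched function returns.
E_INVALIDARG = 0x80070057

# Constructed sample (assumption): "mov eax, 0x80070057 ; ret" padded with NOPs
# to the 8 bytes the post says are overwritten.
SAMPLE_PATCHED = bytes.fromhex("B8 57 00 07 80 C3 90 90")
# Constructed sample of an ordinary x64 function prologue
# (mov r11, rsp ; mov [r11+8], rbx ...) standing in for an unpatched entry.
SAMPLE_CLEAN = bytes.fromhex("4C 8B DC 49 89 5B 08 49")


def classify_prologue(prologue: bytes) -> dict:
    """Classify the first bytes of AmsiScanBuffer.

    Returns {"patched": bool, "forced_hresult": int | None, "reason": str}.
    The patterns are the usual in-memory AMSI patch stubs; anything else is
    reported as clean, which is a heuristic, not proof of integrity.
    """
    if len(prologue) < 3:
        raise ValueError("need at least 3 bytes of the function entry")
    # mov eax, imm32 ; ret   ->  B8 <imm32 little-endian> C3
    if prologue[0] == 0xB8 and len(prologue) >= 6 and prologue[5] == 0xC3:
        hres = struct.unpack_from("<I", prologue, 1)[0]
        return {"patched": True, "forced_hresult": hres,
                "reason": f"entry returns 0x{hres:08X} unconditionally"}
    # xor eax, eax ; ret     ->  31 C0 C3 or 33 C0 C3 (returns S_OK, scans nothing)
    if prologue[:3] in (b"\x31\xC0\xC3", b"\x33\xC0\xC3"):
        return {"patched": True, "forced_hresult": 0,
                "reason": "entry returns S_OK without scanning"}
    # bare ret or int3 at the entry point
    if prologue[0] in (0xC3, 0xCC):
        return {"patched": True, "forced_hresult": None,
                "reason": "entry is ret/int3"}
    return {"patched": False, "forced_hresult": None,
            "reason": "no known patch stub at entry"}


def forces_invalid_arg(prologue: bytes) -> bool:
    """True when the stub reproduces the E_INVALIDARG behaviour the post describes."""
    return classify_prologue(prologue)["forced_hresult"] == E_INVALIDARG


def read_live_prologue(nbytes: int = 8) -> bytes:
    """Read the first bytes of AmsiScanBuffer in this process (Windows only).

    Same LoadLibrary/GetProcAddress lookup the post attributes to the
    downloader, but this only reads the bytes; it never writes them.
    """
    if sys.platform != "win32":
        raise RuntimeError("amsi.dll only exists on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    hmod = k32.LoadLibraryW("amsi.dll")
    if not hmod:
        raise OSError(ctypes.get_last_error(), "LoadLibraryW(amsi.dll) failed")
    addr = k32.GetProcAddress(hmod, b"AmsiScanBuffer")
    if not addr:
        raise OSError(ctypes.get_last_error(), "AmsiScanBuffer not exported")
    return ctypes.string_at(addr, nbytes)


if __name__ == "__main__":
    try:
        live = read_live_prologue()
    except RuntimeError:
        live = None  # not on Windows; only the constructed samples are shown
    for label, blob in (("constructed patched", SAMPLE_PATCHED),
                        ("constructed clean", SAMPLE_CLEAN),
                        ("live AmsiScanBuffer", live)):
        if blob is not None:
            print(f"{label}: {blob.hex(' ')} -> {classify_prologue(blob)}")
```

Run it from a process you care about (a PowerShell host can invoke it via `python`) and compare the live bytes with what the unpatched amsi.dll on disk starts with; a forced HRESULT at the entry point is the signature of the technique the post describes, and a scanner that treats a failed AmsiScanBuffer call as "nothing detected" is exactly what the patch relies on.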
aum Posted February 2, 2021

Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques

Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by the Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.

Typically spread through social engineering lures, the Windows spyware not only now targets Microsoft's Antimalware Scan Interface (AMSI) in an attempt to defeat endpoint protection software, it also employs a multi-stage installation process and makes use of Tor and the Telegram messaging API to communicate with a command-and-control (C2) server.

Cybersecurity firm Sophos, which observed two versions of Agent Tesla — version 2 and version 3 — currently in the wild, said the changes are yet another sign of Agent Tesla's constant evolution designed to make sandbox and static analysis more difficult.

"The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers," Sophos researchers noted.

A .NET based keylogger and information stealer, Agent Tesla has been deployed in a number of attacks since late 2014, with additional features incorporated over time that allow it to monitor and collect the victim's keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.

Last May, during the height of the pandemic, a variant of the malware was found to spread via COVID-themed spam campaigns to steal Wi-Fi passwords alongside other information – such as Outlook email credentials – from target systems.
Then in August 2020, the second version of Agent Tesla increased the number of applications targeted for credential theft to 55, the results of which were then transmitted to an attacker-controlled server via SMTP or FTP.

While the use of SMTP to send information to a mail server controlled by the attacker was spotted way back in 2018, one of the new versions identified by Sophos was also found to leverage a Tor proxy for HTTP communications and messaging app Telegram's API to relay the information to a private chat room.

Besides this, Agent Tesla now attempts to modify code in AMSI in a bid to skip scans of malicious payloads fetched by the first-stage downloader, which then grabs obfuscated base64-encoded code from Pastebin (or Hastebin) that acts as the loader for the Agent Tesla malware. AMSI is an interface standard that allows applications and services to be integrated with any existing antimalware product that's present on a Windows machine.

Furthermore, to achieve persistence, the malware copies itself to a folder and sets that folder's attributes to "Hidden" and "System" in order to conceal it from view in Windows Explorer, the researchers explained.

"The most widespread delivery method for Agent Tesla is malicious spam," Sophos threat researchers Sean Gallagher and Markel Picado said. "The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify attachments before opening them."

Source