Agent Tesla | Old RAT Uses New Tricks to Stay on Top

As other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the most prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than even TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for at least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the COVID-19 pandemic new variants have been introduced with added functionality, and the malware has been widely used in Coronavirus-themed phishing campaigns.

Agent Tesla | Background & Overview

Agent Tesla is, at its core, a keylogger and information stealer. First discovered in late 2014, there has been steady growth in the use of Agent Tesla over the last 1-2 years. The malware was initially sold in various underground forums and marketplaces, as well as it’s very own site (now defunct)  Agent Tesla, like many of its contemporaries, offered both the malware itself as well a management panel for administration and data collection and management. Information harvested from infected devices quickly becomes available for the attacker via the panel interface.

When originally launched, various ‘packages’ were available for purchase. Each package was basically differentiated by the license duration and build/update access. At the time, pricing was quite competitive with a 1 month license selling for $12.00 USD all the way up to 6 month licenses going for $35.00. It is also worth noting that, like many other tools of this nature, cracked and leaked versions of Agent Tesla were quick to appear.

Early versions of Agent Tesla also touted the full suite of features as one would expect to find in a modern RAT, including:

  • Multi Language Support
  • PHP Web Panel
  • Automatic Activation upon payment (for direct customers)
  • 24/7 support
  • Stable and Fast execution
  • Multiple delivery methods for keystroke logs, screenshots, and clipboard pulls
  • Support for multiple Windows versions (XP upward)

Delivery Mechanism

Like many other threats, the primary delivery mechanism for Agent Tesla is email (phishing messages). Attackers are often timely with their social engineering lures, and the current pandemic is not off limits to the attackers. In the last few months, attackers have been observed spreading Agent Tesla via COVID-themed messages, often masquerading as information information or updates from the WHO (World Health Organization)

Actors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery. Specially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570, have been leveraged, even in present day campaigns.  These and similar exploits allow for quick delivery and execution with minimal user interaction (beyond opening the malicious documents and allowing active content to proceed)

Feature Set of New Agent Tesla Variants

Over time, additional features have been added to Agent Tesla. These improvements include more robust spreading and injection methods as well as discovery and theft of wireless network details and credentials.

Currently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files. Our analysis of a swatch of current Agent Tesla samples reveals the following list of targeted software:

  • 360 Browser
  • Apple Safari
  • Becky! Internet Mail
  • BlackHawk
  • Brave
  • CentBrowser
  • CFTP
  • Chedot
  • Chromium (general)
  • Citrio
  • Claws Mail
  • Coccoc
  • Comodo Dragon
  • CoolNovo
  • CoreFTP
  • CyberFox
  • Elements
  • Epic Privacy
  • FileZilla
  • FlashFXP
  • Flock
  • Google Chrome
  • IceCat
  • IceDragon
  • IncrediMail
  • Iridium
  • KMeleon
  • Kometa
  • Liebao
  • Microsoft IE & Edge
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • OpenVPN
  • Opera
  • Opera Mail
  • Orbitum
  • PaleMoon
  • Postbox
  • QIP Surf
  • Qualcomm Eudora
  • SeaMonkey
  • Sleipnir 6
  • SmartFTP
  • Sputnik
  • Tencent QQBrowser
  • The Bat! Email
  • Torch
  • Trillian Messenger
  • UCBrowser
  • Uran
  • Vivaldi
  • WaterFox
  • WinSCP
  • Yandex

Harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is dictated per the malware’s internal configuration, which also includes credentials (FTP or SMTP) for the attacker’s C2.

Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts.

For example, as we see in sample 4007480b1a8859415bc011e4981f49ce2ff7a7dd7e883fe70d9f304cbfefedea, a copy of RegAsm.exe (dropped into %temp%) is subsequently injected into. That new instance of RegAsm.exe is then responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see frequent use of ‘Process Hollowing’ as an injection method.  Process Hollowing allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed) with that space then being reallocated with the desired malicious code.

Some examples get a litte less creative with regards to process creation and subsequent injection. For example, in sample b74bcc77983d587207c127129cfda146644f6a4078e9306f47ab665a86f4ad13, we can observe it creating hidden folders and processes in %temp%, and using those hidden process instances for the primary infection routines, and as the persistent process (set via Registry)

/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%FolderNname.exe" /Y‎

Execution Behavior

Upon launch, the malware will begin to gather local system information, install the keylogger module, as well as initializing routines for discovering and harvesting data. Part of this process includes basic WMI queries. Examples include:

start iwbemservices::execquery - select * from win32_operatingsystem
start iwbemservices::execquery - select * from win32_processor

Recent samples, with the ability to discover wireless network settings and credentials will spawn an instance of netsh.exe after a brief sleeping period (after launch). The syntax utilized initially is:

Netsh.exe wlan show profile

Persistence is typically achieved via registry key entry or scheduled task.

For example, in sample 7ec2b40879d6be8a8c6b6ba239d5ae547604ad2605de0d2501a4cca25915afa1 a copy of the executable file is dropped into ~AppDataLocalTemp, and targeted w/ the following syntax to generate the persistent task:

Schtasks.exe /Create /TN "UpdatesxjZWstBWrIuw" /XML C:UsersxxxxxxAppDataLocalTemptmp1718.tmp"

In the sample b74bcc77983d587207c127129cfda146644f6a4078e9306f47ab665a86f4ad13, we see an example of establishing persistence via the registry. Upon launch, an instance of the malware is dropped into %temp% as a hidden file, in a hidden folder.

/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%FolderNname.exe" /Y‎

The following command is then used to create the Autorun registry key:

/c reg add "HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows" /v Load /t REG_SZ /d "%temp%FolderNname.exe.lnk" /f‎


Agent Tesla has been around for several years now, and yet we still see it utilized as a commodity in many low-to-mildly sophisticated attacks. Attackers are continually evolving and finding new ways to use tools like Agent Tesla successfully while evading detection. At the end of the day, if the goal is to harvest and steal data, attackers will go with what works; thus, we still see ‘commodity’ tools like Agent Tesla, as well as Pony, Loki and other low-hanging fruit malware being used.  When combined with timely social engineering lures, these non-sophisticated attacks continue to be successful.  Detection and prevention are key to reducing exposure to these threats.  The SentinelOne platform is fully capable of detecting and preventing Agent Tesla-based malware campaigns.

Indicators & IOCs

Modify Registry (T1112)
Subvert Trust Controls: Install Root Certificate (T1553.004)
Hide Artifacts: NTFS File Attributes (T1564.004)
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)
Process Injection: Process Hollowing (T1055.012)
Data from Information Repositories (T1213)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Process Injection (T1055)
Unsecured Credentials: Credentials In Files (T1552.001)
System Information Discovery (T1082)
Query Registry (T1012)
OS Credential Dumping (T1003)
Scheduled Task (T1053)