Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Agent Tesla can collect account information from the victim’s machine.[4] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Agent Tesla has used HTTP for C2 communications.[4][5] |
| .003 | Application Layer Protocol: Mail Protocols |
Agent Tesla has used SMTP for C2 communications.[4][5][2] |
||
| Enterprise | T1560 | Archive Collected Data |
Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[6] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Agent Tesla can add itself to the Registry as a startup program to establish persistence.[1] |
| Enterprise | T1115 | Clipboard Data |
Agent Tesla can steal data from the victim’s clipboard.[6][1][5][2] |
|
| Enterprise | T1555 | Credentials from Password Stores |
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[3] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[3] |
|
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[6][2] |
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Agent Tesla has used |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Agent Tesla has the capability to kill any running analysis processes and AV software.[5] |
| Enterprise | T1105 | Ingress Tool Transfer |
Agent Tesla can download additional files for execution on the victim’s machine.[6][4] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Agent Tesla can log keystrokes on the victim’s machine.[6][4][5][2] |
| Enterprise | T1185 | Man in the Browser |
Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[2] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[1] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[3] |
|
| Enterprise | T1057 | Process Discovery |
Agent Tesla can list the current running processes on the system.[5] |
|
| Enterprise | T1113 | Screen Capture |
Agent Tesla can capture screenshots of the victim’s desktop.[6][4][1][5][2] |
|
| Enterprise | T1082 | System Information Discovery |
Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[1][5][3] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Agent Tesla can collect the IP address of the victim machine.[4] |
|
| Enterprise | T1033 | System Owner/User Discovery |
Agent Tesla can collect the username from the victim’s machine.[4][1][3] |
|
| Enterprise | T1124 | System Time Discovery |
Agent Tesla can collect the timestamp from the victim’s machine.[4] |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Agent Tesla has been executed through malicious e-mail attachments [2] |
| Enterprise | T1125 | Video Capture |
Agent Tesla can access the victim’s webcam and record video.[4][6] |
|
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Agent Tesla has he ability to perform anti-sandboxing and anti-virtualization checks.[3] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0083 | SilverTerrier |
References
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.