Agent Tesla

Agent Tesla is a modular monitoring tool written in .NET that is currently sold online as a legal keylogger for personal use. It first appeared on a Turkish-language WordPress site in 2014 and has since seen a surge of activity through its current domain, agenttesla-dot-com. Buyers can purchase the software cheaply ($15-$69) and choose between packages offering different levels of support and functionality. The official site claims that licenses used for malicious purposes will be revoked; however, Agent Tesla’s 24-hour support staff on Discord have instructed users on ways to use the software maliciously, including evading anti-virus detection, bundling the software inside other files (such as Microsoft Office documents), and exploiting vulnerabilities to deploy it covertly. Agent Tesla includes a user-friendly, detailed control panel that lets buyers choose which software and applications to target once deployed.

Agent Tesla’s purpose is to steal information and send it back to a C2 (command-and-control) server. It can extract user credentials from browsers, mail clients, and FTP (File Transfer Protocol) clients; log clipboard data; capture the device’s screen; record video; and capture form data. It can also auto-start after system reboots, delay its own execution, and disable important utilities such as Task Manager.

The following are applications and services that Agent Tesla can monitor for passwords:

  • Chrome

  • Firefox

  • Internet Explorer

  • Yandex

  • Opera

  • Outlook

  • Yahoo

  • Thunderbird

  • IncrediMail

  • Eudora

  • FileZilla

  • WinSCP

  • FTP Navigator

  • Paltalk

  • Internet Download Manager

  • JDownloader

  • Apple keychain

  • SeaMonkey

  • Comodo Dragon

  • CoolNovo

  • Torch

  • UC Browser

  • Flock

  • TheBat!

  • PocoMail

  • FoxMail

  • Opera Mail

  • Pidgin

  • NO-IP

  • PostBox

  • CoreFTP

  • FTPCom

  • IDM

  • FlashFXP

  • WS_FTP

  • SmartFTP

  • DynDNS

Cisco reports that Agent Tesla was distributed alongside Loki as part of a malware campaign in October 2018. The delivery chain exploits CVE-2017-0199 and CVE-2017-11882 to execute arbitrary code: a malicious Word document downloads and opens an RTF file. Delivery of this malware also uses several other file formats: EXE, XLS, DOC, DOCX, and VBS. Only Windows devices with Microsoft Office installed are affected.
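The behaviours described above (auto-start after reboot, disabling Task Manager, and an Office document that spawns the next stage) are all visible in host telemetry. The following is an added example, not code from the original profile or from any vendor report, showing a small detection pass over constructed, Sysmon-style events. The event format, the field names (`id`, `image`, `parent`, `cmd`, `key`, `value`) and the sample paths are assumptions; the event numbers follow Sysmon's convention of ID 1 for process creation and ID 13 for a registry value being set. The three rules flag a Run-key persistence write, the DisableTaskMgr policy value being set to 1, and a Word process starting a non-Office child.

```python
"""Added example: host-based detection of the Agent Tesla behaviours described in
the text, run over constructed Sysmon-style events. Field names and the sample
events are assumptions, not real telemetry."""
import re

# Constructed sample events (key=value pairs separated by '|'), not real log data.
# Only lines 2, 4 and 5 should produce alerts.
SAMPLE_EVENTS = [
    r"id=1|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|parent=C:\Windows\explorer.exe|cmd=WINWORD.EXE invoice.docx",
    r"id=1|image=C:\Windows\System32\cmd.exe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd=cmd /c start %TEMP%\update.exe",
    r"id=1|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmd=notepad.exe",
    r"id=13|image=C:\Users\alice\AppData\Roaming\update.exe|key=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update|value=C:\Users\alice\AppData\Roaming\update.exe",
    r"id=13|image=C:\Users\alice\AppData\Roaming\update.exe|key=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr|value=DWORD (0x00000001)",
    r"id=13|image=C:\Windows\System32\svchost.exe|key=HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start|value=DWORD (0x00000002)",
]

# Office host processes whose children deserve scrutiny (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Registry paths behind the two host-side behaviours named in the text.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DISABLE_TASKMGR_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict. Only the first '=' in each part is the separator."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_child(ev: dict):
    """Delivery: an Office process launching something that is not Office."""
    if ev.get("id") != "1":
        return None
    parent = basename(ev.get("parent", ""))
    child = basename(ev.get("image", ""))
    if parent in OFFICE_IMAGES and child not in OFFICE_IMAGES:
        return f"office-spawn: {parent} started {child} ({ev.get('cmd', '')})"
    return None


def rule_run_key(ev: dict):
    """Persistence: a value written under a Run/RunOnce key."""
    if ev.get("id") != "13":
        return None
    if RUN_KEY_RE.search(ev.get("key", "")):
        return f"persistence: Run key set by {basename(ev.get('image', ''))} -> {ev.get('value', '')}"
    return None


def rule_disable_taskmgr(ev: dict):
    """Defense evasion: DisableTaskMgr policy set to a non-zero DWORD."""
    if ev.get("id") != "13":
        return None
    if not DISABLE_TASKMGR_RE.search(ev.get("key", "")):
        return None
    match = re.search(r"0x([0-9a-fA-F]+)", ev.get("value", ""))
    if match and int(match.group(1), 16) != 0:
        return f"defense-evasion: DisableTaskMgr set by {basename(ev.get('image', ''))}"
    return None


RULES = [rule_office_child, rule_run_key, rule_disable_taskmgr]


def detect(lines) -> list:
    """Run every rule over every event; return the alert strings in event order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow: the Office-child rule will also fire on benign add-ins and print drivers, so in practice it is paired with an allow-list, while the Run-key and DisableTaskMgr rules are low-noise on most endpoints and are the ones worth alerting on directly.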

On October 30th, 2018, Agent Tesla’s official site posted a notice stating that product sales were temporarily suspended. The notice states that many malicious accounts have been banned from using the software and that more careful measures will be taken in future when licensing the product. The operators also claim to have removed certain functionality: webcam capture, process killing, downloaders, persistence, and anti-antivirus measures.

Reporting and Technical Details

  • January 2018: Analyzing an Agent Tesla campaign: from a word document to the attacker credentials (ThisIsSecurity)

  • August 2018: Agent Tesla activity spikes 100% in 3 months (Lastline)

  • October 2018: Who Is Agent Tesla? (KrebsonSecurity)

Image Source: Lastline