According to reports, new Agent Tesla malware variants are using fresh techniques to try to defeat endpoint antivirus protection.
The Windows spyware now targets Microsoft’s Antimalware Scan Interface (AMSI) in a bid to beat endpoint protection software, while also employing a multi-stage installation process and using Tor and the Telegram messaging API to communicate with a command-and-control (C2) server.
Cybersecurity firm Sophos said the changes are yet another sign of Agent Tesla’s continuous evolution, intended to make sandbox and static analysis harder.
Agent Tesla, first seen in 2014, is a commercial remote access trojan (RAT) written in .NET and a well-known information stealer. The malware is often spread through phishing campaigns and malicious email attachments and is used to harvest account credentials, steal system data, and give attackers remote access to an infected PC.
“The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers,” Sophos researchers said.
Agent Tesla has been deployed in a number of attacks since late 2014, with additional features added over time that let it monitor and capture the victim’s keyboard input, take screenshots, and exfiltrate credentials stored by various software such as VPN clients, FTP and email clients, and web browsers.