According to security researchers at Sophos, Agent Tesla is using new delivery and evasion techniques to get around endpoint security and defensive barriers. Where the Trojan formerly relied on social engineering lures alone, the Windows spyware now targets Microsoft's Antimalware Scan Interface (AMSI) to get past endpoint protection software.
It also uses a multi-stage installation process and communicates with its command-and-control (C2) infrastructure over Tor and the Telegram messaging API, which helps it evade detection.
How Agent Tesla bypasses sandbox defenses and malware scanners
SophosLabs has been tracking Agent Tesla and the various actors using the malware, including those behind the recent RATicate campaigns.
The researchers discovered new variants in a growing number of attacks; as recently as December 2020, Agent Tesla accounted for about 20 percent of the email phishing attacks detected in Sophos customer telemetry. The variants are tracked as Agent Tesla v2 and v3; the key differences between them are that v3 offers more C2 options and has a higher success rate against security defenses.
The multi-stage installation process has also received a significant upgrade: the first-stage malware downloader now attempts to modify the code of the Antimalware Scan Interface (AMSI) so that second-stage malicious payloads, such as those fetched from Pastebin, are not scanned.
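As an added example (not Sophos' code or the article's), here is a defender-side correlation over constructed web-proxy log lines for the chain described above: a second-stage fetch from a Pastebin raw URL followed by a call to the Telegram Bot API. The log format, client IPs and bot tokens are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) proxy log format: "<ISO time> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Second-stage payload hosted on Pastebin (raw paste URL).
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/\w+")
# Telegram Bot API calls carry the bot token in the path: /bot<id>:<secret>/<method>.
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/(sendDocument|sendMessage)")
WINDOW = timedelta(minutes=10)  # max gap between the fetch and the Telegram call

def parse(line):
    """Return (timestamp, client_ip, method, url) for one line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return datetime.fromisoformat(ts), client, method, url

def stage_of(url):
    """Classify a URL as 'paste_fetch', 'telegram_bot', or None."""
    if PASTEBIN_RAW.match(url):
        return "paste_fetch"
    if TELEGRAM_BOT.match(url):
        return "telegram_bot"
    return None

def detect(lines):
    """Return {client_ip: severity}: 'high' if a Pastebin raw fetch is followed within
    WINDOW by a Telegram Bot API call; 'low' for either alone (both services are legitimate)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, _method, url = rec
        stage = stage_of(url)
        if stage:
            events[client].append((ts, stage))
    verdict = {}
    for client, evs in events.items():
        fetches = [t for t, s in evs if s == "paste_fetch"]
        calls = [t for t, s in evs if s == "telegram_bot"]
        chained = any(timedelta(0) <= c - f <= WINDOW for c in calls for f in fetches)
        verdict[client] = "high" if chained else "low"
    return verdict

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2020-12-01T09:00:01 10.0.0.5 GET https://pastebin.com/raw/AbCd1234",
    "2020-12-01T09:03:12 10.0.0.5 POST https://api.telegram.org/bot123456789:EXAMPLE-TOKEN/sendDocument",
    "2020-12-01T09:05:00 10.0.0.7 GET https://www.example.com/index.html",
    "2020-12-01T10:30:00 10.0.0.9 POST https://api.telegram.org/bot987654321:OTHER-TOKEN/sendMessage",
]
```

The Tor leg of the C2 path would not show up in a web-proxy log in this form, so pair this check with monitoring of Tor egress.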
How IT admins can safeguard against Agent Tesla
Agent Tesla spreads mainly through email attachments, so organizations should deploy an email security solution that detects and blocks suspicious emails and attachments before they reach employees' inboxes.
Organizations should also implement recognized email authentication standards to verify that messages are what they claim to be, and continually train employees to spot suspicious emails and to know what to do when they receive them.