The article examines a stealthy variant of the Agent Tesla Remote Access Trojan, highlighting its advanced evasion techniques and data-stealing capabilities. It emphasizes the superiority of deep learning-based detection over traditional signature-based tools in identifying this threat early. #AgentTesla #DSXBrain
Key Points
- Agent Tesla is a Remote Access Trojan active since 2014, designed to steal keystrokes, clipboard data, and credentials.
- The latest variant uses multi-layered evasion, anti-analysis techniques, and obfuscation to avoid detection.
- It exfiltrates stolen data through Telegram, exploiting common organizational blind spots.
- Detection by the DSX Brain deep learning engine occurred a day before VirusTotal upload, outperforming legacy security vendors.
- Signature-based and behavioral detection tools struggle because Agent Tesla morphs its code and mimics legitimate system activity.
- Security teams should enhance network monitoring for abuses of legitimate platforms and improve detection across the entire attack lifecycle.
- Preemptive security approaches are recommended to keep pace with evolving threats like Agent Tesla variants.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Agent Tesla uses scripting to execute payloads and manipulate system activities (‘…can interact with the Windows registry, create temporary files, launch additional programs…’).
- [T1112] Modify Registry – The malware modifies access control lists and Windows registry entries to maintain persistence.
- [T1071] Application Layer Protocol – Data exfiltration leverages Telegram as a C2 communication channel (‘…ships everything off to its controllers using Telegram as the communication channel’).
- [T1497] Virtualization/Sandbox Evasion – The variant includes anti-analysis techniques that detect cybersecurity tools and execution timing to evade detection (‘…checks execution timing and hunt for telltale signs of cybersecurity tools’).
- [T1036] Masquerading – The malware employs obfuscation and code morphing to evade signature-based detection systems (‘…signature-based detection becomes useless when attackers can trivially modify their code to evade static analysis’).
Indicators of Compromise
- [File Hashes] Examples of unique hashes associated with the Agent Tesla variant detected, including the sample uploaded to VirusTotal and others referenced internally (hash1, hash2, and 2 more hashes).
- [Domains] Telegram used as a command-and-control channel for data exfiltration; specific Telegram domains or endpoints monitored for suspicious traffic.
- [File Names] Temporary files created by the malware during execution to facilitate persistence and data collection.
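As an added example (not code from the article or from Deep Instinct), the following Python check implements the network-monitoring recommendation above: it scans proxy logs for hosts uploading to the Telegram Bot API and reports those not on an allowlist of sanctioned bot users. The api.telegram.org hostname, the Bot API method names, the log format and the sample log lines are assumptions constructed for this example, not details taken from the article.

```python
import re
from collections import defaultdict

# Bot API methods that carry data out of the network (assumption: these are
# the upload-style calls worth alerting on; the article only names Telegram
# as the exfiltration channel).
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/(\w+)")

# Constructed proxy log lines (not from the article):
# <timestamp> <src_ip> <http_method> <url> <user_agent> <bytes_out>
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.4.21 GET https://www.example.com/ Mozilla/5.0 (Windows NT 10.0) 512
2024-05-01T09:12:09Z 10.0.4.21 POST https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendDocument Mozilla/4.0 48211
2024-05-01T09:13:40Z 10.0.4.77 GET https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/getMe Telegram-Desktop 311
2024-05-01T09:14:02Z 10.0.4.21 POST https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendDocument Mozilla/4.0 51907
"""


def parse_line(line):
    """Split one log line; the user agent may contain spaces, so the byte
    count is taken from the right end."""
    ts, src, http_method, url, rest = line.split(maxsplit=4)
    ua, bytes_out = rest.rsplit(maxsplit=1)
    return {"ts": ts, "src": src, "http": http_method, "url": url,
            "ua": ua, "bytes_out": int(bytes_out)}


def find_telegram_exfil(log_text, allowlist=frozenset()):
    """Aggregate Bot API upload calls per source host and return one finding
    per host that is not on the allowlist of hosts permitted to run bots."""
    per_host = defaultdict(lambda: {"calls": 0, "bytes_out": 0, "methods": set()})
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        m = BOT_API_RE.match(rec["url"])
        if not m or m.group(1) not in UPLOAD_METHODS:
            continue  # not a Telegram bot upload (e.g. getMe, ordinary browsing)
        if rec["src"] in allowlist:
            continue  # sanctioned automation, skip
        stats = per_host[rec["src"]]
        stats["calls"] += 1
        stats["bytes_out"] += rec["bytes_out"]
        stats["methods"].add(m.group(1))
    return [{"src": src, "calls": s["calls"], "bytes_out": s["bytes_out"],
             "methods": sorted(s["methods"])} for src, s in sorted(per_host.items())]


if __name__ == "__main__":
    for finding in find_telegram_exfil(SAMPLE_LOG):
        print(finding)
```

In practice the allowlist holds the few hosts with a business reason to call the Bot API, so any other host uploading to it becomes an alert worth triage regardless of what the binary itself looks like.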
Read more: https://www.deepinstinct.com/blog/dianna-explains-2-agent-tesla-a-better-rat