According to research published by Sophos, two updated versions of Agent Tesla, the widely used information stealer and remote access trojan (RAT), now contain new evasive techniques designed to disable endpoint protection tools on target systems before delivering malware payloads.
The new versions of Agent Tesla, which generally arrive as a malicious attachment to a phishing email, incorporate a multi-stage process. First, a .NET downloader grabs chunks of malware from legitimate third-party websites, such as Pastebin, and knits them together to build the loader that carries the final payload.
Meanwhile, it now attempts to fiddle with Microsoft’s Antimalware Scan Interface (AMSI) to disable any present AMSI-enabled endpoint protection tools that would usually block the payload from downloading, installing, and running. AMSI is a feature of Windows that lets apps and services integrate with installed security tools.
“Agent Tesla malware has been active for more than seven years, yet it remains one of the most common threats to Windows users,” said Sean Gallagher, a senior security researcher at Sophos. “It has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners. Various attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging, and clipboard capture.