Agent Tesla malware evades security controls to infect systems

The weakest link in malware prevention is still the average user

Security researchers have discovered new evasive techniques that operators of the Agent Tesla information stealer and Remote Access Tool (RAT) are using.

According to a new report from Sophos, the malware’s more recent versions use many methods to make sandbox and static analysis more difficult and evade endpoint detection.

The report also found Agent Tesla’s RAT malware altered code in Microsoft’s Antimalware Scan Interface (AMSI) so AMSI-enabled endpoint security protection doesn’t work, allowing the payload to download, install, and run without being blocked.

According to the report, the malware usually arrives in a malicious spam email as an attachment, such as a .zip compressed file the attacker claims contains a catalog for the recipient to review.

Researchers said the downloader also tries to get the memory address of AmsiScanBuffer: it loads Windows’ amsi.dll with the LoadLibraryA function to get the DLL’s base address, then calls GetProcAddress with that base address and the “AmsiScanBuffer” procedure name to get the address of the function.

According to the report, once Agent Tesla gets the AmsiScanBuffer address, it patches the first 8 bytes of this function in memory. The patch’s effect on the AmsiScanBuffer routine forces AMSI to return an error (code 0x80070057), making all the AMSI memory scans appear to be invalid.

“This sabotages endpoint protection software dependent on AMSI, by essentially making them skip further AMSI scans for dynamically loaded assemblies within the Agent Tesla process,” researchers said.

They added that since this happens early in the first stage downloader’s execution, it renders ineffective any AMSI protection against the subsequent components of the downloader, the second-stage loader, and the Agent Tesla payload itself.
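A defender can look for this kind of tampering by comparing the first 8 bytes of AmsiScanBuffer, as read from a process's memory, with the same bytes in the on-disk amsi.dll. The Python below is an added example, not code from Sophos or the original article; the function names and the sample image are constructed for illustration, and it assumes the analyst already has the function's RVA (function address minus module base) and the in-memory bytes, for instance from a memory capture.

```python
import struct

PATCH_WINDOW = 8  # the report says the first 8 bytes of AmsiScanBuffer are overwritten

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map a relative virtual address to a file offset via the PE section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)            # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)       # SizeOfOptionalHeader
    table = nt + 24 + opt_size
    for i in range(nsec):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + rsize:
            return rptr + (rva - vaddr)
    raise ValueError("RVA is not backed by file data")

def tampered_offsets(disk_image: bytes, func_rva: int, mem_bytes: bytes) -> list:
    """Offsets in the function's first PATCH_WINDOW bytes where memory differs from disk."""
    if len(mem_bytes) < PATCH_WINDOW:
        raise ValueError("need at least PATCH_WINDOW bytes from memory")
    off = rva_to_offset(disk_image, func_rva)
    clean = disk_image[off:off + PATCH_WINDOW]
    return [i for i, (d, m) in enumerate(zip(clean, mem_bytes)) if d != m]

def build_sample_image(code: bytes) -> bytes:
    """Constructed PE-like image with only the fields read above: one section
    at RVA 0x1000 stored at file offset 0x200. Not a real amsi.dll."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 1)                    # one section
    struct.pack_into("<8s4I", img, 0x98, b".text", len(code), 0x1000, len(code), 0x200)
    return bytes(img) + code

if __name__ == "__main__":
    clean_code = bytes(range(0x10, 0x20))                   # constructed stand-in bytes
    image = build_sample_image(clean_code)
    untouched = clean_code[:8]
    overwritten = b"\xCC" * 8                               # placeholder, not the real patch
    print(tampered_offsets(image, 0x1000, untouched))       # []
    print(tampered_offsets(image, 0x1000, overwritten))     # [0, 1, 2, 3, 4, 5, 6, 7]
```

Bytes covered by base relocations or by a security product's own hooks can differ legitimately, so a mismatch is a lead to investigate rather than proof of tampering.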

Sean Gallagher, senior security researcher at Sophos, said that Agent Tesla malware has been active for more than seven years, yet it remains one of the most common threats to Windows users. 

“It has been among the top malware families distributed via email in 2020. In December, Agent Tesla payloads accounted for around 20% of malicious email attachment attacks intercepted by Sophos scanners. A variety of attackers use the malware to steal user credentials and other information from targets through screenshots, keyboard logging and clipboard capture,” he added.

Chris Hauk, consumer privacy champion at Pixel Privacy, told IT Pro that malware like Agent Tesla once again underscores that the weakest link in any line of malware defense is the average user. 

“Until users are educated and convinced not to open attachments or click links in emails and text messages, malware like Agent Tesla will continue to inflict itself on networks,” Hauk said.
