Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.
Typically spread through social engineering lures, the Windows spyware not only now targets Microsoft’s Antimalware Scan Interface (AMSI) in an attempt to defeat endpoint protection software, it also employs a multi-stage installation process and makes use of Tor and Telegram messaging API to communicate with a command-and-control (C2) server.
Cybersecurity firm Sophos, which observed two versions of Agent Tesla — version 2 and version 3 — currently in the wild, said the changes are yet another sign of Agent Tesla’s constant evolution designed to make a sandbox and static analysis more difficult.
“The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers,” Sophos researchers noted.
A .NET based keylogger and information stealer, Agent Tesla has been deployed in a number of attacks since late 2014, with additional features…