Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Agent Tesla has used WMI queries to gather information from the system.[2] |
| Enterprise | T1555 | Credentials from Password Stores | Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[3] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Agent Tesla can gather credentials from a number of browsers.[2] |
| Enterprise | T1112 | Modify Registry | Agent Tesla can achieve persistence by modifying Registry key entries.[4] |
| Enterprise | T1115 | Clipboard Data | Agent Tesla can steal data from the victim’s clipboard.[5][1][6][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Agent Tesla can add itself to the Registry as a startup program to establish persistence.[1][4] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Agent Tesla has the capability to kill any running analysis processes and AV software.[6] |
| Enterprise | T1203 | Exploitation for Client Execution | Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.[4] |
| Enterprise | T1113 | Screen Capture | Agent Tesla can capture screenshots of the victim’s desktop.[5][7][1][6][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Agent Tesla has used HTTP for C2 communications.[7][6] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Agent Tesla has used SMTP for C2 communications.[8][6][2] |
| Enterprise | T1560 | Archive Collected Data | Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[5] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[5][2][4] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Agent Tesla has the ability to extract credentials from configuration or support files.[4] |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | Agent Tesla has the ability to extract credentials from the Registry.[4] |
| Enterprise | T1185 | Browser Session Hijacking | Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[1] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[3] |
| Enterprise | T1204.002 | User Execution: Malicious File | Agent Tesla has been executed through malicious e-mail attachments.[2] |
| Enterprise | T1218.009 | System Binary Proxy Execution: Regsvcs/Regasm | Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.[4] |
| Enterprise | T1082 | System Information Discovery | Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[1][6][3] |
| Enterprise | T1033 | System Owner/User Discovery | Agent Tesla can collect the username from the victim’s machine.[7][1][3] |
| Enterprise | T1124 | System Time Discovery | Agent Tesla can collect the timestamp from the victim’s machine.[7] |
| Enterprise | T1016 | System Network Configuration Discovery | Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[7][4] |
| Enterprise | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | Agent Tesla can collect names and passwords of all Wi-Fi networks to which a device has previously connected.[3] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.[3] |
| Enterprise | T1125 | Video Capture | Agent Tesla can access the victim’s webcam and record video.[7][5] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Agent Tesla can collect account information from the victim’s machine.[7] |
| Enterprise | T1105 | Ingress Tool Transfer | Agent Tesla can download additional files for execution on the victim’s machine.[5][7] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Agent Tesla can log keystrokes on the victim’s machine.[5][7][6][2][4] |
| Enterprise | T1057 | Process Discovery | Agent Tesla can list the current running processes on the system.[6] |
| Enterprise | T1055 | Process Injection | Agent Tesla can inject into known, vulnerable binaries on targeted hosts.[4] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.[4] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | The primary delivery mechanism for Agent Tesla is email phishing messages.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Agent Tesla has created hidden folders.[4] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Agent Tesla has used |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Agent Tesla has achieved persistence via scheduled tasks.[4] |