The Rise of Agent Tesla
In June of 2015, incident response experts at DigiTrust were alerted to a phishing email sent to one of our client organizations. The email contained a link to an order form which was downloaded and opened by an employee. The innocent looking document was not only weaponized with a malicious payload but also contained something new our experts had not seen before.
The malicious payload was called Agent Tesla, a keylogger that could capture keystrokes and email them back to the threat actor. The further our incident response team investigated, the more apparent it became that Agent Tesla was much more than a standard keylogger.
What is Agent Tesla?
Agent Tesla is a relatively new piece of malware used for tracking keystrokes on a victim's computer. The malware can be secretly used by adversaries to collect account information, usernames, passwords, and credit card numbers. Although keyloggers are not built to extract files or remotely provide access to a system, any information typed into documents, browsers, or messaging apps can be recorded. Threat actors can take “snapshots” of keystrokes and see everything that has been typed, searched, or accessed. While Agent Tesla can perform standard keylogging functions, it also has features that set it apart from similar pieces of malware.
Access & Support
Agent Tesla has been growing in popularity for a variety of reasons, including availability and price. Agent Tesla is readily available, and pricing varies depending on where the threat actor finds it online. From forums claiming to have free “cracked” versions to www.AgentTesla[.]com providing access ranging from $9 to $30, Agent Tesla is not difficult to acquire. Threat actors downloading the keylogger directly from Agent Tesla’s website receive 24/7 support and software updates.
Delivery, Access, and Gaining Entry
The delivery of Agent Tesla onto a victim’s computer is often accomplished through phishing, or sending emails with an infected attachment. Agent Tesla also has a feature that allows it to autorun from a USB stick. Currently, Agent Tesla can only be used on Windows operating systems (all versions) while use on other platforms such as Mac or Linux is not an option.
More Than Just a Keylogger
Searching for Agent Tesla online returns pages of results providing access to or discussing Agent Tesla. When we begin to examine Agent Tesla's features, it becomes clear that this keylogger is more robust than
Beyond the Basics
The list of features and options for Agent Tesla is extensive. For clarity and cohesiveness, we have outlined some of the core features and functions in this article. While keyloggers were once only known for capturing keystrokes, Agent Tesla has expanded its capabilities far beyond the standard.
The ability to do more than just record keystrokes is beyond the standard functionality of most keyloggers. Agent Tesla has a "downloader" feature, allowing the adversary to download and run files on a victim's system. This feature alone shows that Agent Tesla could be used for more involved intrusions than a standard keylogger.
The primary goal of recording keystrokes is to gain valuable information such as username and passwords. Agent Tesla has a password recovery tool used to steal passwords from all major browsers including Chrome, Firefox, Internet Explorer, Opera, and Yandex.
Examining Agent Tesla’s settings shows that it has a desktop and webcam capture feature in addition to the keylogger. These controls can be toggled on and off during the setup of Agent Tesla, before it is sent to a potential target.
In short, Agent Tesla can capture snapshots of the victim's keystrokes, their desktop, and pictures from their webcam.
Desktop, WebCam, Clipboard
Most keyloggers have multi-language support, usually supporting three to five languages. Agent Tesla claims to support all languages; an entire list is not provided, but if this is true, it only increases the pool of threat actors who will be using Agent Tesla.
Customization & Control
There are two main pieces to using Agent Tesla. The first is the interface allowing for customization of Agent Tesla's functions.
If a threat actor wants to customize Agent Tesla before sending it to a potential target, this interface allows them this flexibility. Everything from the visibility of the install to how the victim will interact with Agent Tesla is controlled from this interface.
The second piece is the actual dashboard of Agent Tesla. The threat actor monitors the connected systems and controls Agent Tesla from this dashboard. The dashboard is a command center, and the adversary is at the controls. Let’s take a look at both the interface and the dashboard.
Agent Tesla needs to be enabled (turned on) by the target themselves; this can require a level of obfuscation. Agent Tesla can create a false message to trick the target into providing access. The false message might read “Update Adobe Flash Player”; once the target clicks “OK,” they have just told the computer to install Agent Tesla.
Composing Fake Messages
The following shows how Agent Tesla can create a fake pop-up message to deceive a target. The threat actor can create a heading (#1), a message for the pop-up box (#2), and can even include a particular icon (#3). The result is a fake pop-up message used to trick the victim into installing Agent Tesla.
The resulting false message created by Agent Tesla.
The Command Center
The dashboard is a single window with simple navigation tools providing the adversary a clear view of their connected “clients.”
All collected information such as keystroke logs (#1), time stamps (#2), and IP addresses (#3) can be found in the dashboard. The column on the left side of the dashboard allows for quick access to collected passwords, screenshots, and keystrokes (#4).
Agent Tesla will keep logs of the victim's keystrokes and where those keystrokes occurred.
If the victim opens Notepad, Outlook, or even Facebook, the blue text tells the adversary where these keystrokes were made. Standard black text with no formatting will indicate the actual written text of the victim, such as a username or password. The final indicator color is green; the green text shows the function keys that were used.
The Danger of Automation
The ability to automate may be one of the most dangerous features of Agent Tesla. An adversary can automate the keylogger to take snapshots of keystrokes, the desktop, and webcam images at timed intervals. If the threat actor wanted to take a snapshot every 10 minutes, Agent Tesla could do just that. The adversary can view what was collected in the Agent Tesla logs (or via email) and keep the information they find most valuable.
Although Agent Tesla is not completely hands off, any level of automation can make collecting information faster and simpler for adversaries. Automation, interface simplicity, and advanced features are just some of the reasons Agent Tesla’s use has expanded in 2015 and 2016.
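Because the captured data is emailed back to the threat actor on a fixed schedule, the regular outbound mail connections from a workstation are one of the few network-visible traces of this automation. The following is an added detection example, not code from the article or from DigiTrust: it runs over constructed firewall log lines (the `src=`/`dst=`/`dport=` format is an assumption) and flags host-to-destination pairs that contact a mail port at a near-constant interval.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the article). ws-0142 reaches an
# external mail server every ~10 minutes; ws-0077 sends twice, irregularly.
SAMPLE_LOG = """\
2015-06-10T09:00:02 src=ws-0142 dst=203.0.113.25 dport=587 action=allow
2015-06-10T09:03:11 src=ws-0142 dst=198.51.100.8 dport=443 action=allow
2015-06-10T09:10:01 src=ws-0142 dst=203.0.113.25 dport=587 action=allow
2015-06-10T09:20:03 src=ws-0142 dst=203.0.113.25 dport=587 action=allow
2015-06-10T09:30:02 src=ws-0142 dst=203.0.113.25 dport=587 action=allow
2015-06-10T09:15:44 src=ws-0077 dst=203.0.113.90 dport=587 action=allow
2015-06-10T11:42:10 src=ws-0077 dst=203.0.113.90 dport=587 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission


def parse_mail_connections(log):
    """Group mail-port connection timestamps by (source host, destination IP)."""
    events = defaultdict(list)
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, src, dst, dport = match.groups()
        if int(dport) in MAIL_PORTS:
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in events.items()}


def periodic_senders(log, min_events=3, jitter_seconds=30):
    """Return (src, dst, interval_seconds) for pairs whose mail connections
    recur with gaps that vary by no more than jitter_seconds."""
    findings = []
    for (src, dst), times in parse_mail_connections(log).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            findings.append((src, dst, round(sum(gaps) / len(gaps))))
    return findings


if __name__ == "__main__":
    for src, dst, interval in periodic_senders(SAMPLE_LOG):
        print(f"{src} -> {dst}: mail connection every ~{interval}s")
```

Workstations normally submit mail through the organization's mail server, so direct connections from an endpoint to an external mail port are worth review even before periodicity is considered.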
What To Do?
To protect against Agent Tesla, we need to be cautious in opening our email attachments or visiting unknown web links. However, if a keylogger was already inside the system, what would we do? How would we know? When we begin to ask these questions at the enterprise or organizational level, the answers can become much more involved. With malware like Agent Tesla having the ability to download and run additional malware, the possible damage extends beyond collecting keystrokes. Although there are several pieces of software claiming to be able to find keyloggers, these tools are not able to establish any situational context to understand how deep the intrusion may go.
Security Automation, The Hard Truth
Full automation in information security is not yet a reality, which is precisely why security software may only eliminate the symptom as opposed to alleviating the root of the problem. Automated security software cannot determine or evaluate the context behind an intrusion. Security experts need to build as much context as possible around incidents involving malware like Agent Tesla to effectively investigate, contain, and remediate.
By performing incident response, we can understand the complete who, what, when, where, and why of Agent Tesla within a victim's system. The ability to root-cause provides a better chance of a thorough recovery and better protection against such intrusions in the future. DigiTrust’s people, processes, and technology are dedicated to not just finding the needle in the haystack, but getting to the root of intrusions like Agent Tesla and eliminating it.
The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.