Article Malware Security

Agent Tesla : Malware in Microsoft Office files

Agent Tesla is a professional malware that spies on its victims. It is spyware and its particularity is to be persistent thanks to its spyware.

Discovered for the first time in 2014, it is back in the TOP 5 of the most analysed malwares these last weeks. The DFi security team has recently noticed an increase in attacks linked to this type of malware.

Its preferred vector of infection is email. Most of the time, a fraudulent email is sent to victims with an attachment (similar to other current malware) of the Microsoft Office type (Word, Excel, etc.).

When the document is opened, it is asked to activate the macros so that the malware can spread:

Whatever its origin, when it is first executed, the malware performs persistence actions (using Auto-Run group and/or scheduled tasks) so that it is restarted each time the machine is started.

Process of setting up its persistence :

  • Creation of a folder in %APPDATA% with a “random” name (string of characters with no direct meaning)
  • The malware executable is placed in the created folder
  • Creation of a registry key of type REG_SZ in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\” pointing to the executable in %APPDATA%

or

  • Creating a scheduled task to launch the executable placed in %APPDATA% at system startup

To create doubt, a succession of processes are created and executed before arriving at the final executable that operates on the victim’s machine. Furthermore, in order to bypass antivirus software, all elements of the malware are offended.

In its operation, Agent Tesla, once launched on a machine, is able to :

  • Read keyboard keys (keylogger)
  • Read the clipboard (and modify it)
  • Steal user information
  • Steal stored data (browser passwords, cryptocurrency wallets, browser cookies, form data, etc.)
  • Steal FTP client login information (Filezilla, etc.)
  • Stealing VPN client credentials (Open-VPN, etc.)
  • Steal email credentials (IMAP, POP3, SMTP)
  • Record audio (PC microphone) and video (webcam)
  • Take screenshots

The malware uses different ways to exfiltrate data: SMTP, FTP, HTTP, TOR or Telegram. Depending on its version and what it can do on the victim’s machine.

Example of an attack :

Receiving a phishing email

Opening a Word file and activating the macros

Execution of the macro: download and execution of a first process by the malware

Cascading execution of several processes: deployment of the malicious strain

Setting up persistence and collecting initial data

Sending data to the remote server through HTTP

Recurrent sending of information to the attacker

In this example, the user receives a malicious email containing an attachment: a Word file. He opens it and receives a request to activate macros. The user realises that the file is in fact empty and closes it. When the file is closed, the macro is executed: a first executable is downloaded and executed.

The first executable of the malware contained in the macro is an element allowing to download another one A succession of executables (DLLs) are then downloaded and launched. Thus the malware is deployed on the victim’s system.

The last executable will then act to :

  • Download the latest version of the malware
  • Set up persistence by adding a registry key

Once the malware is in place, it will start to retrieve all available data. Once it has finished collecting information, it sends all the data in HTTP to the attacker’s server. Using persistence and keylogger capabilities, the malware will continue to send the information to the attacker on a recurring basis.

To avoid this situation, we recommend that you take the following preventive actions into consideration :

  • Make users as aware as possible
  • Never save data in browsers
  • Have a threat detection solution such as EPP or EDR
  • Apply a strong and unique password policy including the use of 2FA
  • Implement a registry key macro restriction policy (if possible)

And above all, always remain vigilant.

Appendix :

You can find the TTP of the Agent Tesla malware on the MITRE ATT&CK website: here

Glossary :

Malware: A general term for malicious software.

Spyware: Term for spyware / spyware

Keylogger : Software or part of malware that captures keystrokes

EPP : Endpoint Protection Platform

EDR : Endpoint Detection and Response

2FA : Two-factor authentication system (SMS, token, etc.)

TTP : Tactics Techniques Procedures

(Source : MITTRE ATT&CK)