Nyotron’s PARANOID Discovers and Blocks a New “Agent Tesla” Variant

Source: Krebs on Security

Earlier this month, Nyotron’s PARANOID prevented an attack that had managed to slip past the endpoint security solution installed on one of our customer’s endpoints. According to our analysis, the attack involved a new variant of the Agent Tesla trojan. It still had that “new car smell” — appearing in the wild mere hours before PARANOID detected and blocked it. 

Agent Tesla has been hiding in plain sight for years. Brian Krebs reports it has been infecting computers since 2014, and has been surging in popularity. The developers actually sell licenses to what they claim is a legitimate product on the web site agenttesla-dot-com. They also emphasizes that Agent Tesla is strictly “for monitoring your personel [sic] computer” and “it is not a malware.” 

But as Krebs points out, “…the Agent Tesla Web site and its 24/7 technical support channel (offered via Discord) is replete with instances of support personnel instructing users on ways to evade antivirus software detection, use software vulnerabilities to deploy the product, and secretly bundle the program inside of other file types, such as images, text, audio and even Microsoft Office files.”

Make no mistake: Agent Tesla is active spyware that can result in a major loss of sensitive data and intellectual property.

Agent Tesla collects personal information from the victim’s machine, steals data from the victim’s clipboard, can log keystrokes, capture screenshots and access the victim’s webcam. All the data it obtains is sent in encrypted form via SMTP protocol. It can kill running analysis processes and AV software. The spyware also performs basic actions to check whether it is running on a virtual machine or in debug mode, in an attempt to hide its capabilities and actions from researchers.

We have published a complete analysis including screenshots of how this attack was delivered, its objectives, how it was able to slip past our customer’s endpoint security software, and how PARANOID was able to detect and block it. Follow this link to read the full report. 

Here are the broad strokes: 

  • Attack vector: The malware was delivered as an ISO file, mounted as virtual CD-ROM and executed. 
  • Attack objective: To collect information and keystrokes from the victim’s machine, in order to gain control over different accounts and systems used by the victim.

PARANOID did exactly what we designed it to do: serve as a last line of defense in an organization’s multi-layered defense system to block known and unknown malware from causing any damage. 

This case is the latest evidence that AV and other endpoint security solutions are becoming less effective at identifying new variants of known threats like Agent Tesla.

While preparing our report, we uploaded the sample to VirusTotal. On first analysis most well-known security vendors, such as McAfee, BitDefender, ESET, Microsoft, TrendMicro, Cylance and Kaspersky did not detect it as malware. 

Follow this link to download and read the full report

Rene Kolga
Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.

No posts to display