S0331 Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014. [1][2][3]

| Item | Value |
|---|---|
| ID | S0331 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 29 January 2019 |
| Last Modified | 21 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Agent Tesla can collect account information from the victim’s machine. [5] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Agent Tesla has used HTTP for C2 communications. [5][7] |
| enterprise | T1071.003 | Mail Protocols | Agent Tesla has used SMTP for C2 communications. [5][7][2] |
| enterprise | T1560 | Archive Collected Data | Agent Tesla can encrypt data with 3DES before sending it over to a C2 server. [4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Agent Tesla can add itself to the Registry as a startup program to establish persistence. [1][6] |
| enterprise | T1185 | Browser Session Hijacking | Agent Tesla has the ability to use form-grabbing to extract data from web data forms. [2] |
| enterprise | T1115 | Clipboard Data | Agent Tesla can steal data from the victim’s clipboard. [4][1][7][2] |
| enterprise | T1555 | Credentials from Password Stores | Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles. [3] |
| enterprise | T1555.003 | Credentials from Web Browsers | Agent Tesla can gather credentials from a number of browsers. [2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm. [3] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP. [4][2][6] |
| enterprise | T1203 | Exploitation for Client Execution | Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery. [6] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Agent Tesla has created hidden folders. [6] |
| enterprise | T1564.003 | Hidden Window | Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. [3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Agent Tesla has the capability to kill any running analysis processes and AV software. [7] |
| enterprise | T1105 | Ingress Tool Transfer | Agent Tesla can download additional files for execution on the victim’s machine. [4][5] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Agent Tesla can log keystrokes on the victim’s machine. [4][5][7][2][6] |
| enterprise | T1112 | Modify Registry | Agent Tesla can achieve persistence by modifying Registry key entries. [6] |
| enterprise | T1027 | Obfuscated Files or Information | Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult. [1] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings. [3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | The primary delivery mechanism for Agent Tesla is email phishing messages. [2] |
| enterprise | T1057 | Process Discovery | Agent Tesla can list the currently running processes on the system. [7] |
| enterprise | T1055 | Process Injection | Agent Tesla can inject into known, vulnerable binaries on targeted hosts. [6] |
| enterprise | T1055.012 | Process Hollowing | Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code. [6] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Agent Tesla has achieved persistence via scheduled tasks. [6] |
| enterprise | T1113 | Screen Capture | Agent Tesla can capture screenshots of the victim’s desktop. [4][5][1][7][2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.009 | Regsvcs/Regasm | Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity. [6] |
| enterprise | T1082 | System Information Discovery | Agent Tesla can collect the system’s computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system. [1][7][3] |
| enterprise | T1016 | System Network Configuration Discovery | Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings. [5][6] |
| enterprise | T1033 | System Owner/User Discovery | Agent Tesla can collect the username from the victim’s machine. [5][1][3] |
| enterprise | T1124 | System Time Discovery | Agent Tesla can collect the timestamp from the victim’s machine. [5] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Agent Tesla has the ability to extract credentials from configuration or support files. [6] |
| enterprise | T1552.002 | Credentials in Registry | Agent Tesla has the ability to extract credentials from the Registry. [6] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Agent Tesla has been executed through malicious e-mail attachments. [2] |
| enterprise | T1125 | Video Capture | Agent Tesla can access the victim’s webcam and record video. [5][4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. [3] |
| enterprise | T1047 | Windows Management Instrumentation | Agent Tesla has used WMI queries to gather information from the system. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0083 | SilverTerrier | [8] |
References
- [1] Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- [2] Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- [3] Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
- [4] Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- [5] The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- [6] Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- [7] Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- [8] Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.