Researchers found instances of cybercriminals using a new variant of the old keylogger and remote access trojan (RAT) called Agent Tesla.
The trojan, in use for cybercrime since 2014, is being deployed in a range of attacks, including bypassing User Account Control (UAC), and it can also evade the protections offered by Windows Defender and UAC.
UAC was introduced with Microsoft's Windows Vista and Windows Server 2008 to prevent malware attacks. However, the .NET-based keylogger 'Agent Tesla' can bypass UAC and execute a payload that triggers a multi-stage attack chain on the user's device.
Furthermore, its enhanced capabilities let it evade detection, which makes it even more dangerous. The .NET Framework was built for legitimate software development, but it can also be abused to build and launch malware.
Agent Tesla RAT
According to research by cloud security company Zscaler, Agent Tesla was built using the Quantum Builder software, which helps create malicious LNK files (Windows shortcuts). The trojan launches infected LNK files to harvest credentials, execute malicious payloads, and gain initial access.
Quantum Builder is sold for 189 euros per month, which makes it easily accessible to cybercriminals; its prices range from 189 euros to 2000 euros. It promises to produce a payload (malware that performs whatever task it is programmed to do) that appears to be a legitimate file in formats such as .png, .mp4 or .doc.
APT groups and botnets, among others, have been using Quantum Builder to create malicious payloads. It offers many features for carrying out cybercrime and boasts regular updates to its capabilities.
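Since the infection path described above starts with a Windows shortcut that masquerades as an image or document, a defender's first question is what a given .lnk file actually launches. The script below is an added example and is not code from the article, from Zscaler or from the Agent Tesla or Quantum Builder authors. It parses the ShellLinkHeader and StringData sections of a shortcut as laid out in Microsoft's MS-SHLLINK specification and flags shortcuts whose target or arguments reference a script host, whose name uses a double extension such as `photo.png.lnk`, or whose arguments carry an encoded PowerShell command. The list of script hosts, the lure extensions (taken from the formats the article names) and the two sample shortcuts built in memory are constructed for the demonstration and are not indicators from the research.

```python
"""Triage helper for Windows shortcut (.lnk) files.

Added example: not code from the article or from Zscaler. It parses the
ShellLinkHeader and StringData sections defined in Microsoft's MS-SHLLINK
specification and reports shortcuts that look like lure documents pointing
at a script host. The sample shortcuts at the bottom are constructed in memory.
"""
from __future__ import annotations

import re
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData blocks appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Interpreters that a "photo" or "document" shortcut has no business launching (constructed list)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
# Extensions the article says Quantum Builder payloads masquerade as, plus a few common lures
LURE_EXTENSIONS = (".png", ".jpg", ".mp4", ".doc", ".docx", ".pdf", ".xls", ".xlsx")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDListSize + IDList
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (its first dword is its own size)
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields: dict = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one shortcut; an empty list means nothing suspicious."""
    link = parse_lnk(data)
    haystack = " ".join(link.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    findings = []
    for host in SCRIPT_HOSTS:
        if host in haystack:
            findings.append(f"shortcut launches script host {host}")
    stem = filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith(LURE_EXTENSIONS):
        findings.append(f"double-extension lure name: {filename}")
    if re.search(r"-enc(?:odedcommand)?\b", haystack):
        findings.append("arguments carry an encoded PowerShell command")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shell link carrying only StringData (test input only)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return bytes(header) + body


# Constructed samples: one lure-style shortcut and one benign shortcut
SAMPLES = {
    "holiday.png.lnk": build_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-w hidden -enc BASE64_PLACEHOLDER",
    ),
    "Notes.lnk": build_lnk(r"..\Documents\notes.txt", ""),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_lnk(name, blob) or "clean")
```

Run against a directory of shortcuts pulled from mail attachments or download folders, `triage_lnk` gives a quick first-pass list for an analyst; shortcuts that carry a LinkTargetIDList but no RelativePath string will need the IDList decoded as well, which this minimal parser deliberately skips.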
Variants of Agent Tesla
AgenTesla, AgentTesla and Negasteal are some of the names associated with Agent Tesla malware.
While no specific gang or group has been confirmed to use this malware, it has been linked to the Lazarus Group because of similarities in source code and in tactics, techniques and procedures (TTPs).