A new variant of an old trojan is active again, putting passwords and Windows PCs at risk. The Remote Access Trojan (RAT) itself is not new; it has been around for quite a while. However, a new phishing campaign is currently delivering a customized variant of it, aimed at stealing passwords and other sensitive information.
Agent Tesla – A Remote Access Trojan Resurfaces
This RAT, famously known as Agent Tesla, was not built from scratch for this particular phishing campaign. It has been causing damage since 2014.
So, what is Agent Tesla? It is basically a keylogger. The main purpose of such malware is to record the keystrokes of a user as they type on a keyboard. Everything is written to a file (without the user’s knowledge, of course), which is then transmitted back to the hacker’s server when the system is inactive / not in use, typically at midnight.
Security researchers have now discovered an active phishing campaign that uses this keylogging remote access trojan. By spying on keystrokes, the RAT steals usernames, passwords, and other sensitive information the user types. It is mainly active on Windows machines.
The RAT is delivered to victims via phishing emails disguised as business correspondence. Some of the emails carry click-bait attachments with titles like “Order Requirements and Specs”. The attachments range from MS Excel files to MS Word files. As is common with malicious payloads, the files contain macros (snippets of dangerous code) that are triggered when the user interacts with the attachment. The macros download the remote access trojan onto the machine, and the RAT then starts its work of monitoring keystrokes.
Agent Tesla works in stages. First it downloads PowerShell scripts, which schedule the nightly communication with the hacker’s server. Along with the scheduled reports, the trojan also runs frequent scans and pings the hacker whenever new input is detected. This allows the hacker to surreptitiously spy on whatever the user is typing.
Moreover, the remote access trojan also targets any bitcoin wallets active on the victim’s device. The PowerShell script watches for a valid bitcoin address; if one is found, the hacker modifies it to point to his own account, hijacking cryptocurrency transfers and redirecting them to his own accounts.
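The two stages described above (an Office macro launching PowerShell, then PowerShell registered as a nightly scheduled task) are the behaviours a defender can look for in endpoint telemetry. The following is an added example, not code from the original article; the event field names, thresholds and sample events are assumptions, not a real telemetry schema.

```python
import re
from datetime import time

# Constructed detection logic for the delivery chain in the article: an Office macro
# spawning PowerShell, then PowerShell registered as a nightly scheduled task.
# Field names and sample events are assumptions, not a real telemetry schema.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

def basename(path):
    """File name of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]

def office_spawned_script_host(event):
    """Process creation whose parent is an Office app and whose child is PowerShell."""
    return (basename(event.get("parent_image", "")) in OFFICE_PARENTS
            and basename(event.get("image", "")) in SCRIPT_HOSTS)

def nightly_powershell_task(event):
    """Task registration: PowerShell action triggered between 23:00 and 01:00."""
    action = event.get("task_action", "").lower()
    if not any(host in action for host in SCRIPT_HOSTS):
        return False
    m = re.fullmatch(r"(\d{2}):(\d{2})", event.get("trigger_time", ""))
    if not m:
        return False
    t = time(int(m.group(1)), int(m.group(2)))
    return t >= time(23, 0) or t <= time(1, 0)

def triage(events):
    """Return (detection_name, host) for every event that matches a heuristic."""
    hits = []
    for e in events:
        if e["type"] == "process_create" and office_spawned_script_host(e):
            hits.append(("office_macro_spawned_powershell", e["host"]))
        elif e["type"] == "task_registered" and nightly_powershell_task(e):
            hits.append(("nightly_powershell_task", e["host"]))
    return hits

# Constructed sample events: one infected host (ws01) and two benign hosts.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "process_create", "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "task_registered", "host": "ws01", "trigger_time": "00:00",
     "task_action": r"powershell.exe -w hidden -File C:\Users\Public\upd.ps1"},
    {"type": "task_registered", "host": "ws03", "trigger_time": "23:30",
     "task_action": r"C:\Windows\System32\cmd.exe /c backup.bat"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only ws01, once for each stage; the time window and parent list are starting points to tune against your own baseline of legitimate scheduled PowerShell jobs.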
Agent Tesla is popular among cyber criminals because of its relatively low price. A licence for the trojan can be bought on illicit markets for as little as 15 USD / 1100 INR. Additionally, the trojan’s coders offer support and guidance on usage and installation, making it ‘user-friendly’ for novice hackers.
Don’t let the RAT in your house
Everyone knows that once an actual rat is inside, it becomes a headache: setting traps, staying alert all the time, checking everywhere it has scuttled to. It is much better to keep it out in the first place.
Malware is exactly the same: best to tackle it before it gets into the system. An antivirus scan can uncover keylogger activity. Microsoft’s own built-in security will warn you when you try to open or edit potentially dangerous files. But why let it come to that? With advanced email security, you can stop phishing emails from ever becoming a bother.
Logix’s Cisco Email ATP solution uses threat intelligence to scan all inbound emails for possible dangers. Additionally, it uses a ‘reputation’ measure to ward off emails from common spam sources. With reliable reporting and protection, you stay in the loop about everything happening in your mailbox. Choose stronger gatekeeping instead of firefighting. Keep email malware at bay!