A new version of the remote access Trojan known as Agent Tesla has resurfaced, this time distributing what researchers have found is an updated version of the malware by using an infected email attachment that aims to steal everything from username and password credentials to a victim’s cryptocurrency.
This malware is actually pretty common and has been around since at least 2014. Researchers at Fortinet in a newly published threat research report note that it’s via a Microsoft Excel document attached to a spam email whereby the malware downloads and executes several pieces of code. “This malware,” the researchers explain, “is used to hijack bitcoin address information and deliver a new variant of Agent Tesla onto the victim’s device.” Regarding Agent Tesla, the researchers continue: “Most attackers like to spread malware in phishing emails. As a result, new phishing campaigns are detected every day by FortiGuard Labs. People should be more careful when opening files attached to email.”
Per reporting from ZDNet, the email that’s used as a vector for this attack is crafted to resemble a legitimate business email, with one such sample malicious email as part of this campaign including an Excel attachment titled “Order Requirements and Specs” that the recipient is asked to open. Once they do so, Agent Tesla is downloaded onto the victim’s machine.
Earlier this year, Sophos researchers warned that Agent Tesla is a particularly resilient and pernicious threat. “For many months, it has remained among the top families of malware in malicious attachments caught by Sophos. Because of this sustained stream of Agent Tesla attacks, we believe that the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.” It was also noted that among the new abilities of this updated Agent Tesla variant is that it can now take data from the Windows clipboard, in addition to the number of applications it can target having been expanded “considerably.”
The protections that are recommended to help keep users safe from threats like these are the same as always and no surprise. Sophos, for example, notes that the email accounts used to spread Agent Tesla tend to be legitimate accounts that have been compromised. For that reason, one should never click open an email thoughtlessly, nor automatically open any attachments those emails contain. “Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify attachments before opening them,” Sophos adds.
Related coverage: