Trojan.Win32.AgentTesla.a

General Explanation

Type: Trojan

Degree of destruction: low

Prevalence: high

Used Vulnerability: CVE-2017-8570 and CVE-2017-11882

Names of the malware:

Trojan.Win32.AgentTesla.a(Padvish)

Trojan.Win32.AgentTesla.cG(Padvish)

Trojan:MSIL/AgentTesla.AL!MTB(Microsoft)

AgentTesla-FCYX!72D3FB6A5E15(McAfee)

What is Trojan?

Trojans are malware types that introduced themselves as healthy and legal software and act similar to practical and applicable software but cause many destructions to the system when executing. The downloaded software from the internet, placing HTML text, attaching to an email, etc. are ways that Trojans are using to enter the system. Contrary to viruses and computer worms, Trojans are not reproducible.

What is Agent Tesla malware?

Agent Tesla is a type of Trojans that generally distributes through malicious Office files attached to emails, and its main activities are collecting pressed keys, mouse movements, different login information, stored data in the clipboard, snapping the victim’s desktop, and sending all of this information to its server. Agent Tesla files contain a set of quantified variables that malware uses at the time of execution to embody which one of the malware features must be executed.

Technical Explanation

Signs of infection

One of the signs of infection to this malware is:

a screenshot in the %AppData% path; for example, in C:\Users\*\AppData\Roaming\ScreenShot\ScreenShot.jpg

a file with a name similar to a log. tmp that is updated by pressing a key on the keyboard or moving the mouse.

Registry key to automatically run malware which is generally in the %AppData% path.

Action

Removing the monitoring processes

Hence, this malware protects itself from any monitoring software that tries to detect and remove these kinds of software. Accordingly, it compares the name of system processes or the existing windows with the list of any monitoring software, and it will end the process if it can find any match in the list. The following list is one of the processes that Agent Tesla malware end them.

Collecting information

Agent Tesla can collect vast information from the victim’s system. The following items are repeatedly and every few seconds or minutes are collecting and sending to the malware server.

taken picture from victim’s webcam (if it exists)

Registered screen shito from the victim’s desktop

Existing data inside the clipboard

Pressed keys and the movements of the mouse

Malware strives to send the extracted registered username and password from different software in the victim’s system.

The following software is among software that malware tries to steal their information.

specifications of the victim’s system will send to the server as sending package:

current username

PC name

Operation System version

Processor specifications

RAM storage space

The IP address for the victim’s system

The malware connects to its server through the following methods:

HTTP protocol: the malware will send the desired data with the Triple-DES algorithm which is encrypted by the POST method.

SMTP protocol: collected information will be sent in the form of an HTML file to the embedded email in the malware file.

FTP protocol: the malware will upload the stolen data on its FTP server

Telegram channel: the malware will send the collected information to a telegram channel.

The other features of this malware

AgentTesla malware has other features upon the existing configuration variables which decide whether runs them. These features are:

upgrading the access level using the following registry keys:

“HKCU\software\classes\ms-settings\shell\open\command”

“HKCU\software\classes\mscfile\shell\open\command”

disabling some of the managing tools of Windows OS such as Task Manager, Folder Options, Run, Control Panel, cmd.exe, and regedit.exe

Distributing malware to Removable and CDRom drives: a version of the malware will place on these drives. The malware hides all files and directories and symmetrically creates a ‘.ink’ file for each file which will run the malware with a click.

Running the execution files: the malware extracts the existing files inside its Resource section and as the new process.

Downloading desired files, storing them inside the Temp folder, and also executing them.

Removing the malware from the victim’s system

Periodically, the malware sends the “uninstall” command to its server and it will remove itself if acceptable. Then we have the following patterns:

removing the malware file by moving it to the Temp folder

removing the adjusted registry keys for the malware

ending the malware processes

in some cases, it will shut the system down.

How to deal with this problem and disinfect the system

Padvish antivirus will detect and prevent this malware. It is recommended to prevent opening any suspicious emails, according to that one of the main ways to distribute this malware is through email attaches. Also, use updated Office software.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>