AgentTesla is a notorious and widely-used Remote Access Trojan (RAT) that has been plaguing Windows users since 2014. This malware is designed to steal sensitive information, monitor user activity, and provide attackers with remote control over infected systems. AgentTesla is continuously updated and sold as Malware-as-a-Service (MaaS) [1], making it readily available to cybercriminals of all skill levels. This article delves into the intricacies of AgentTesla, covering its capabilities, attack vectors, and mitigation strategies.
AgentTesla is a .NET-based RAT that primarily targets Microsoft Windows operating systems [2]. It is known for its versatility and ability to steal a wide range of sensitive data. AgentTesla was the 6th most prevalent malware variant in 2021, according to the Check Point 2022 Cybersecurity Report, attacking an estimated 4.1% of corporate networks [3]. It was also the second most common infostealer malware variant globally, behind Formbook malware. Furthermore, the “Global Threat Impact Index” published in early November 2022 by the Israeli cybersecurity solution provider Check Point stated that AgentTesla continued to be one of the “Most Wanted Malwares” in the world, affecting over 7% of enterprises [4]. AgentTesla has been rebranded as OriginLogger, highlighting its adaptability and pervasiveness in the threat landscape [5].
AgentTesla has the capability to steal a wide range of sensitive data, including:
AgentTesla not only poses a direct threat to individuals by compromising their personal and financial information but also has a significant financial impact on organizations. It has been utilized by a syndicate of Nigerian fraudsters to reroute financial transactions from corporate organizations, including oil and gas companies in South East Asia, the Middle East, and North Africa [5]. Moreover, AgentTesla is known to be utilized in Business Email Compromise (BEC) attacks, where cybercriminals manipulate or impersonate trusted individuals within a company via email to deceive employees into taking actions that compromise security or financial integrity [5].
Analysis of AgentTesla and OriginLogger victim data reveals that thousands of computers are compromised regularly, primarily in the United States, China, and Germany [5]. This widespread distribution highlights the global reach and impact of this malware.
AgentTesla operates within the MaaS model, where threat actors known as Initial Access Brokers (IABs) outsource their specialized skills for exploiting corporate networks to affiliate criminal groups [1]. As first-stage malware, AgentTesla provides remote access to a compromised system, which is then used to download more sophisticated second-stage tools, including ransomware. This model makes AgentTesla readily available to a wider range of attackers with varying levels of technical expertise, increasing its potential for widespread damage.
Several research papers and reports have been published on AgentTesla, providing valuable insights into its behavior, impact, and evolution.