Threat Watch

Agent Tesla Receives AMSI Targeting Update

ZDNet reports that researchers at Sophos have discovered two new variants of AgentTesla, a remote access trojan, that add features for evading detection by tampering with Microsoft's Antimalware Scan Interface (AMSI). The malware hides its payload in a series of base64-encoded data chunks and first attempts to disarm AMSI; if that succeeds, the loader is decoded, installed and runs without interference. AgentTesla can take screenshots, log keystrokes, steal clipboard data and harvest credentials from a variety of applications. Sophos has also found new versions that target more applications and give attackers more command-and-control (C2) options.

ANALYST NOTES

As AgentTesla infections typically originate from phishing emails, Binary Defense recommends that users take great care when opening email attachments. Always check the attachment's extension, as AgentTesla often masquerades EXE files as PDF files. Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense's Security Operations Task Force, a team that detects suspicious behavior, investigates, and responds quickly to stop threats.
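One way to automate the extension check the note recommends at a mail gateway or in a triage script, as an added example that is not Binary Defense's or Sophos's code: it flags a document extension followed by an executable one (the "invoice.pdf.exe" masquerade) and compares the visible extension against the file's leading bytes. The sample attachments are constructed.

```python
# Executable extensions Windows runs directly. A name like "invoice.pdf.exe"
# displays as "invoice.pdf" when Explorer hides known extensions (the default).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

PDF_MAGIC = b"%PDF-"   # every PDF begins with this header
PE_MAGIC = b"MZ"       # every Windows PE executable begins with this header


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious.

    Check 1 (name): a document extension hiding an executable one.
    Check 2 (content): the visible extension claims PDF but the bytes disagree.
    """
    findings: list[str] = []
    exts = filename.lower().split(".")[1:]        # everything after the base name
    final_ext = exts[-1] if exts else ""

    if len(exts) >= 2 and final_ext in EXECUTABLE_EXTS:
        findings.append(f"double extension: '.{exts[-2]}' hides '.{final_ext}'")

    if final_ext == "pdf":
        if data.startswith(PE_MAGIC):
            findings.append("claims PDF but content is a Windows PE executable")
        elif not data.startswith(PDF_MAGIC):
            findings.append("claims PDF but lacks the %PDF- header")

    return findings


def scan_attachments(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Inspect every attachment and keep only those with findings."""
    results = {name: inspect_attachment(name, data) for name, data in attachments.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample attachments: a real PDF header, a double-extension EXE,
# and an EXE simply renamed to .pdf.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
}

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```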

https://www.zdnet.com/article/agent-tesla-ramps-up-its-game-in-bypassing-security-walls-attacks-endpoint-protection/