Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Agent Tesla
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Agent Tesla
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)
ID: S0331
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 Jan 2019
Last Modified: 21 Apr 2021

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Agent Tesla can collect account information from the victim’s machine.(Citation: DigiTrust Agent Tesla Jan 2017)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Agent Tesla has used HTTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)
.003 Application Layer Protocol: Mail Protocols

Agent Tesla has used SMTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Agent Tesla can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Agent Tesla can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Agent Tesla has created hidden folders.(Citation: SentinelLabs Agent Tesla Aug 2020)
.003 Hide Artifacts: Hidden Window

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Agent Tesla has the capability to kill any running analysis processes and AV software.(Citation: Fortinet Agent Tesla June 2017)
Enterprise T1056 .001 Input Capture: Keylogging

Agent Tesla can log keystrokes on the victim’s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

The primary delivered mechaism for Agent Tesla is through email phishing messages.(Citation: Bitdefender Agent Tesla April 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.(Citation: SentinelLabs Agent Tesla Aug 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Agent Tesla has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)

Enterprise T1218 .009 System Binary Proxy Execution: Regsvcs/Regasm

Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.(Citation: SentinelLabs Agent Tesla Aug 2020)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Agent Tesla has the ability to extract credentials from configuration or support files.(Citation: SentinelLabs Agent Tesla Aug 2020)

.002 Unsecured Credentials: Credentials in Registry

Agent Tesla has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020)

Enterprise T1204 .002 User Execution: Malicious File

Agent Tesla has been executed through malicious e-mail attachments (Citation: Bitdefender Agent Tesla April 2020)

Groups That Use This Software
ID Name References
G0083 SilverTerrier

(Citation: Unit42 SilverTerrier 2018)

References

  1. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  2. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  3. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  4. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  5. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  6. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  7. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  8. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.