URL: https://www.digitrustgroup.com/agent-tesla-keylogger/
Submission: On November 07 via api from US — Scanned from DE
THE RISE OF AGENT TESLA

January 12th, 2017

In June of 2015, incident response experts at DigiTrust were alerted to a phishing email sent to one of our client organizations. The email contained a link to an order form, which an employee downloaded and opened. The innocent-looking document was not only weaponized with a malicious payload but also contained something new that our experts had not seen before. The malicious payload was called Agent Tesla, a keylogger that could capture keystrokes and email them back to the threat actor. The further our incident response team investigated, the more apparent it became that Agent Tesla was much more than a standard keylogger: it has many features that had not been seen in keyloggers before.

WHAT IS AGENT TESLA?

Agent Tesla is a relatively new piece of malware used for recording keystrokes on a victim's computer. Adversaries can use it covertly to collect account information, usernames, passwords, and credit card numbers. Although keyloggers are not built to extract files or provide remote access to a system, anything typed into documents, browsers, or messaging apps can be recorded. Threat actors can take "snapshots" of keystrokes and see everything that has been typed, searched, or accessed. While Agent Tesla performs standard keylogging functions, it also has features that set it apart from similar pieces of malware.

ACCESS & SUPPORT

Agent Tesla has been growing in popularity for a variety of reasons, including availability and price. It is readily available, and pricing varies depending on where the threat actor finds it online. From forums claiming to offer free "cracked" versions to www.AgentTesla[.]com selling access for $9-$30, Agent Tesla is not difficult to acquire.
Threat actors who download the keylogger directly from Agent Tesla's website receive 24/7 support, software updates, and a Skype contact for assistance.

DELIVERY, ACCESS, AND GAINING ENTRY

Agent Tesla is usually delivered onto a victim's computer through phishing: emails carrying an infected attachment or a link to one. Agent Tesla also has a feature that allows it to autorun from a USB stick. Currently, Agent Tesla runs only on Windows (all versions); other platforms such as Mac or Linux are not supported.

MORE THAN JUST A KEYLOGGER

Searching for Agent Tesla online returns pages of results providing access to or discussing it. When we examine Agent Tesla's features, it becomes clear that this keylogger is more robust than most. Its capabilities push the boundaries of what we typically see in keyloggers.

BEYOND THE BASICS

The list of features and options for Agent Tesla is extensive. For clarity and cohesiveness, we have outlined some of the core features and functions in this article. While keyloggers were once known only for capturing keystrokes, Agent Tesla has expanded its capabilities far beyond that standard. The core features are covered below: downloader, password recovery, screen capture and webcam, and multi-language support.

DOWNLOADER

The ability to do more than record keystrokes is beyond the standard functionality of most keyloggers. Agent Tesla has a "downloader" feature that allows the adversary to download and run files on a victim's system. This feature alone shows that Agent Tesla could be used for more involved intrusions than a standard keylogger.

PASSWORD RECOVERY

The primary goal of recording keystrokes is to obtain valuable information such as usernames and passwords. Agent Tesla also has a password recovery tool used to steal stored passwords from all major browsers, including Chrome, Firefox, Internet Explorer, Opera, and Yandex.
SCREEN CAPTURE & WEBCAM

Examining Agent Tesla's settings shows that it has desktop and webcam capture features in addition to the keylogger. These controls can be toggled on and off while Agent Tesla is being configured, before it is sent to a potential target. In short, Agent Tesla can capture snapshots of the victim's keystrokes, their desktop, and pictures from their webcam.

[Figure: Agent Tesla capture settings for desktop, webcam, and clipboard]

MULTI-LANGUAGE

Most keyloggers have multi-language support, usually for three to five languages. Agent Tesla claims to support all languages; a full list is not provided, but if the claim is true, it only increases the pool of threat actors who can use Agent Tesla.

CUSTOMIZATION & CONTROL

There are two main pieces to using Agent Tesla. The first is the builder interface, which allows the threat actor to customize Agent Tesla's functions before sending it to a potential target. Everything from the visibility of the install to how the victim will interact with Agent Tesla is controlled from this interface. The second piece is the dashboard. The threat actor monitors connected systems and controls Agent Tesla from this dashboard; it is a command center, and the adversary is at the controls. Let's take a look at both the interface and the dashboard.

THE INTERFACE

Agent Tesla needs to be run by the target themselves, which can require a level of deception. Agent Tesla can display a false message to trick the target into allowing the install. The false message might read "Update Adobe Flash Player"; when the target clicks "OK", they have just told the computer to install Agent Tesla.

COMPOSING FAKE MESSAGES

The following shows how Agent Tesla can create a fake pop-up message to deceive a target. In the builder, the threat actor can set a heading (#1), the message text for the pop-up box (#2), and even a particular icon (#3).
The result is a fake pop-up message used to trick the victim into installing Agent Tesla.

[Figure: The resulting false message created by Agent Tesla.]

THE COMMAND CENTER

The dashboard is a single window with simple navigation tools that gives the adversary a clear view of their connected "clients." All collected information, such as keystroke logs (#1), time stamps (#2), and IP addresses (#3), can be found in the dashboard. The column on the left side of the dashboard allows quick access to collected passwords, screenshots, and keystrokes (#4).

STEALING KEYSTROKES

Agent Tesla keeps logs of the victim's keystrokes and of where those keystrokes occurred. If the victim opens Notepad, Outlook, or even Facebook, blue text tells the adversary the window in which the keystrokes were made. Plain black text with no formatting indicates what the victim actually typed, such as a username or password. The final indicator color is green; green text shows the function keys that were pressed.

THE DANGER OF AUTOMATION

The ability to automate may be one of the most dangerous features of Agent Tesla. An adversary can configure the keylogger to take snapshots of keystrokes, the desktop, and webcam images at timed intervals. If the threat actor wants a snapshot every 10 minutes, Agent Tesla can do just that. The adversary views what was collected in the Agent Tesla logs (or via email) and keeps the information they find most valuable. Although Agent Tesla is not completely hands-off, any level of automation makes collecting information faster and simpler for adversaries. Automation, interface simplicity, and advanced features are just some of the reasons Agent Tesla's use expanded in 2015 and 2016.

--------------------------------------------------------------------------------

WHAT TO DO?

To protect against Agent Tesla, we need to be cautious when opening email attachments or visiting unknown web links.
However, if a keylogger was already inside the system, what would we do? How would we know? When we ask these questions at the enterprise or organizational level, the answers become much more involved. With malware like Agent Tesla able to download and run additional malware, the possible damage extends beyond collecting keystrokes. Although several pieces of software claim to be able to find keyloggers, these tools cannot establish the situational context needed to understand how deep the intrusion may go. One concrete signal worth watching, since Agent Tesla reports its captures by email, is a workstation opening outbound mail (SMTP) connections directly to an external server, particularly on a fixed schedule that matches a configured snapshot interval.

SECURITY AUTOMATION, THE HARD TRUTH

Full automation in information security is not yet a reality, which is precisely why security software may only eliminate the symptom rather than the root of the problem. Automated security software cannot determine or evaluate the context behind an intrusion. Security experts need to build as much context as possible around incidents involving malware like Agent Tesla in order to investigate, contain, and remediate effectively.

DIGITRUST SOLUTIONS

By performing incident response, we can understand the complete who, what, when, where, and why of Agent Tesla within a victim's system. Root-cause analysis gives a better chance of a thorough recovery and of protection against such intrusions in the future. DigiTrust's people, processes, and technology are dedicated not just to finding the needle in the haystack, but to getting to the root of intrusions like Agent Tesla and eliminating them.

--------------------------------------------------------------------------------

To learn more about DigiTrust's managed security and consulting services, contact us through the DigiTrust website or call (310) 696-4500.
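The question raised above, how you would know that a keylogger is already inside, has one concrete network-side answer that follows from the article's own description: Agent Tesla reports its captures by email, and its automation sends them at a fixed interval. The script below is an added example, not code from the original article or from DigiTrust. It scans connection-log lines for internal hosts that open outbound SMTP connections to an external, non-approved server at a regular cadence. The log format, the sample lines, the 10.0.0.0/8 internal range and the 10.0.0.25 relay address are all constructed for this example and must be replaced with your own.

```python
"""
Flag hosts that report to an external mail server on a fixed schedule.

Agent Tesla sends captured data back by email and can be set to do so at a
timed interval, so a workstation that contacts a non-corporate SMTP server
every N minutes deserves a closer look. Everything network-specific below
(log format, internal ranges, approved relay) is an assumption for this
example; adapt it to your environment.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

SMTP_PORTS = {25, 465, 587}
# Hypothetical corporate address space and approved mail relay.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_RELAYS = {"10.0.0.25"}


def parse_line(line: str) -> tuple[datetime, str, str, int] | None:
    """Parse one constructed firewall record.

    Assumed format: '<ISO timestamp> CONN src=<ip> dst=<ip> dport=<port>'.
    Returns None for lines that do not match, so junk is skipped, not fatal.
    """
    parts = line.split()
    if len(parts) < 5 or parts[1] != "CONN":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:5])
    try:
        return (datetime.fromisoformat(parts[0]), fields["src"],
                fields["dst"], int(fields["dport"]))
    except (KeyError, ValueError):
        return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_periodic_smtp(lines, min_connections=4, max_jitter_ratio=0.1):
    """Return {(src, dst): interval_seconds} for internal hosts that talk
    SMTP to an external, non-approved server at a regular cadence.

    Regularity test: the population standard deviation of the gaps between
    consecutive connections is at most max_jitter_ratio times the mean gap.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport not in SMTP_PORTS or not is_internal(src):
            continue
        if is_internal(dst) or dst in APPROVED_RELAYS:
            continue  # mail going through the sanctioned relay is expected
        times[(src, dst)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter_ratio * mean:
            hits[key] = round(mean)
    return hits


# Constructed sample: 10.0.5.17 beacons to an external SMTP server roughly
# every 10 minutes; 10.0.5.18 browses the web and uses the approved relay.
SAMPLE_LOG = """\
2017-01-12T09:00:02 CONN src=10.0.5.17 dst=203.0.113.9 dport=587
2017-01-12T09:03:44 CONN src=10.0.5.18 dst=198.51.100.7 dport=443
2017-01-12T09:10:03 CONN src=10.0.5.17 dst=203.0.113.9 dport=587
2017-01-12T09:12:10 CONN src=10.0.5.18 dst=10.0.0.25 dport=25
2017-01-12T09:20:01 CONN src=10.0.5.17 dst=203.0.113.9 dport=587
2017-01-12T09:27:31 CONN src=10.0.5.18 dst=10.0.0.25 dport=25
2017-01-12T09:30:04 CONN src=10.0.5.17 dst=203.0.113.9 dport=587
2017-01-12T09:40:02 CONN src=10.0.5.17 dst=203.0.113.9 dport=587
this line is not a connection record
""".splitlines()


if __name__ == "__main__":
    for (src, dst), interval in find_periodic_smtp(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: outbound SMTP roughly every {interval} s")
```

A hit from this check is a lead, not a verdict: a legitimate mail client configured for a personal account produces similar traffic. Treat it as the trigger for the host-side investigation the article argues for, namely pulling the process that owns the connection, its persistence, and what it has dropped, rather than as an automated remediation.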
THE DIGITRUST GROUP, LLC | 310.696.4500 © 2020 THE DIGITRUST GROUP®. ALL RIGHTS RESERVED.