URL: https://www.digitrustgroup.com/agent-tesla-keylogger/


THE RISE OF AGENT TESLA

January 12th, 2017

In June of 2015, incident response experts at DigiTrust were alerted to a
phishing email sent to one of our client organizations. The email contained a
link to an order form which was downloaded and opened by an employee. The
innocent looking document was not only weaponized with a malicious payload but
also contained something new our experts had not seen before.

The malicious payload was called Agent Tesla, a keylogger that could capture
keystrokes and email them back to the threat actor. The further our incident
response team investigated, the more apparent it became that Agent Tesla was
much more than a standard Keylogger.



Agent Tesla has many features that had not been seen in keyloggers before.

WHAT IS AGENT TESLA?

Agent Tesla is a relatively new piece of malware used for recording keystrokes
on a victim's computer. Adversaries use it covertly to collect account
information, usernames, passwords, and credit card numbers. Although keyloggers
are not built to extract files or to provide remote access to a system, anything
typed into documents, browsers, or messaging apps can be recorded. Threat actors
can take "snapshots" of keystrokes and see everything that has been typed,
searched, or accessed. While Agent Tesla performs the standard keylogging
functions, it also has features that set it apart from similar pieces of
malware.

ACCESS & SUPPORT

Agent Tesla has been growing in popularity for a variety of reasons, including
availability and price. It is readily available, and pricing varies depending on
where the threat actor finds it online. From forums claiming to offer free
"cracked" versions to www.AgentTesla[.]com selling access for $9-$30, Agent
Tesla is not difficult to acquire. Threat actors who buy the keylogger directly
from Agent Tesla's website receive 24/7 support and software updates.
 


Threat actors are provided with 24/7 support, updates, and a Skype contact for
assistance.

DELIVERY, ACCESS, AND GAINING ENTRY

Agent Tesla most often reaches a victim's computer through phishing: an email
carrying a weaponized attachment, or a link to one, as in the incident described
above. Agent Tesla also has a feature that lets it autorun from a USB stick.
Currently, Agent Tesla runs only on Windows (all versions); Mac and Linux are
not supported.
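A triage check for the USB delivery path described above, as an added example: this is not code from the original post or from Agent Tesla. It assumes the stick carries an autorun.inf in the INI layout Windows reads (an [autorun] section with open=, shellexecute=, icon=, label= and action= keys) and classifies it by what it would launch and whether it imitates the built-in "Open folder to view files" entry. Both sample files are constructed for the example.

```python
"""Triage of an autorun.inf found on removable media (added example)."""
import configparser

# Keys that make Windows launch a program when the media is inserted.
LAUNCH_KEYS = ("open", "shellexecute")
# Text Windows itself shows for a plain drive; an autorun.inf that copies it
# is trying to look like the built-in "open folder" entry (heuristic).
MIMICKED_ACTION = "open folder to view files"

# Constructed: what a keylogger dropper's autorun.inf might look like.
MALICIOUS_AUTORUN = r"""
[AutoRun]
open=Documents\setup.exe
shellexecute=Documents\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Quarterly Reports
action=Open folder to view files
"""

# Constructed: a benign autorun.inf that only sets a label and an icon.
BENIGN_AUTORUN = r"""
[autorun]
label=Backup Drive
icon=drive.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercase keys (in file order), or {}."""
    # interpolation=None: values such as %SystemRoot% must not be expanded.
    # strict=False: autorun.inf files in the wild repeat keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":   # section names are case-sensitive in configparser
            return dict(cp[section].items())
    return {}


def assess_autorun(text):
    """Classify an autorun.inf: what it would launch and whether it disguises itself."""
    entries = parse_autorun(text)
    launches = [(k, v) for k, v in entries.items() if k in LAUNCH_KEYS]
    action = entries.get("action", "").strip().lower()
    deceptive = MIMICKED_ACTION in action
    verdict = "suspicious" if launches else "benign"
    return {"launches": launches, "deceptive": deceptive, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(sample))
```

Since Microsoft's 2011 AutoRun change (KB971029), Windows no longer honors autorun.inf on USB mass storage, only on optical media, so on a patched system the "open" entry does nothing unless the victim double-clicks the payload themselves. The file is still worth flagging: its presence marks the stick as prepared for delivery, and the "open folder" disguise tells you the intended victim was meant to be deceived rather than to run the file knowingly.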

MORE THAN JUST A KEYLOGGER

Searching for Agent Tesla online returns pages of results offering access to it
or discussing it. When we examine Agent Tesla's features, it becomes clear that
this keylogger is more robust than most: its capabilities push the boundaries of
what we typically see in keyloggers.

BEYOND THE BASICS

The list of features and options for Agent Tesla is extensive. For clarity and
cohesiveness, we have outlined some of the core features and functions in this
article. While keyloggers were once only known for capturing keystrokes, Agent
Tesla has expanded its capabilities far beyond the standard.





DOWNLOADER

The ability to do more than just record keystrokes is beyond the standard
functionality of most keyloggers. Agent Tesla has a "downloader" feature that
lets the adversary fetch and execute additional files on the victim's system.
This feature alone shows that Agent Tesla can be used for more involved
intrusions than a standard keylogger: the keylogger becomes the first stage of
whatever the adversary chooses to deliver next.

PASSWORD RECOVERY

The primary goal of recording keystrokes is to obtain valuable information such
as usernames and passwords. Agent Tesla does not have to wait for the victim to
type them: it includes a password recovery tool that extracts saved credentials
from all major browsers, including Chrome, Firefox, Internet Explorer, Opera,
and Yandex.

SCREEN CAPTURE & WEBCAM

Examining Agent Tesla's settings shows that it has desktop and webcam capture
features in addition to the keylogger. These controls can be toggled on and off
when the threat actor configures Agent Tesla, before it is sent to a potential
target.

In short, Agent Tesla can capture snapshots of the victim's keystrokes, their
desktop, and pictures from their webcam.

DESKTOP, WEBCAM, CLIPBOARD

MULTI-LANGUAGE

Most keyloggers have multi-language support, usually covering three to five
languages. Agent Tesla claims to support all languages; an entire list is not
provided, but if the claim is true, it only increases the pool of threat actors
who will be using Agent Tesla.





CUSTOMIZATION & CONTROL

There are two main pieces to using Agent Tesla. The first is the interface,
which lets the threat actor customize Agent Tesla's functions before sending it
to a potential target. Everything from the visibility of the install to how the
victim will interact with Agent Tesla is controlled from this interface.

The second piece is the dashboard. The threat actor monitors the connected
systems and controls Agent Tesla from here; the dashboard is the command
center, and the adversary is at the controls. Let's take a look at both the
interface and the dashboard.



THE INTERFACE

Agent Tesla has to be run by the target themselves, which usually requires some
deception. Agent Tesla can display a fake message to trick the target into
granting it a foothold. The message might read "Update Adobe Flash Player";
when the target clicks "OK," they have just told the computer to install Agent
Tesla.




COMPOSING FAKE MESSAGES

The following shows how Agent Tesla can create a fake pop-up message to deceive
a target. The threat actor can create a heading (#1), a message for the pop-up
box (#2), and can even include a particular icon (#3). The result is a fake
pop-up message used to trick the victim into installing Agent Tesla.



THE RESULTING FALSE MESSAGE CREATED BY AGENT TESLA.




THE COMMAND CENTER

The dashboard is a single window with simple navigation tools providing the
adversary a clear view of their connected “clients."
All collected information such as keystroke logs (#1), time stamps (#2), and IP
addresses (#3) can be found in the dashboard. The column on the left side of the
dashboard allows for quick access to collected passwords, screenshots, and
keystrokes (#4).




STEALING KEYSTROKES

Agent Tesla keeps logs of the victim's keystrokes and of where those keystrokes
were made.

If the victim types in Notepad, Outlook, or even Facebook, blue text tells the
adversary which application or page the keystrokes were entered into. Plain
black text is the victim's actual typed input, such as a username or password.
The final indicator color is green, which marks the function keys that were
pressed.



THE DANGER OF AUTOMATION

The ability to automate may be one of the most dangerous features of Agent
Tesla. An adversary can automate the keylogger to take snapshots of keystrokes,
the desktop, and webcam images at timed intervals. If the threat actor wanted to
take a snapshot every 10 minutes, Agent Tesla could do just that. The adversary
can view what was collected in the Agent Tesla logs (or via email) and keep the
information they find most valuable.


Although Agent Tesla is not completely hands off, any level of automation can
make collecting information faster and simpler for adversaries. Automation,
interface simplicity, and advanced features are just some of the reasons Agent
Tesla’s use has expanded in 2015 and 2016.



--------------------------------------------------------------------------------

WHAT TO DO?


To protect against Agent Tesla, we need to be cautious about opening email
attachments or visiting unknown web links. But if a keylogger were already
inside the system, what would we do? How would we know? When we ask these
questions at the enterprise or organizational level, the answers become much
more involved. Because malware like Agent Tesla can download and run additional
malware, the possible damage extends beyond collected keystrokes. Although
several pieces of software claim to find keyloggers, these tools cannot
establish the situational context needed to understand how deep the intrusion
may go.
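One concrete answer to "how would we know?", as an added example that is not code from the original post. The post states that the keylogger emails captured keystrokes to the threat actor and that it can do so on a timer (the "snapshot every 10 minutes" automation described above). Two inferences are assumed here rather than taken from the post: that the infected workstation therefore opens SMTP connections itself, and that a fixed timer produces near-identical gaps between those connections. The log format (one line per connection: timestamp, source, destination, destination port), the internal address range and the mail relay address are hypothetical, and the log lines are constructed for the example.

```python
"""Spotting keylogger exfiltration by direct, periodic SMTP from workstations (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.0.25"}      # assumed: the only host allowed to send mail out
INTERNAL_PREFIX = "10."          # assumed: workstation address range

# Constructed sample: 10.0.5.17 sends mail straight to an outside host every
# ten minutes; 10.0.5.42 uses the relay once and an outside host once.
SAMPLE_LOG = """\
2017-01-10T09:00:02 10.0.5.17 198.51.100.23 587
2017-01-10T09:03:11 10.0.5.17 93.184.216.34 443
2017-01-10T09:10:01 10.0.5.17 198.51.100.23 587
2017-01-10T09:14:40 10.0.5.42 10.0.0.25 25
2017-01-10T09:20:03 10.0.5.17 198.51.100.23 587
2017-01-10T09:30:02 10.0.5.17 198.51.100.23 587
2017-01-10T09:40:05 10.0.5.17 198.51.100.23 587
2017-01-10T11:02:19 10.0.5.42 203.0.113.9 587
"""


def parse_log(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def direct_smtp(events):
    """Group timestamps of SMTP connections from internal hosts to anything but the relay."""
    hits = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SMTP_PORTS and src.startswith(INTERNAL_PREFIX) and dst not in MAIL_RELAYS:
            hits[(src, dst)].append(ts)
    return hits


def _gaps(timestamps):
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def median_interval(timestamps):
    """Median seconds between consecutive connections, or None if fewer than two."""
    return median(_gaps(timestamps)) if len(timestamps) >= 2 else None


def beacon_score(timestamps, tolerance=0.2):
    """Fraction of gaps between consecutive connections that sit within
    +/- tolerance of the median gap. 1.0 means a fixed timer is driving the
    traffic; fewer than three connections give no evidence, so return 0.0."""
    if len(timestamps) < 3:
        return 0.0
    gaps = _gaps(timestamps)
    m = median(gaps)
    regular = sum(1 for g in gaps if abs(g - m) <= tolerance * m)
    return regular / len(gaps)


def find_suspects(text):
    """Return one finding per (src, dst) pair, most beacon-like first."""
    findings = []
    for (src, dst), stamps in direct_smtp(parse_log(text)).items():
        findings.append({
            "src": src, "dst": dst, "count": len(stamps),
            "interval_s": median_interval(stamps),
            "beacon_score": beacon_score(stamps),
        })
    findings.sort(key=lambda f: (f["beacon_score"], f["count"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

On the sample, 10.0.5.17 is reported with five connections about 600 seconds apart and a beacon score of 1.0, which is the timer the post describes showing through in the network; 10.0.5.42 still appears, with a single direct SMTP connection and no cadence evidence. The cadence is corroboration, not the trigger: in an environment where only the relay may send mail, any direct SMTP from a workstation is already worth a ticket, and a variant configured to upload over HTTPS or webmail would not show up in this check at all.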


SECURITY AUTOMATION, THE HARD TRUTH

Full automation in information security is not yet a reality, which is precisely
why security software may only eliminate the symptom as opposed to alleviating
the root of the problem. Automated security software cannot determine or
evaluate the context behind an intrusion. Security experts need to build as much
context as possible around incidents involving malware like Agent Tesla to
effectively investigate, contain, and remediate.


DIGITRUST SOLUTIONS

By performing incident response, we can understand the complete who, what, when,
where, and why of Agent Tesla within a victim's system. The ability to
root-cause provides a better chance of a thorough recovery and better protection
against such intrusions in the future. DigiTrust’s people, processes, and
technology are dedicated to not just finding the needle in the haystack, but
getting to the root of intrusions like Agent Tesla and eliminating it.


