Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface

silversurfer

Researchers have identified new versions of the Agent Tesla remote access trojan (RAT) that target the Windows anti-malware interface used by security vendors to protect PCs from attacks. The newly discovered variants have also adopted new obfuscation capabilities, raising the stakes for businesses to fend off the ever-evolving Agent Tesla malware.
Chief among the updates is that the malware now targets Microsoft’s anti-malware software interface (AMSI) in order to avoid detection. AMSI allows applications and services to integrate with any antimalware product that’s present on a machine. The malware also now has the added capability of deploying a Tor client to conceal its communications, as well as using the Telegram chat application to exfiltrate data.
All of these changes make both sandbox and static analysis and endpoint detection of the malware more difficult, warned researchers.
“Agent Tesla remains a consistent threat—for many months, it has remained among the top families of malware in malicious attachments caught by Sophos,” said Sophos researchers on Tuesday. “Because of this sustained stream of Agent Tesla attacks, we believe that the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.”
 

Andy Ful

The malware uses a variation of a pretty old technique, RastaMouse‘s AmsiScanBufferBypass. Most of these variations are detected by Defender, but some clever code obfuscations can make the bypass work again. There are also more advanced bypasses based on dynamically finding the address of the AmsiScanBuffer function instead of using GetProcAddress. Anyway, we can see here the never-ending story of attack and defense.
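As an added example (not from the thread, Sophos, or any of the posters), here is the defender's side of what the post above describes: a PowerShell check that reads the first bytes of AmsiScanBuffer as mapped in every running process and compares them with the same bytes in System32\amsi.dll on disk. A patched prologue is how the RastaMouse-style bypass family shows up in memory. Assumptions: 64-bit Windows PowerShell run as Administrator (so other users' processes can be read), a 32-byte compare window, and a scan of every process returned by Get-Process; the function and variable names are mine.

```powershell
# Added example: detect in-memory patching of AmsiScanBuffer by comparing each
# process's mapped copy with the on-disk amsi.dll. Not code from the thread.
# Assumptions: 64-bit Windows, elevated PowerShell, 32-byte compare window.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string name);
'@

$PROCESS_VM_READ = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400
$WindowBytes = 32                      # assumption: bytes of the prologue to compare
$amsiPath = Join-Path $env:SystemRoot 'System32\amsi.dll'

# 1. Resolve the RVA of AmsiScanBuffer in this (scanner) process. An RVA is a
#    property of the file image, so it is the same in every process mapping amsi.dll.
$hAmsi = [Win32.Native]::GetModuleHandle('amsi.dll')
if ($hAmsi -eq [IntPtr]::Zero) { $hAmsi = [Win32.Native]::LoadLibrary('amsi.dll') }
$fnAddr = [Win32.Native]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
if ($fnAddr -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer export not found' }
$rva = $fnAddr.ToInt64() - $hAmsi.ToInt64()

# 2. Map that RVA to a file offset via the PE section table and read the
#    reference bytes straight from disk (so a patched scanner cannot fool us).
$file = [System.IO.File]::ReadAllBytes($amsiPath)
$eLfanew = [BitConverter]::ToInt32($file, 0x3C)                   # IMAGE_DOS_HEADER.e_lfanew
$numSections = [BitConverter]::ToUInt16($file, $eLfanew + 6)      # FileHeader.NumberOfSections
$optHdrSize = [BitConverter]::ToUInt16($file, $eLfanew + 20)      # FileHeader.SizeOfOptionalHeader
$secTable = $eLfanew + 24 + $optHdrSize                           # first IMAGE_SECTION_HEADER
$fileOffset = -1
for ($i = 0; $i -lt $numSections; $i++) {
    $s = $secTable + 40 * $i                                      # each section header is 40 bytes
    $virtSize = [BitConverter]::ToUInt32($file, $s + 8)
    $virtAddr = [BitConverter]::ToUInt32($file, $s + 12)
    $rawPtr   = [BitConverter]::ToUInt32($file, $s + 20)
    if ($rva -ge $virtAddr -and $rva -lt ($virtAddr + $virtSize)) {
        $fileOffset = $rawPtr + ($rva - $virtAddr)
        break
    }
}
if ($fileOffset -lt 0) { throw 'AmsiScanBuffer RVA not covered by any section' }
$expectedHex = [BitConverter]::ToString([byte[]]$file[$fileOffset..($fileOffset + $WindowBytes - 1)])

# 3. For one process: read the live prologue at amsi.dll base + RVA and compare.
#    Returns $true (patched), $false (clean) or $null (amsi.dll not loaded / unreadable).
function Test-AmsiPatched {
    param([System.Diagnostics.Process]$Proc)
    try {
        $mod = $Proc.Modules | Where-Object { $_.FileName -ieq $amsiPath } | Select-Object -First 1
    } catch { return $null }                                      # protected or foreign-arch process
    if (-not $mod) { return $null }
    $h = [Win32.Native]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $Proc.Id)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $buf = New-Object byte[] $WindowBytes
        $read = [IntPtr]::Zero
        $target = [IntPtr]($mod.BaseAddress.ToInt64() + $rva)
        if (-not [Win32.Native]::ReadProcessMemory($h, $target, $buf, $WindowBytes, [ref]$read)) { return $null }
        return ([BitConverter]::ToString($buf) -ne $expectedHex)
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }
}

# 4. Scan every process and report the ones whose AmsiScanBuffer differs from disk.
$report = foreach ($p in Get-Process) {
    $r = Test-AmsiPatched -Proc $p
    if ($null -ne $r) {
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Patched = $r }
    }
}
$flagged = @($report | Where-Object Patched)
$flagged | Format-Table -AutoSize
Write-Host ("Checked {0} processes with amsi.dll loaded; {1} show a modified AmsiScanBuffer." -f @($report).Count, $flagged.Count)
```

Two caveats when reading the output. First, this compares against the file on disk rather than against the scanner's own copy, so it also catches the case where the PowerShell host running the check has itself been tampered with. Second, a hit is not automatically malicious: some endpoint products legitimately hook AmsiScanBuffer, and on 32-bit images the first bytes can contain relocated absolute addresses, so the comparison should be applied to 64-bit processes and any flagged process should be confirmed by looking at which bytes differ and who wrote them. The check also only covers the patch-the-prologue family the post mentions; bypasses that never touch the function bytes (for example, failing amsi.dll initialization) need a different detection.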
