Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface


Aug 17, 2014
Researchers have identified new versions of the Agent Tesla remote access trojan (RAT) that target the Windows anti-malware interface used by security vendors to protect PCs from attacks. The newly discovered variants have also adopted new obfuscation capabilities, raising the stakes for businesses to fend off the ever-evolving Agent Tesla malware.
Chief among the updates is that the malware now targets Microsoft’s anti-malware software interface (AMSI) in order to avoid detection. AMSI allows applications and services to integrate with any antimalware product that’s present on a machine. The malware also now has the added capability of deploying a Tor client to conceal its communications, as well as using the Telegram chat application to exfiltrate data.
All of these changes make sandbox analysis, static analysis, and endpoint detection of the malware more difficult, warned researchers.
“Agent Tesla remains a consistent threat—for many months, it has remained among the top families of malware in malicious attachments caught by Sophos,” said Sophos researchers on Tuesday. “Because of this sustained stream of Agent Tesla attacks, we believe that the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.”

Andy Ful

Dec 23, 2014
The malware uses a variation of the pretty old technique, RastaMouse’s AmsiScanBufferBypass. Most of these variations are detected by Defender. But some clever code obfuscations can make the bypass work again. There are also more advanced bypasses based on dynamically finding the address of the AmsiScanBuffer function instead of using GetProcAddress. Anyway, we can see here the never-ending story of attack and defense.
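A defender-side check for the in-memory patching of AmsiScanBuffer that the reply above refers to. The PowerShell below is an added example, not code from this thread, from RastaMouse, from Sophos or from Microsoft. It parses the export table of amsi.dll on disk to find the file offset of AmsiScanBuffer, reads the same number of bytes from the function in the running PowerShell process, and reports whether the two prologues still match. It assumes a 64-bit Windows 10 or later host with amsi.dll in System32; the function names Get-ExportFileOffset and Test-AmsiScanBufferIntegrity and the AmsiCheck.Native type are mine.

```powershell
# Added example: compare the prologue of AmsiScanBuffer in this process with amsi.dll on disk.
# Assumes 64-bit Windows 10+ and %SystemRoot%\System32\amsi.dll. Names below are ours, not Microsoft's.
$Native = Add-Type -Namespace AmsiCheck -Name Native -PassThru -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
"@

function Get-ExportFileOffset {
    # Walk the PE export table of a DLL on disk and return the file bytes plus the offset of export $Name.
    param([string]$Path, [string]$Name)
    $b = [IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew -> "PE\0\0"
    $numSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt = $pe + 24                                             # start of the optional header
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dataDir = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }   # PE32+ vs PE32 layout
    $exportRva = [BitConverter]::ToInt32($b, $dataDir)          # DataDirectory[0] = export table
    $sections = @(for ($i = 0; $i -lt $numSections; $i++) {
        $s = $opt + $optSize + $i * 40                          # section headers follow the optional header
        [pscustomobject]@{
            VirtualAddress = [BitConverter]::ToInt32($b, $s + 12)
            VirtualSize    = [BitConverter]::ToInt32($b, $s + 8)
            RawPointer     = [BitConverter]::ToInt32($b, $s + 20)
            RawSize        = [BitConverter]::ToInt32($b, $s + 16)
        }
    })
    $rvaToOffset = {
        # Map a relative virtual address to a file offset via the section that contains it.
        param([int]$Rva)
        foreach ($s in $sections) {
            $size = [Math]::Max($s.VirtualSize, $s.RawSize)
            if (($Rva -ge $s.VirtualAddress) -and ($Rva -lt ($s.VirtualAddress + $size))) {
                return $Rva - $s.VirtualAddress + $s.RawPointer
            }
        }
        throw ("RVA 0x{0:X} is not inside any section" -f $Rva)
    }
    $exp = & $rvaToOffset $exportRva
    $numNames = [BitConverter]::ToInt32($b, $exp + 24)          # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    $funcs = & $rvaToOffset ([BitConverter]::ToInt32($b, $exp + 28))   # AddressOfFunctions
    $names = & $rvaToOffset ([BitConverter]::ToInt32($b, $exp + 32))   # AddressOfNames
    $ords  = & $rvaToOffset ([BitConverter]::ToInt32($b, $exp + 36))   # AddressOfNameOrdinals
    for ($i = 0; $i -lt $numNames; $i++) {
        $nameOff = & $rvaToOffset ([BitConverter]::ToInt32($b, $names + $i * 4))
        $end = [Array]::IndexOf($b, [byte]0, $nameOff)
        if ([Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff) -ne $Name) { continue }
        $ordinal = [BitConverter]::ToUInt16($b, $ords + $i * 2)
        $funcRva = [BitConverter]::ToInt32($b, $funcs + $ordinal * 4)
        return [pscustomobject]@{ Bytes = $b; Offset = (& $rvaToOffset $funcRva) }
    }
    throw "$Name is not exported by $Path"
}

function Test-AmsiScanBufferIntegrity {
    # Compare the first $Length bytes of AmsiScanBuffer in this process with the on-disk copy.
    param([int]$Length = 32)
    $dll = Join-Path $env:SystemRoot 'System32\amsi.dll'
    $disk = Get-ExportFileOffset -Path $dll -Name 'AmsiScanBuffer'
    $expected = $disk.Bytes[$disk.Offset..($disk.Offset + $Length - 1)]

    # PowerShell has already loaded amsi.dll, so LoadLibrary just returns the existing module handle.
    $module = $Native::LoadLibrary('amsi.dll')
    $proc = $Native::GetProcAddress($module, 'AmsiScanBuffer')
    if ($module -eq [IntPtr]::Zero -or $proc -eq [IntPtr]::Zero) {
        throw 'amsi.dll or AmsiScanBuffer not found in this process'
    }
    $actual = New-Object byte[] $Length
    [Runtime.InteropServices.Marshal]::Copy($proc, $actual, 0, $Length)

    $toHex = { param($bytes) ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' ' }
    [pscustomobject]@{
        Intact   = ((& $toHex $expected) -eq (& $toHex $actual))
        OnDisk   = (& $toHex $expected)
        InMemory = (& $toHex $actual)
    }
}

Test-AmsiScanBufferIntegrity | Format-List
```

The check only covers the process it runs in, since every process maps its own copy of amsi.dll, so an endpoint agent would need to repeat it per process. A mismatch is a signal to investigate rather than proof of malware: some security products install their own inline hooks on the same prologue, and on 32-bit images base relocations inside the compared range can legitimately differ from the file bytes.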