A new Agent Tesla variant is being distributed through sophisticated phishing campaigns. Here's what's new and what to detect.
A recent cybersecurity analysis sheds light on a sophisticated phishing campaign distributing a new variant of the notorious Agent Tesla malware. Agent Tesla is a long-running .NET-based information stealer and remote access trojan that continues to evolve faster than its age would suggest.
What's New in This Variant
- Multi-stage delivery using OLE objects, Equation Editor exploits (CVE-2017-11882 still works), and ISO/IMG attachments to bypass mark-of-the-web.
- Use of legitimate cloud services (Discord CDN, Telegram bots) for second-stage retrieval and exfiltration.
- Stealing credentials from browsers, email clients, FTP clients, and VPN configurations.
- Anti-analysis checks for sandboxes and analyst tooling.
What to Detect
- Office processes spawning EQNEDT32.EXE (the Equation Editor) while a document is open.
- Mounted ISO/IMG files spawning executables.
- Outbound traffic to Discord CDN and Telegram Bot API from non-developer hosts.
- Process trees where Office or PDF readers spawn .NET binaries.
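The detection patterns above, as an added example that is not part of the original analysis: a small Python matcher run over constructed Sysmon-style process and network events. Field names, the reader and developer-host allowlists, and the sample events are assumptions.

```python
# Added example: match the Agent Tesla detection patterns against constructed events.
OFFICE_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
DOTNET_MODULES = {"clr.dll", "mscoree.dll", "clrjit.dll"}   # CLR loaded => .NET binary
SUSPECT_HOSTS = {"cdn.discordapp.com", "api.telegram.org"}   # Discord CDN, Telegram Bot API
DEVELOPER_HOSTS = {"dev-ws01"}   # assumption: hosts allowed to reach these services

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Return the names of the process-tree rules an event matches."""
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    modules = {basename(m) for m in ev.get("loaded_modules", [])}
    hits = []
    if parent in OFFICE_READERS and image == "eqnedt32.exe":
        hits.append("office_spawns_equation_editor")
    # assumption: the collector tags the volume type of the image path (iso/img)
    if ev.get("volume_type") in ("iso", "img") and image.endswith(".exe"):
        hits.append("mounted_image_spawns_executable")
    if parent in OFFICE_READERS and modules & DOTNET_MODULES:
        hits.append("reader_spawns_dotnet_binary")
    return hits

def check_network(ev):
    if ev["dest_host"].lower() in SUSPECT_HOSTS and ev["host"] not in DEVELOPER_HOSTS:
        return ["cloud_service_c2_from_non_developer_host"]
    return []

def scan(events):
    """Return (event index, rule name) pairs for every matching event."""
    findings = []
    for i, ev in enumerate(events):
        rules = check_process(ev) if ev["type"] == "process" else check_network(ev)
        findings.extend((i, r) for r in rules)
    return findings

SAMPLE_EVENTS = [  # constructed for this example, not from a real incident
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"E:\invoice.exe", "volume_type": "iso"},
    {"type": "process", "parent_image": r"C:\Program Files\Adobe\AcroRd32.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "loaded_modules": [r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"]},
    {"type": "network", "host": "fin-ws07", "dest_host": "api.telegram.org"},
    {"type": "network", "host": "dev-ws01", "dest_host": "cdn.discordapp.com"},  # allowlisted
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},  # benign launch
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```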
Agent Tesla campaigns target small and midsize businesses heavily because the operators rent the malware as a service and prioritize volume. Email gateway hardening, attachment sandboxing, and EDR detections for the patterns above are the most effective controls.