Agent Tesla continues to be a dominant threat in the cyber landscape, due to its adaptability, simplicity of deployment by low-skill actors, and ability to steal sensitive data such as credentials and cookies. Operating under a “Malware-as-a-Service” (MaaS) model, it is widely abused in phishing-led campaigns targeting Windows environments.
The campaign covered in this analysis shows a multi-stage attack chain built to leave few on-disk artefacts and to frustrate detection. The stages progress from social engineering to in-memory execution inside a trusted process, with anti-analysis checks along the way.
Multi-Stage Infection Chain Overview
The observed attack chain consists of the following stages:
Email → RAR attachment → Obfuscated JSE downloader → Secondary PowerShell script → In-memory execution → .NET loader → Final Agent Tesla payload (all in memory).
Each stage plays a specific role in maintaining stealth, evasion, and persistence.
Stage 1: Initial Hook — Phishing With Obfuscated Downloader
The attack begins with a phishing email, commonly themed around business communication to lure the victim into opening the attached archive. A typical example observed uses the subject "New purchase order PO0172".
- Attachment: A compressed .RAR file (PO0172.rar) is attached to the email.
- Obfuscated Dropper: Within the RAR is an obfuscated JScript Encoded (.jse) file (PO0172.jse). This script acts as the first downloader stage and is deliberately obfuscated to evade simple email filtering.
A .jse downloader runs under the Windows Script Host (wscript.exe) when the user double-clicks it, and its encoded body is less likely to trip signature or keyword matching tuned for .exe and .bat attachments; the RAR wrapper adds a further layer that gateways without archive inspection never open. Blocking script attachments at the gateway and reassociating .js/.jse with a text editor instead of wscript.exe removes this foothold.
Stage 2: Script-Based Evasion and Encrypted Payload Retrieval
When executed, the initial JSE script begins the next stage of the attack:
- External Fetch: The script reaches out to a known file-hosting site (catbox[.]moe) to download a second-stage PowerShell (.ps1) script that carries an encrypted payload.
- In-Memory Decryption: To avoid leaving artefacts on disk, the PowerShell script includes an AES-CBC/PKCS7 decryption routine (Invoke-AESDecryption) that decrypts the next stage directly into memory.
Decrypting in memory means the next stage never exists as a file, so file-based scanning and file-creation telemetry have nothing to inspect. It does not escape logging altogether: when PowerShell script block logging is enabled, the decrypted script text is recorded in Event ID 4104 at the moment it is executed, which makes that log one of the most reliable places to recover this stage.
Stage 3: In-Memory Execution via Process Hollowing
The PowerShell loader then employs a stealthy process hollowing technique:
- Launching a Legitimate Process: A trusted Windows utility, Aspnet_compiler.exe, is started in a suspended state.
- Hollowing Out: The legitimate process's memory is hollowed out and replaced with malicious code extracted from two Base64-encoded .NET assemblies.
- Reflective Loading: The embedded .NET loader and final payload are injected and run inside the context of this trusted process.
Process hollowing lets the payload run under the identity of a signed Microsoft binary, so tools that trust the image path or signer, and file-based scanners that never see the payload as a file, have nothing to match. It does not make the code invisible to memory scanning or behavioural monitoring: an EDR that watches for a suspended child process, cross-process memory writes into it, or .NET assemblies loaded into a process that should not host them still has several observation points.
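One way to surface Stages 1 to 3 from endpoint telemetry, as an added example that is not Fortinet's code and not material from the campaign: the Python below runs three process-chain rules and one script-block rule over constructed records shaped like Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block logging). The PIDs, paths, command lines and the script body are invented for the example; only the names PO0172.jse, aspnet_compiler.exe and Invoke-AESDecryption come from the report. The assumption that the hollowed aspnet_compiler.exe is launched with an empty command line is mine and should be tuned against a local baseline.

```python
"""Endpoint detection for the JSE -> PowerShell -> aspnet_compiler.exe chain.

Added example, not Fortinet's code. Records mimic Sysmon Event ID 1 and
PowerShell Event ID 4104. All PIDs, paths, command lines and the script body
are constructed for illustration.
"""
import re

# Constructed Sysmon EID 1 records: the malicious chain plus benign noise.
PROCESS_EVENTS = [
    {"pid": 500,  "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1500, "ppid": 500,  "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\victim\Downloads\PO0172.rar"'},
    {"pid": 2002, "ppid": 1500, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\Rar$DIa1234.5678\PO0172.jse"'},
    {"pid": 3003, "ppid": 2002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -Command (constructed)"},
    {"pid": 4004, "ppid": 3003, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    # Benign noise: an administrator's build script precompiling a web site.
    {"pid": 6006, "ppid": 500,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\build\precompile.ps1"},
    {"pid": 6007, "ppid": 6006, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"aspnet_compiler.exe -v / -p C:\inetpub\wwwroot C:\build\out"},
]

# Constructed PowerShell EID 4104 records. The first stands in for the
# decrypt-then-execute pattern of the loader; it is not the real script text.
SCRIPTBLOCK_EVENTS = [
    {"pid": 3003, "text": (
        "function Invoke-AESDecryption($Data, $Key, $IV) {"
        " $aes = [System.Security.Cryptography.Aes]::Create();"
        " $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $Key; $aes.IV = $IV;"
        " $dec = $aes.CreateDecryptor();"
        " [Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($Data, 0, $Data.Length)) }"
        " Invoke-Expression (Invoke-AESDecryption $blob $k $iv)")},
    {"pid": 7007, "text": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
ACTIVE_SCRIPT = re.compile(r"\.(jse?|vbe?|wsf|hta)\b", re.I)
AES_API = re.compile(r"Cryptography\.(Aes|AesCryptoServiceProvider|AesManaged|RijndaelManaged)\b", re.I)
DYNAMIC_EXEC = re.compile(r"\b(Invoke-Expression|IEX)\b|Reflection\.Assembly\]::Load", re.I)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_process_chain(events):
    """Apply the three process-creation rules; return (rule, pid) alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # Stage 1: a script host running an active script from a user-writable path.
        if img in SCRIPT_HOSTS and ACTIVE_SCRIPT.search(e["cmd"]) and USER_WRITABLE.search(e["cmd"]):
            alerts.append(("script_host_user_path", e["pid"]))
        # Stage 2: PowerShell spawned by a script host.
        if img in POWERSHELL and pimg in SCRIPT_HOSTS:
            alerts.append(("powershell_from_script_host", e["pid"]))
        # Stage 3: aspnet_compiler.exe spawned by PowerShell with nothing to compile.
        # Assumption: the hollowed host is started with an empty command line; a
        # real build invocation carries -v/-p arguments. Quoted full paths without
        # spaces still split to a single token here.
        if img == "aspnet_compiler.exe" and pimg in POWERSHELL and len(e["cmd"].split()) < 2:
            alerts.append(("aspnet_compiler_hollow_candidate", e["pid"]))
    return alerts


def detect_scriptblocks(events):
    """Flag 4104 blocks that both call an AES API and execute dynamic content."""
    return [("aes_decrypt_then_execute", e["pid"]) for e in events
            if AES_API.search(e["text"]) and DYNAMIC_EXEC.search(e["text"])]


def process_ancestry(events, pid):
    """Walk ppid links to rebuild the chain root -> ... -> pid as image names."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def run():
    return detect_process_chain(PROCESS_EVENTS) + detect_scriptblocks(SCRIPTBLOCK_EVENTS)


if __name__ == "__main__":
    for rule, pid in run():
        print(f"{rule:34} pid={pid} chain={' -> '.join(process_ancestry(PROCESS_EVENTS, pid))}")
```

The benign build records exercise the false-positive path: PowerShell launching aspnet_compiler.exe with real compile arguments is not flagged, while the empty-command-line launch from a PowerShell that itself descended from wscript.exe is. Correlating the 4104 hit with the same PID as the process-chain hits gives a single high-confidence incident rather than four loose alerts.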
Stage 4: Anti-Analysis and Environment Checks
Before initiating its core data-stealing functionality, the malware performs several environmental checks:
- Virtual Machine Detection: Queries WMI to identify VM environments such as VMware, VirtualBox, or Hyper-V.
- Security Software Artifacts: Scans for DLLs associated with sandboxing and antivirus products (e.g., Avast, Sandboxie, Comodo components).
- Evasion Triggers: If virtualization or security tooling is detected, the malware may halt execution to avoid analysis.
This stage reflects a mature anti-analysis posture, designed to prevent dynamic analysis inside researcher VMs or sandbox environments, further complicating defensive research efforts.
Stage 5: Credential Harvesting and Exfiltration
Once running unmonitored, the payload executes its primary malicious objectives:
- Credential and Cookie Harvesting: Extracts browser cookies (including domain, security flags, and expiration data) and other credentials.
- Data Collection: Aggregates diverse sensitive data types (e.g., contacts) and writes them to .txt files.
- Exfiltration: Sends stolen data via SMTP to an attacker-controlled mail server (mail[.]taikei-rmc-co[.]biz).
SMTP exfiltration can blend with legitimate mail traffic only where endpoints are permitted to talk to arbitrary mail servers. In an environment where workstations may only reach an internal relay or the organisation's hosted mail service, a direct SMTP session from a workstation to an unknown external server is itself an anomaly, and an egress rule blocking TCP 25, 465 and 587 from user subnets breaks this channel outright.
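The network-side counterpart, as an added example that is not Fortinet's code: the Python below classifies constructed connection records shaped like a Zeek conn.log joined with the SMTP server name (as smtp.log or DNS would supply). It flags the reported exfiltration host by name and, independently of any indicator, any direct SMTP session from an internal endpoint to an external server that is neither the approved relay nor the approved mail tenant. The addresses, UIDs, the relay address and the tenant/provider names are invented; only mail.taikei-rmc-co.biz comes from the report.

```python
"""Network detection of the SMTP exfiltration stage.

Added example, not Fortinet's code. Records mimic Zeek conn.log fields plus a
resolved server name. All addresses, UIDs and the approved relay/tenant names
are constructed; only mail.taikei-rmc-co.biz is taken from the report.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: only this relay may speak SMTP to the internet; endpoints must use it.
APPROVED_RELAYS = {ipaddress.ip_address("10.0.5.25")}
# Assumption: the organisation's hosted mail endpoint (constructed name).
APPROVED_DESTINATIONS = {"smtp.mailtenant.example"}
KNOWN_EXFIL_HOSTS = {"mail.taikei-rmc-co.biz"}  # from the report
SMTP_PORTS = {25, 465, 587}

# Constructed records: normal relay use, the relay's own upstream delivery,
# the exfiltration session, a personal mail client, and non-SMTP noise.
CONN_RECORDS = [
    {"uid": "C1", "orig_h": "10.0.20.15", "resp_h": "10.0.5.25",    "resp_p": 25,  "server_name": "relay.corp.example"},
    {"uid": "C2", "orig_h": "10.0.5.25",  "resp_h": "192.0.2.10",   "resp_p": 25,  "server_name": "smtp.mailtenant.example"},
    {"uid": "C3", "orig_h": "10.0.20.15", "resp_h": "203.0.113.45", "resp_p": 587, "server_name": "mail.taikei-rmc-co.biz"},
    {"uid": "C4", "orig_h": "10.0.20.22", "resp_h": "198.51.100.7", "resp_p": 587, "server_name": "smtp.personalmail.example"},
    {"uid": "C5", "orig_h": "10.0.20.15", "resp_h": "10.0.20.30",   "resp_p": 445, "server_name": ""},
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(record):
    """Return the rule names a single connection record triggers."""
    hits = []
    if record["resp_p"] not in SMTP_PORTS:
        return hits
    src = ipaddress.ip_address(record["orig_h"])
    dst = ipaddress.ip_address(record["resp_h"])
    # Indicator match: high confidence but only as good as the IOC list.
    if record["server_name"] in KNOWN_EXFIL_HOSTS:
        hits.append("known_exfil_host")
    # Policy rule: an endpoint talking SMTP straight to the internet, bypassing
    # the relay and the tenant. Catches the same session with no indicator at all.
    if (is_internal(src) and not is_internal(dst)
            and src not in APPROVED_RELAYS
            and record["server_name"] not in APPROVED_DESTINATIONS):
        hits.append("direct_outbound_smtp_from_endpoint")
    return hits


def detect_smtp_exfil(records):
    """Flatten per-record hits into (rule, uid) alerts in record order."""
    return [(rule, r["uid"]) for r in records for rule in classify(r)]


def offending_hosts(records):
    """Internal sources with at least one SMTP alert; candidates for isolation."""
    return sorted({r["orig_h"] for r in records if classify(r)})


if __name__ == "__main__":
    for rule, uid in detect_smtp_exfil(CONN_RECORDS):
        print(f"{rule:36} {uid}")
    print("hosts to triage:", offending_hosts(CONN_RECORDS))
```

Record C4 shows the trade-off in the policy rule: a user's personal mail client is reported with the same rule as the exfiltration session. That is the point rather than a defect; if workstations can reach arbitrary SMTP servers, the channel the stealer relies on is open, and the fix is the egress rule, not a longer indicator list.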
Technical Takeaways
This campaign highlights several advanced implementation techniques that enhance stealth and evade detection:
- Use of multiple scripting layers (JSE downloader → PowerShell → in-memory loader).
- Encrypted payloads decrypted in memory to reduce disk footprint.
- Process hollowing into a trusted, signed Windows process, so the payload runs without ever being written to disk as an executable.
- Anti-analysis checks to avoid execution in analyst environments.
Each stage builds on the previous to deliver a fully functional and stealthy Agent Tesla payload with minimal on-disk artefacts and maximum resistance to detection.
Defensive Insights
Fortinet outlines several controls and protections that can help defend against similar campaigns:
- Phishing Prevention: Emails containing malicious attachments are detected and blocked by mail gateways (e.g., FortiMail) and sandboxing.
- Content Disarm & Reconstruction (CDR): Strips active code from attachments to neutralize executables and scripts.
- Endpoint Detection and Response (EDR): Detects in-memory and process hollowing attacks.
- Real-Time Reputation Services: Block malicious hosting infrastructure before secondary stages download.
These layered defenses increase the chances of blocking the attack before payload execution.
Concluding Summary
Agent Tesla remains a versatile and persistent threat because of its combination of efficient phishing delivery methods, in-memory staging, and anti-analysis capabilities that together create a stealthy and resilient infection pipeline. Its design allows relatively unsophisticated actors to launch significant data theft campaigns that rival advanced persistent threats in complexity.
