Sebastian85
Agent Tesla is a versatile spyware Trojan designed to steal sensitive information, including keystrokes, credentials, and screenshots, from infected systems. The Agent Tesla Builder is a user-friendly control panel that allows attackers to configure and generate malicious payloads tailored to their needs. Sold on the dark web and previously through a now-defunct official website (agenttesla[.]com), the builder is accessible for as little as $15–$182 per month, depending on the feature set. Its affordability, 24/7 customer support, and extensive automation make it popular among cybercriminals, with over 6,300 customers reported in 2018.
Key Features of the Agent Tesla Builder
- Screenshots: Takes periodic or event-triggered screenshots of the victim’s screen to capture sensitive activities.
- Webcam Capture: Remotely activates the victim’s webcam to record videos or snapshots at set intervals.
- Automation: Post-2015 updates added automation for capturing snapshots or activating webcams without manual intervention.
- Delivery Methods: Primarily spread via spear-phishing emails with malicious attachments (e.g., Office documents with VBS macros, ZIP/GZIP archives, or LNK files).
- Exploits: Leverages vulnerabilities like CVE-2017-11882 (Microsoft Equation Editor) or CVE-2018-0802 to execute payloads.
- Process Injection: Uses trusted Windows utilities like RegAsm.exe or RegSvcs.exe for process injection, enabling covert execution.
- UAC Bypass: Employs techniques like CMSTP (Microsoft Connection Manager Profile Installer) to execute payloads with administrative privileges and bypass User Account Control.
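As an added example, not part of the post above, here is a small detection check built around two behaviours the post names: RegAsm.exe/RegSvcs.exe spawned by an Office application or script host, and cmstp.exe pointed at an .inf file outside the Windows directory. The event layout, the parent/child pairs and all paths are constructed assumptions, not records from a real incident.

```python
"""Flag Agent Tesla-style execution patterns in process-creation events.

Events are constructed, simplified Sysmon Event ID 1 style records; all
paths and parent/child pairs are illustrative assumptions.
"""
import re
from typing import Dict, List

# Trusted .NET utilities the post names as process-injection hosts.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Parents that should not normally launch them: Office apps and script
# hosts, matching the macro/VBS delivery the post describes.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIR_PREFIX = "c:\\windows\\"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty if benign)."""
    hits: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Rule 1: RegAsm/RegSvcs started by an Office app or script host.
    if image in INJECTION_HOSTS and parent in SUSPICIOUS_PARENTS:
        hits.append("regasm_regsvcs_from_office_or_script_host")
    # Rule 2: cmstp.exe handed an .inf that lives outside the Windows dir.
    if image == "cmstp.exe":
        for inf in re.findall(r'"?([a-z]:\\[^"\s]+?\.inf)"?', cmdline):
            if not inf.startswith(SYSTEM_DIR_PREFIX):
                hits.append("cmstp_inf_outside_system_dir")
                break
    return hits


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "RegAsm.exe"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp.exe C:\Users\Public\setup.inf"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "RegSvcs.exe Component.dll"},
]


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (image, matched rules) for every event that trips a rule."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]
```

The third sample (RegSvcs.exe launched by msiexec.exe) is left unflagged on purpose: the rule keys on the parent process, so legitimate installer use of these utilities does not alert.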