Agent Tesla and Taskun Malware Targeting US Education and Govt Entities


Researchers at Veriti recently uncovered a concerning trend: a surge in cyberattacks targeting sensitive data within the US education and government sectors. This campaign is sophisticated, employing a combination of two notorious malware strains: Agent Tesla and Taskun.

Agent Tesla is renowned for its spyware capabilities, designed to stealthily steal a user’s most valuable data by capturing keystrokes, screenshots, and login credentials for various applications like browsers and VPNs. Meanwhile, Taskun acts as the perfect accomplice by compromising system integrity, creating a backdoor for Agent Tesla to infiltrate and establish persistence. This collaboration allows Agent Tesla to remain undetected for extended periods, maximizing data theft opportunities. The attackers’ strategy centers around performing reconnaissance to identify vulnerabilities within the targeted systems. This approach often exploits weaknesses in commonly used office applications and operating systems. By targeting these widespread vulnerabilities, the attackers can maximize the impact of their attack, potentially compromising a vast number of devices within an organization.

The attack is typically initiated through malicious email attachments that exploit vulnerabilities in Windows OS software, particularly targeting widely used applications like Microsoft Office. This tactic leverages common vulnerabilities to maximize the impact of the attack, potentially compromising a vast number of devices within targeted organizations.

Security Officer Comments:
The choice of targeting the education and government sectors is strategic. These sectors house a treasure trove of sensitive data, including student records, research findings, social security numbers, and other confidential information. Moreover, educational institutions have been frequent targets due to vulnerabilities like the MOVEit vulnerability, which has been exploited in attacks on over 900 schools in the US. A successful attack using Agent Tesla and Taskun could lead to a significant data breach, resulting in immense financial loss, reputational damage, and even identity theft for affected individuals.

Suggested Corrections:


Researchers at Verdi recommend the following to defend against Agent Tesla:

Targeted Patch Management and Environment Hardening:

  • Ensure that all systems running the affected software are updated to the latest versions that have patched these vulnerabilities. Alternately identify the relevant compensating controls and technologies and involve them to proactively harden the defenses without waiting for maintenance windows.

Automated Rule Deployment Across Security Controls:

  • Implement or enhance detection capabilities to monitor for signs of the IOCs related to Agent Tesla and Taskun. Utilize automated rule deployment across security tools, like SNORT and YARA, to detect and block attack attempts.

Endpoint and Network Protection:

  • Strengthen endpoint defenses to thwart credential harvesting and MITM attacks. This includes disabling legacy protocols like WDigest and securing authentication mechanisms.

Command and Control Exfiltration:

  • To effectively disrupt the communication channels used by Agent Tesla and Taskun, organizations need to ensure comprehensive deployment of IoCs and IoAs across all security layers. The following is a list of IoCs associated with this campaign. It should be distributed and continuously updated across the security infrastructure: