Malware analysis

Agent Tesla: What it is, how it works and why it’s targeting energy companies

Daniel Dimov
July 2, 2020 by
Daniel Dimov

Introduction to Agent Tesla

Agent Tesla appeared for the first time in 2014, but it has been just recently used for attacks on energy companies operating in various fields. These fields include charcoal processing, manufacturing of raw materials, oil and gas and hydraulic plants. 

Such attacks are based on spearphishing messages impersonating reputable companies such as Engineering for Petroleum and Process Industries (Enppi) and Glory Shipping Marine Co. Ltd. The targeted companies are located in the United States, South Africa, Malaysia, Philippines, Iran, Oman and Turkey.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

To conduct some of the attacks, the attackers sent to the targeted companies emails purporting to come from Enppi. The emails invited the potential victims to submit a bid for equipment and materials in accordance with the Rosetta Sharing Facilities Project. Since this is a genuine project that is actually linked to Enppi, we can conclude that the attackers conducted some research before initiating their phishing campaigns.

The spearphishing email used to attack energy companies is entitled “REQUEST FOR QUOTATION FOR ENPPI DEVELOPMENT PROJECT NO 4621-422-298-01-20.” It specifies the deadline for submitting bids and includes a .zip file that is supposed to contain a list of requested equipment and materials. Once opened, the file actually drops Agent Tesla.

The purpose of this article is to examine the main characteristics of Agent Tesla, its operation and the reasons it targets energy companies. 

The main characteristics of Agent Tesla

Agent Tesla has two main characteristics: it is written in Microsoft’s .NET language and it is a commercial malware. A brief overview of these two characteristics follows. 

.NET language

Donut was one of the first malware applications utilizing .NET language for malicious purposes. It is a relatively simple malware application and has never caused serious information security problems. However, Donut was used by various fraudsters as a foundation for developing other malware. 

Sharpei was the next big step in the development of .NET malware. To determine whether the .NET platform is installed on the targeted computer, it first checks whether the file mscoree.dll is stored in the system folder. If the file is found, Sharpei creates and executes the viral component (the file cs.exe). 

Agent Tesla is a logical continuation of the rapid development in the field of .NET malware. Relying on the comprehensive library of built-in functions included in the .NET framework and the accompanying software development environment supporting various programming languages, the creators of Agent Tesla succeeded in creating one of the malware applications with the highest global impact. According to CheckPoint Research, Agent Tesla has impacted 3% of the organizations worldwide. 

Commercial malware

A license to use Agent Tesla can be purchased on the website of its creators. It is sold on a monthly or yearly basis. The malware creators claim that Agent Tesla should not be used for malicious purposes and the licenses of users of Agent Tesla who use it for such purposes will be terminated. Such claims are likely to be false, as the malware creators provide 24/7 chat support which includes instructions on how to avoid anti-malware software and how to deploy Agent Tesla inside various file types.

The operation of Agent Tesla

Agent Tesla usually spreads through phishing. However, the malware has a function which allows it to run automatically from a USB stick. At present, Agent Tesla is able to operate exclusively on Windows machines. This may change in the future, as the demand for Agent Tesla is constantly rising.

Once installed on the infected computer, Agent Tesla is able to act as a keylogger, a downloader, a password-stealing malware and a screen-capturing malware. Keyloggers are software applications that are able to record the keys struck on a computer keyboard. Thus, Agent Tesla has the potential to record all data (including usernames and passwords) inserted by a victim in the infected computer. 

As a downloader, Agent Tesla allows fraudsters to download and execute files on the infected computers. 

The password recovery functionality of Agent Tesla allows the malware to collect passwords from most major browsers, including Internet Explorer, Chrome, Firefox and Opera. Agent Tesla is also able to take screenshots of the desktops of the infected computers and even take photos through their web cameras.

Agent Tesla is sold with a special interface allowing its users to customize it before sending it to potential victims. Besides, the malware package includes a dashboard which can be used to monitor the infected computers and perform various operations on them. 

Why does Agent Tesla target energy companies?

Agent Tesla’s growing use in the energy sector is a new phenomenon. One of the reasons for the focus on the energy sector is the lowered oil demand as a result of the global COVID-19 pandemic. At the peak of the crisis, the price of oil sank to levels not seen since 2002. In addition to the decreased demand for oil, the drop in prices was caused by the conflict between Russia and Saudi Arabia.

The oil price fluctuations grabbed the attention of news outlets, policy makers and malware creators. The campaign against energy companies started in October 2019 and peaked in February 2020, where more than 5,000 cyber-attacks on energy companies were detected. In comparison, the number of such attacks in March 2019 was about 2,500 and, in May 2019, fewer than 2,000.


This article discussed the recent use of Agent Tesla for the purpose of conducting cyber-attacks on energy companies. More specifically, we examined the two main characteristics of the malware: its .NET base and its commercial nature. 

Regarding the first characteristic, Agent Tesla clearly indicates the potential which the .NET framework has for developing malware. Similarly to nuclear energy, it is a double-edged sword that can be used both for peaceful and aggressive purposes. As for the second characteristic, Agent Tesla is a part of the growing trend of using malware-as-a-service, i.e., the lease of ready-made malware for conducting cyberattacks.

After discussing the characteristics of Agent Tesla, we provided an overview of its operation and functionalities. Our analysis revealed that the malware has the capacity to collect all types of information from the infected computers (including input data, desktop screenshots, and web camera images). 

Taking into account its functionalities, it is not a surprise that Agent Tesla was used in the recent attacks against energy companies. After hearing the news about the price fluctuations of those companies, many fraudsters likely realized that such companies can be a perfect target of Agent Tesla-based cyberattacks. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Attackers Target Oil and Gas Industry With AgentTesla, Bank Info Security
  2. Coronavirus: Oil price collapses to lowest level for 18 years, BBC News
  3. April 2020’s Most Wanted Malware: Agent Tesla Remote Access Trojan Spreading Widely In COVID-19 Related Spam Campaigns, Check Point Software Technologies Ltd.
  4. Donut, F-Secure
  5. Sharpei, F-Secure
  6. Nyotron’s PARANOID Discovers and Blocks a New “Agent Tesla” Variant, Cybersecurity Insiders
  7. Who Is Agent Tesla?, Krebs on Security
  8. Oil and Gas Firms Targeted With Agent Tesla Spyware, Threatpost
  9. The rise of .NET and Powershell malware, Kaspersky
  10. New Agent Tesla Variant Spreading by Phishing, Fortinet
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.