Upgraded Agent Tesla malware steals passwords from browsers, VPNs

Posted by & filed under Ειδοποιήσεις.

New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.

Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and with keylogging capabilities active since at least 2014.

This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.

It can also be used for stealing victims’ clipboard contents data, for collecting system information, and for killing anti-malware and software analysis processes.

No credentials are safe

After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.

“The malware has the ability to extract credentials from the registry as well as related configuration or support files,” SentinelOne senior threat researcher Jim Walter explains.

Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.

Once it harvests credentials and app config data, the infostealer will deliver it to its command-and-control (C2) server via FTP or STMP using credentials bundled within its internal configuration.

“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts,” Walter also found.

Widely used infostealer

At the moment, Agent Tesla one of the most actively used malware in attacks targeting both businesses and home users as shown by a list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.

While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.

Agent Tesla also ranked second in a ‘Top 10 most prevalent threats’ ranking published by Any.Run in December 2019, with more than 10,000 sample uploads submitted last year.

A rise of over 770% in the number of botnet C2s associated with this infostealer malware family was also observed between Q1 and Q2 of 2020 according to Spamhaus Malware Labs’ Botnet Threat Update Q2 2020 report [PDF].

Earlier this year, in April, Malwarebytes discovered that Agent Tesla was also updated with a module dedicated to stealing Wi-Fi passwords from infected devices.

Later that month, Bitdefender researchers reported that cybercriminals attacked entities from the gas and oil industry sectors in highly targeted spearphishing campaigns that infected the targets with Agent Tesla RAT payloads.

 

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.