New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.
Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and with keylogging capabilities active since at least 2014.
This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.
It can also be used for stealing victims’ clipboard contents data, for collecting system information, and for killing anti-malware and software analysis processes.
No credentials are safe
After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.
“The malware has the ability to extract credentials from the registry as well as related configuration or support files,” SentinelOne senior threat researcher Jim Walter explains.
Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.
Once it harvests credentials and app config data, the infostealer will deliver it to its command-and-control (C2) server via FTP or STMP using credentials bundled within its internal configuration.
“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts,” Walter also found.
Widely used infostealer
At the moment, Agent Tesla one of the most actively used malware in attacks targeting both businesses and home users as shown by a list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.
While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.
Agent Tesla also ranked second in a ‘Top 10 most prevalent threats’ ranking published by Any.Run in December 2019, with more than 10,000 sample uploads submitted last year.
A rise of over 770% in the number of botnet C2s associated with this infostealer malware family was also observed between Q1 and Q2 of 2020 according to Spamhaus Malware Labs’ Botnet Threat Update Q2 2020 report [PDF].
Earlier this year, in April, Malwarebytes discovered that Agent Tesla was also updated with a module dedicated to stealing Wi-Fi passwords from infected devices.
Later that month, Bitdefender researchers reported that cybercriminals attacked entities from the gas and oil industry sectors in highly targeted spearphishing campaigns that infected the targets with Agent Tesla RAT payloads.