Agent Tesla includes new password-stealing capabilities from browsers and VPNs

Experts found new variants of Agent Tesla Trojan that include modules to steal credentials from popular web browsers, VPN software, as well as FTP and email clients.

Researchers from SentinelOne discovered new variants of the popular Agent Tesla Trojan that includes new modules to steal credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.

Agent Tesla is a spyware that is used to spy on the victims by collecting keystrokes, system clipboard, screenshots, and credentials from the infected system. To do this, the spyware creates different threads and timer functions in the main function.

The experts first discovered the malware in June 2018, but it has been available since 2014, when they observed threat actors spreading it via a Microsoft Word document containing an auto-executable malicious VBA Macro.

Once the users have enables the macro, the spyware will be installed on the victim’s machine

Agent Tesla is often involved in business email compromise (BEC) attacks and to steal data from victims’ systems and collect info on their systems.

Recent samples of the malware include specific code to collect app configuration data and credentials from several apps.

“Currently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals.” reads the analysis published by SentinelOne. “Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files.”

The new variants are able to target popular applications, including Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook.

Then the info-stealing Trojan attempt to send data back to the command-and-control (C2) server via FTP or STMP, experts noticed that the credentials are hardcoded within its internal configuration.

Recent variants will often drop secondary executables to inject into, or they will attempt to inject into known binaries already present on targeted hosts.

Experts reported that the malware frequently used the ‘Process Hollowing’ injection technique, which allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed). These areas of memory are then reallocated with the desired malicious code.

Upon executing the malware will gather local system information, install the keylogger module, as well as initializing routines for discovering and harvesting data.

Recent samples implement the ability to discover wireless network settings and credentials, then remain in sleeping mode for a short period of time before spawning an instance of netsh.exe:

Netsh.exe wlan show profile

They usually achieve persistence via registry key entry or scheduled task.

“Agent Tesla has been around for several years now, and yet we still see it utilized as a commodity in many low-to-mildly sophisticated attacks. Attackers are continually evolving and finding new ways to use tools like Agent Tesla successfully while evading detection. At the end of the day, if the goal is to harvest and steal data, attackers will go with what works; thus, we still see ‘commodity’ tools like Agent Tesla, as well as Pony, Loki and other low-hanging fruit malware being used.” concludes the report that also includes indicators of compromise (IoCs). “When combined with timely social engineering lures, these non-sophisticated attacks continue to be successful.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Agent Tesla)

[adrotate banner=”5″]

[adrotate banner=”13″]