Security researchers have discovered new variants of the Agent Tesla malware that now include modules capable of stealing credentials from many well-known applications, including web browsers, VPN software, and FTP and email clients.
First discovered in 2014, Agent Tesla is a well-known keylogger and information-stealing trojan that has grown in popularity among cybercriminals over the past few years. Much like the operators of Instagram username-theft tools, the trojan's authors sold it on cybercriminal marketplaces, providing customers with both the malware and a management panel that lets them easily sort the data it gathers.
The malware is capable of compromising heavily protected systems, stealing sensitive data, and killing anti-malware and software-analysis processes, which makes it very difficult to track.
Jim Walter, a senior threat researcher at SentinelOne, discovered dedicated code used to collect application configuration data and user credentials after analysing new samples of the Agent Tesla malware. Walter then provided further detailed insight into the capabilities of the new modules, noting that the malware can also extract credentials from the Windows registry.
“Currently, Agent Tesla continues to be utilised in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and email clients, and web browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files.” Jim Walter explains.
Based on SentinelOne's latest analysis of the new Agent Tesla variants, the malware can now steal user credentials from some of the most popular and widely used applications, including Google Chrome, Chromium, Safari, Mozilla Firefox, Microsoft Edge, Opera, Microsoft Outlook, Mozilla Thunderbird, OpenVPN and more.
Once the malware harvests the credentials and application configuration data from a targeted program, it delivers this information to its command-and-control (C2) server via FTP or SMTP, using credentials embedded in its internal configuration.
Walter also found out in his research that “current variants of Agent Tesla will often drop or retrieve secondary executables which are then injected into known and vulnerable binaries on a targeted host.”
Agent Tesla remains one of the most actively used data-stealing trojans in attacks against both enterprises and ordinary internet users. The new modules introduced into the malware have made it even more effective at stealing the most sensitive data on a victim's machine.