Six-year-old malware updated again: new Agent Tesla variant can now steal logins and passwords from web browsers and VPN clients
Agent Tesla is a relatively old Remote Access Trojan (RAT) that resurfaced at the start of 2020 – threat actors began to actively update its code with new capabilities and functions. Security researchers at Sentinel One have now observed a new variant of the malware that has mostly been used to attack businesses and organizations.
The prevalence of the Trojan, especially since the COVID-19 pandemic began, has increased exponentially – Agent Tesla is now more rampant than other data-stealing malware strains with similar functionality, such as Emotet or TrickBot (nonetheless, researchers specified that Dridex attacks remain the most dominant). The new variants that emerged at the start of the global health crisis were also widely observed being delivered via phishing email attacks.
While Agent Tesla was initially used primarily as a keylogger, this .NET-based Trojan has now been equipped with new modules, and it is capable of stealing personal login account data from all commonly used browsers, as well as from VPN, email, and FTP clients. Besides the new functions, Agent Tesla can also gather system information, disable anti-malware software, copy clipboard data, and more.
Agent Tesla's commercial availability ensures large infection rates
Agent Tesla has been around for several years and has been offered for rent to anyone willing to pay. The malware authors used their own website, Agenttesla[.]com (now obsolete), as well as multiple underground marketplaces and forums for distribution. The so-called packages, similar to those offered by legitimate software developers, granted access to the administration and data collection panels.
As noted by security researchers, the Trojan was quickly equipped with modern RAT functionality, including multi-language support, automatic activation upon payment, multiple operating system support, and much more. Prices were also relatively low:
At the time, pricing was quite competitive with a 1 month license selling for $12.00 USD all the way up to 6 month licenses going for $35.00.
New version of Agent Tesla RAT steals credentials from more than 70 clients and apps
Agent Tesla, like many other malware strains of this type, is mainly distributed via targeted phishing emails. The recent variants mostly use emails that present themselves as information leaflets distributed by the World Health Organization (WHO), the United Nations (UN), or similar authorities.
Most of the phishing emails carry a booby-trapped attachment which, once opened, abuses common MS Office vulnerabilities, such as CVE-2017-11882 and CVE-2017-8570, to proceed with the second-stage infection routine.
Once it has gained a foothold, the Agent Tesla RAT is capable of stealing login credentials and other data from more than 70 different applications and clients, including MS Outlook, Google Chrome, Opera, Safari, MS Edge, CFTP, SmartFTP, Yandex, OpenVPN, Thunderbird, and many more. The harvested data is then sent via FTP or SMTP to the cybercriminals' Command & Control servers. Experts from Sentinel One also found that the malware is capable of retrieving other malicious executables, which means that additional malware can be delivered in the process.
Especially concerning is that a VPN is one of the most widespread privacy and security tools used by regular consumers and corporations alike. By stealing the credentials of a VPN that is used, for example, to work from home during the COVID-19 pandemic, cybercriminals might bypass the extra defenses the software provides.
To ensure that Agent Tesla or any other keylogger would not successfully exploit regular users and enterprises by stealing credentials of popular clients