Agent Tesla malware has received an update. The information stealer and keylogger can now steal passwords from browsers, VPN clients, FTP and email clients.
Agent Tesla is a .Net-based remote access Trojan (RAT) that first appeared in 2014. The malware is offered for sale on hacking forums and darknet marketplaces and has proven to be a popular choice with low-level hackers and BEC scammers. The malware can be used in various stages of attacks and has a PHP management panel that allows users to easily sort through the data the malware collects. Agent Tesla is primarily distributed via phishing emails, either through attachments or malicious hyperlinks.
The malware can log keystrokes, copy information from the clipboard, take screenshots, collect system information, and terminate antivirus and antimalware processes to remain undetected on systems. The malware is easily configurable, can send data to its C2 via SMTP or FTP, and achieves persistence with a registry key entry or through scheduled tasks.
Over the past few days, security researchers have identified new versions of the RAT with added modules that allow data to be stolen from web browsers and from FTP, VPN and email clients. One of the new Agent Tesla variants was analyzed by SentinelOne senior threat researcher Jim Walter, who reports in a recent blog post that “The malware has the ability to extract credentials from the registry as well as related configuration or support files. Agent Tesla can also drop secondary executables and inject them into vulnerable binaries on a targeted host.”
While TrickBot may have attracted more attention in the media in recent weeks, Agent Tesla has been used in more attacks in 2020 than TrickBot and ranked second, behind Emotet, in Any.Run’s list of the top 10 threats based on the number of uploaded samples. The competitive pricing ($12 for a month and $35 for 6 months), coupled with its ease of use and wide range of capabilities, is likely to see Agent Tesla continue to be the malware of choice for many hackers for some time to come.