A new variant of Agent Tesla, the information-stealing trojan, has been identified targeting commonly used applications, thus extending the scope of its attack to every common internet user.

The new avatar

The .NET-based password-stealing trojan is now capable of recording keystrokes and taking screenshots of compromised machines. This new variant adds several additional features.
  • It can collect both app configuration data and user credentials from multiple applications, including Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook, among others.
  • After stealing the credentials, the trojan uploads them to the command and control server via FTP or SMTP.
  • Besides stealing credentials, it can also steal victims’ clipboard contents, collect system information, and stop the installed anti-malware software.
  • The new variant also tries to deliver secondary executables to inject into boundaries present on the target machines.

Recent attacks

  • Agent Tesla has been observed being spread via several malware campaigns, including RATicate and AGGAH Malspam Campaign.
  • In April, spear-phishing campaigns were found dropping the Trojan, while impersonating a well-known Egyptian engineering contractor or a shipment company.

A widespread threat

Agent Tesla has been identified as one of the most actively used malware in attacks. It has also appeared several times in the list of the top 10 malware strains that were submitted to and analyzed by the interactive malware analysis platform Any.Run. In order to prevent such threats, it becomes important for organizations to keep all the applications and operating systems patched, and educate its employees to identify and dodge phishing scams that are an entry point for such threats.

Cyware Publisher