Malware never gets old; the older a family is, the trickier its iterations tend to become. Recently, the Agent Tesla keylogger received a slight modification and expansion of its tactics, targets, and data exfiltration features, according to Cofense researchers.
Agent Tesla’s expansion
The newer variant of the Agent Tesla malware gives an attacker the capability to target a wider range of stored credentials, including those for email clients, web browsers, VPNs, and other services.
- This variant can steal credentials from the Pale Moon web browser (an open-source browser) and The Bat! email client.
- The update comes with new networking capabilities and more robust exfiltration methods, such as the use of the Telegram messaging service. It can also use Tor with a key to help bypass content filters and network security controls.
- The new version is primarily focused on India; however, it also targets other regions, including the U.S., Europe, and Brazil.
- Agent Tesla has now ramped up its attacks against internet service providers (ISPs) and other technology firms.
- Utilities and financial services are among the industries most targeted by this new variant.
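The Telegram exfiltration detail above is something a defender can turn into a simple detection. The following is an added example (not code from Cofense or from the article) that scans constructed proxy log lines for connections to the Telegram API domain from processes that are not a known messaging client. The log format, the host names, and the process allowlist are assumptions made for this example; api.telegram.org is Telegram's real API endpoint, but which endpoint the malware actually contacts is not stated in the article.

```python
import re
from collections import Counter

# Constructed sample proxy log lines for this example (not real telemetry).
# Format assumed here: <timestamp> <host> <process> <destination>:<port>
SAMPLE_LOG = """\
2020-12-01T09:14:02Z ws-17 outlook.exe api.telegram.org:443
2020-12-01T09:14:05Z ws-17 Telegram.exe api.telegram.org:443
2020-12-01T09:15:11Z ws-22 svchost.exe updates.example.com:443
2020-12-01T09:16:40Z ws-17 outlook.exe api.telegram.org:443
2020-12-01T09:17:03Z ws-31 winword.exe api.telegram.org:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dest>[^:\s]+):(?P<port>\d+)$"
)

# Domain watched for possible stealer exfiltration (real Telegram API host).
WATCHED_DOMAINS = {"api.telegram.org"}
# Processes that are legitimately expected to talk to Telegram (assumption).
EXPECTED_PROCESSES = {"telegram.exe"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return entries where a non-allowlisted process reached a watched domain."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or malformed lines rather than failing
        if entry["dest"].lower() not in WATCHED_DOMAINS:
            continue
        if entry["proc"].lower() in EXPECTED_PROCESSES:
            continue  # a real Telegram client; not interesting on its own
        findings.append(entry)
    return findings


def summarize(findings):
    """Count suspicious connections per (host, process) pair for triage."""
    return Counter((f["host"], f["proc"]) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for (host, proc), n in summarize(hits).items():
        print(f"{host}: {proc} contacted Telegram API {n} time(s)")
```

On the constructed input, the Office processes on ws-17 and ws-31 are flagged while the genuine Telegram client is not; in practice the allowlist would be tuned to the environment and the alert correlated with process ancestry, since a mail or document process reaching a messaging API is the anomaly worth investigating.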
Recent malware enhancements
In recent times, several malware operators have been observed enhancing their malware by adding new capabilities.
- Last month, the TA416 APT was observed using a new Golang version of its PlugX malware loader in spear-phishing attacks against a range of victims, including the Vatican and diplomats in Africa.
- In the same month, a new variant of the Muhstik botnet was identified targeting Tomato routers and exploiting Oracle WebLogic Server vulnerabilities (CVE-2019-2725 and CVE-2017-10271) and a Drupal RCE flaw (CVE-2018-7600).
Enhancements like these most likely sharpen attackers' toolsets and widen the scope of their attacks. Experts therefore advise organizations to stay protected by using anti-malware software and firewalls, and by providing appropriate training to their employees.