Six-year-old keylogger malware called Agent Tesla has been updated again, this time with expanded targeting and improved data exfiltration features.
Agent Tesla first came into the scene in 2014, specializing in keylogging (designed to record keystrokes made by a user in order to exfiltrate data like credentials and more) and data-stealing. Since then keylogger has only gained momentum – showing up in more attacks in the first half of 2020 compared to the infamous TrickBot or Emotet malware, for instance.
Researchers warn that the newest iteration of the malware, disclosed on Tuesday, is likely to add to this volume of attacks, as threat actors move to adopt the updated version.
“Threat actors who transition to this version of Agent Tesla gain the capability to target a wider range of stored credentials, including those for web browser, email, VPN and other services,” said Aaron Riley, cyber threat intelligence analyst with Cofense in a Tuesday analysis.
Data Exfiltration Tactics
The new version of Agent Tesla includes the ability to target a wider range of stored credentials, such as less popular web browser and email clients.
“This may indicate an increased interest in stolen credentials for a more specialized segment of the market or a particular kind of product or service,” said Riley.
Agent Tesla now includes the ability to scoop up credentials for the Pale Moon web browser, an Open Source, Mozilla-derived web browser available for Microsoft Windows and Linux; and The Bat email client, an email client for the Microsoft Windows operating system, developed by Ritlabs, SRL.
Previously, the malware was discovered to have the ability to harvest configuration data and credentials from a number of more common VPN clients, FTP and email clients and web browsers. That included Apple Safari, BlackHawk, Brave, CentBrowser, Chromium, Comodo Dragon, CoreFTP, FileZilla, Google Chrome, Iridium, Microsoft IE and Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser and Yandex, among others.
The malware also now can use TOR with a key to help bypass content and network security filters, Riley told Threatpost. And, the update includes new networking capabilities that create a more robust set of exfiltration methods, including the use of the Telegram messaging service. While the ability to exfiltrate via a Telegram API “is not new,” Riley told Threatpost it “can point to an upward trend of malware utilizing instant messaging services for [Command and Control] C2 infrastructure.”
The latest version of Agent Tesla showed that the malware has swapped up its targeting. The new version is primarily focused on India. While this was previously a main focus of Agent Tesla, researchers say that the malware has less of a focus on other areas, like the U.S. and Europe.
In addition, Agent Tesla has focused less on previously targeted industries like the technology space, and has ramped up its attacks against internet service providers (ISPs).
“ISPs could be considered a major target for threat actors because of the other industry verticals that rely on them for essential functions,” said Riley. “A compromised ISP could give threat actors access to organizations that have integrations and downstream permissions with the ISP. Subscribers would also be at risk, as ISPs often hold emails or other critical personal data that could be used to gain access to other accounts and services.”
Future of Agent Tesla
Agent Tesla has showed up multiple times this past year in various campaigns. In April 2020 for instance, it was seen in targeted campaigns against the oil-and-gas industry. In August 2020, researchers discovered the malware exploiting the pandemic and adding new features to help it dominate the enterprise threat scene.
Researchers warn that once threat actors realize the benefits from the newest version of the malware, they may transition more quickly as the new features might be necessary.
“Despite the dangerous capabilities of both versions of Agent Tesla, organizations can protect themselves by educating their employees and keeping proper mitigations in place,” said Riley.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Allie Mellen, a security strategist in the Office of the CSO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.