Agent Tesla Keylogger Gets Nasty Data Theft & Targeting Update!

A 6-year-old keylogger malware called Agent Tesla has been updated again, this time with expanded targeting & improved data exfiltration features.

This infamous keylogger has changed its targeting tactics, & now collects stored credentials for less-popular web browsers & email clients.

Agent Tesla was first seen in 2014, specialising in keylogging (recording the keystrokes a user makes in order to capture data such as credentials) & data-stealing. Since then the keylogger has gained momentum, showing up in more attacks in the first half of 2020 than the ‘infamous’ TrickBot or Emotet malware, for example.

Volume of Attacks

Researchers have now warned that the newest version of the malware, revealed on Tues., is likely to add to the volume of attacks, as threat actors move to use the updated version.

“Threat actors who transition to this version of Agent Tesla gain the capability to target a wider range of stored credentials, including those for web browser, email, VPN & other services,” commented Aaron Riley, Cyber Threat Intelligence Analyst with Cofense in a Tues. analysis.

Data Exfiltration Tactics

The new version of Agent Tesla can target a much wider range of stored credentials, including those of less-popular web browsers & email clients.

“This may indicate an increased interest in stolen credentials for a more specialised segment of the market or a particular kind of product or service,” observed Riley.

Agent Tesla can now scoop up credentials for the ‘Pale Moon’ web browser, an Open Source, Mozilla-derived web browser available for Microsoft Windows & Linux, & for ‘The Bat’ email client, an email client for the Microsoft Windows operating system developed by Ritlabs, SRL.

Configuration Data & Credentials

Previously, the malware was discovered to have the ability to harvest configuration data & credentials from a number of more common VPN clients, FTP & email clients & web browsers.

That included Apple Safari, BlackHawk, Brave, CentBrowser, Chromium, Comodo Dragon, CoreFTP, FileZilla, Google Chrome, Iridium, Microsoft IE & Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser & Yandex, & others.

The malware can now also use Tor with a key to help bypass content & network security filters, Riley explained.

Networking Capabilities

The update includes new networking capabilities that create a more ‘robust set’ of exfiltration methods, including the use of the Telegram messaging service. While the ability to exfiltrate via a Telegram API “is not new,” Riley commented, it “can point to an upward trend of malware using instant messaging services for Command & Control (C2) infrastructure.”
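From a defender's side, Telegram Bot API traffic is easy to spot in web-proxy logs, because every call goes to api.telegram.org with the bot token and method in the URL path. The following script is an added example, not code from the article or from Cofense's analysis: it runs a small detection over a few constructed proxy log lines (the six-column log format, the process names and the placeholder tokens are all assumptions), flags Bot API calls from processes that are not expected to use Telegram, rates upload methods such as sendDocument higher, and records only the numeric bot id so the finding itself does not store the token secret.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample proxy log lines (not real traffic); the column layout is an assumption:
# <timestamp> <client_ip> <process> <http_method> <url> <status>
SAMPLE_PROXY_LOG = """\
2020-09-15T10:01:02Z 10.0.0.12 chrome.exe GET https://www.example.com/index.html 200
2020-09-15T10:01:07Z 10.0.0.12 telegram.exe POST https://api.telegram.org/bot111111:PLACEHOLDER-a/getUpdates 200
2020-09-15T10:02:11Z 10.0.0.34 svchost.exe POST https://api.telegram.org/bot222222:PLACEHOLDER-b/sendDocument 200
2020-09-15T10:03:00Z 10.0.0.56 outlook.exe POST https://outlook.office365.com/mapi 200
2020-09-15T10:04:42Z 10.0.0.78 notepad.exe GET https://api.telegram.org/bot333333:PLACEHOLDER-c/getMe 200
"""

# Telegram Bot API URLs have the form https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)", re.IGNORECASE
)
# Bot API methods that push content into a chat, i.e. the ones an exfiltration channel relies on
UPLOAD_METHODS = {"sendmessage", "senddocument", "sendphoto"}
# Processes expected to talk to the Bot API in this constructed environment (assumption)
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    process: str
    method: str
    severity: str
    bot_id: str  # numeric half of the token only; the secret half is never recorded


def redact_token(token: str) -> str:
    """Keep only the bot id (the part before the colon) so findings do not store the secret."""
    return token.split(":", 1)[0]


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a Telegram Bot API call from an unexpected process, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed line; a real pipeline would count and report these
    timestamp, client_ip, process, _http_method, url, _status = parts
    m = TELEGRAM_BOT_RE.match(url)
    if m is None or process.lower() in ALLOWED_TELEGRAM_PROCESSES:
        return None
    api_method = m.group("method")
    # Uploads are the exfiltration path; other calls still show an unexpected bot in use
    severity = "high" if api_method.lower() in UPLOAD_METHODS else "medium"
    return Finding(timestamp, client_ip, process, api_method, severity, redact_token(m.group("token")))


def analyse_proxy_log(text: str) -> List[Finding]:
    """Run the check over every line of a proxy log and collect the findings."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in analyse_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client_ip} {f.process} -> Telegram {f.method} (bot {f.bot_id})")
```

The allow-list of processes is the part to tune per environment; where Telegram is not sanctioned at all, leave it empty and every Bot API call becomes a finding. Blocking or alerting on api.telegram.org at the proxy is the simplest mitigation for this channel, and the bot id in each finding is enough for Telegram abuse reporting without keeping the token in the SIEM.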

Targeting

The newest version of Agent Tesla also shows a shift in targeting. The new version is focused mainly on India; while India was previously a main target of Agent Tesla as well, researchers say the malware now has less of a focus on other areas, such as the US & Europe.

Agent Tesla has also looked less at previously targeted industries like the technology space & has stepped up its attacks against internet service providers (ISPs).

Compromised ISP

“ISPs could be considered a major target for threat actors because of the other industry verticals that rely on them for essential functions,” commented Riley.

“A compromised ISP could give threat actors access to organisations that have integrations & downstream permissions with the ISP. Subscribers would also be at risk, as ISPs often hold emails or other critical personal data that could be used to gain access to other accounts & services.”

Future of Agent Tesla

Agent Tesla has appeared numerous times throughout 2020 in various campaigns. In April 2020, for example, it was seen in targeted campaigns against the oil-&-gas industry. In Aug. 2020, researchers found the malware exploiting the pandemic & adding updated features to help it stay prominent in the enterprise threat landscape.

Researchers warn that once threat actors realise the benefits of the newest version of this malware, they may migrate to it faster, as these new features may be necessary to them.

“Despite the dangerous capabilities of both versions of Agent Tesla, organisations can protect themselves by educating their employees & keeping proper mitigations in place,” concluded Riley.
