Senior security researchers from SentinelOne found that new variants of the popular Agent Tesla malware are capable of stealing credentials from various applications, including popular web browsers and VPN software. The latest variant is specifically programmed to steal login credentials from Microsoft Outlook, Microsoft Edge, OpenVPN, and browsers including Chrome, Safari, Opera, Mozilla Thunderbird, and Firefox. Jim Walter, a senior threat researcher at SentinelOne, discovered dedicated code used to collect application configuration data and user credentials after analyzing several new samples of the Agent Tesla malware.
A view of some of the software programs targeted by Agent Tesla's new variants. (Source: SentinelOne)

The experts first discovered the malware in June 2018, but it has been available since 2014, when threat actors were observed spreading it via a Microsoft Word document containing an auto-executing malicious VBA macro. Once a user enables the macro, the spyware is installed on the victim's machine.
Agent Tesla is a trojan that steals victims' data by collecting keystrokes, system clipboard contents, screenshots, and credentials from the infected system. To do this, the spyware creates separate threads and timer functions in its main routine.
During the COVID-19 pandemic, the malware gained new functionality and was widely used in coronavirus-themed scams and phishing campaigns. The information the malware collects from infected devices is quickly transferred to the attacker through its panel interface.
Luckily, Agent Tesla isn't as sophisticated as it is believed to be. Its primary mode of distribution is phishing, and recently it has been identified in coronavirus-themed attacks, especially campaigns that distribute emails purporting to come from the WHO.