New-look malware can steal passwords from VPN software and web browsers


Security researchers have discovered new variants of the Agent Tesla malware that now include modules capable of stealing credentials from many popular apps including web browsers, VPN software and FTP and email clients.

First discovered back in 2014, Agent Tesla is a keylogger and information stealer that has grown in popularity among cybercriminals over the last two years. The malware was initially sold on various hacker forums and marketplaces and its creators provided customers with the malware itself as well as a management panel to allow them to easily sort the data it collects.

Jim Walter, senior threat researcher at SentinelOne, discovered dedicated code used to collect app configuration data and user credentials after analyzing several new samples of the Agent Tesla malware. Walter provided further insight on the capabilities of these new modules in a blog post, saying:

“Currently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files.”

Agent Tesla variants

SentinelOne's analysis of the latest Agent Tesla variants has revealed that the malware can now steal user credentials from a number of popular applications including Google Chrome, Chromium, Safari, Mozilla Firefox, Microsoft Edge, Opera, Microsoft Outlook, Mozilla Thunderbird, OpenVPN and more.

Once the malware harvests the credentials and app configuration data from a targeted program, it delivers this information to its command-and-control (C2) server via FTP or SMTP, using credentials included in its internal configuration.

Walter also pointed out in his blog post that current variants of Agent Tesla will often “drop or retrieve secondary executables” which are then injected into known and vulnerable binaries on a targeted host.

While Agent Tesla has been around for years, the new modules that have been added to the malware make it even more effective at stealing user data.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.