AgentTesla Malware Has Updated Data Harvesting Capabilities
Information Stealer Remains Popular With Fraudsters and BEC Gangs
An updated version of the AgentTesla information-stealing malware now boasts additional data harvesting capabilities, including the ability to target more web browsers and email clients, according to a report released this week by security firm Cofense.
AgentTesla was first uncovered by security researchers in 2014. Since then, its developers have steadily added to its capabilities. One recent update that was spotted in August by analysts with Sentinel Labs found the malware could steal credentials from VPNs, web browsers, FTP files and email clients (see: Beware: AgentTesla Infostealer Now More Powerful).
Since the start of the COVID-19 pandemic, AgentTesla has become popular with fraudsters and cybercriminals due to its ability to steal a large range of data from targeted victims and its relatively low licensing fees, which the Sentinel Labs analysis found range from $12 for a monthly rental to $35 for a six-month lease.
AgentTesla, which is typically distributed using phishing emails, has also become popular with business email compromise gangs who deploy the malware to gather information on potential victims and to assist in monitoring email communications (see: Interpol Busts Massive Nigerian BEC Gang).
The Cofense analysts note that while AgentTesla already could target most of the popular web browsers, such as Google Chrome, Mozilla Firefox and Microsoft Edge, its creators have added the ability to target lesser-known browsers as well as email clients. This includes Pale Moon, an open-source web browser that works with Windows and Linux, and The Bat email client, which is maintained by Ritlabs and works with Windows devices, says Aaron Riley, cyber threat intelligence analyst at Cofense.
The reason for targeting some of the more obscure web browsers is to "get a higher hit rate for browser-based credentials by going after all of the browsers available to users and not just the top three or so. Also, different operating systems can and do use different web browsers," Riley tells Information Security Media Group.
The updated version of AgentTesla can now communicate with its operators over the anonymous Tor network, which can better hide communications and allow fraudsters to bypass security features when exfiltrating data from a targeted device, Riley notes.
"It does use Tor and the benefits are for evasion of content and network filtering," Riley says. "The way in which Tor works limits the security stack to what it can see and alert on."
Researchers also found the newer version can exfiltrate data using legitimate, secure communications services such as Telegram.
"The update also includes networking capabilities that create a more robust set of exfiltration methods, including the use of the Telegram messaging service - adding to an overall trend of abusing trusted platforms to evade network-based detection," the Cofense report notes.
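The detection gap Cofense describes is that traffic to Tor or to a trusted platform such as Telegram looks unremarkable to a network filter. One defensive counter is to correlate destination with the originating process on the endpoint, where a non-browser, non-messenger process reaching a messaging API or a local Tor SOCKS port stands out. The hunting script below is an added example, not code from the Cofense report or from AgentTesla; the telemetry lines, the `process|host|port` record format, the process allowlists and the hostname list are constructed assumptions (api.telegram.org is the real Telegram Bot API host, and 9050/9150 are the default SOCKS ports of a Tor client and Tor Browser).

```python
"""Hunt endpoint network telemetry for exfiltration over trusted services.

Constructed example for illustration; not part of the Cofense report.
Each record mimics an EDR network-connection event: process, destination
host, destination port, joined by '|'. Allowlists are assumed baselines
that a real deployment would derive from its own environment.
"""
from dataclasses import dataclass

# Trusted platforms an infostealer may abuse for exfiltration (the page
# names Telegram). api.telegram.org is the real Bot API host; the set itself
# is an assumption for this example.
ABUSABLE_HOSTS = {"api.telegram.org"}
# Processes normally expected to reach those hosts (assumed baseline).
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Default local SOCKS ports of a Tor client (9050) and Tor Browser (9150).
TOR_SOCKS_PORTS = {9050, 9150}
# Processes expected to talk to a local Tor SOCKS port (assumed baseline).
TOR_CAPABLE_PROCESSES = {"tor.exe", "firefox.exe"}


@dataclass(frozen=True)
class NetEvent:
    process: str
    dest_host: str
    dest_port: int


def parse_event(line):
    """Parse one 'process|host|port' record (constructed format)."""
    process, host, port = line.strip().split("|")
    return NetEvent(process.lower(), host.lower(), int(port))


def classify(event):
    """Return a finding label for a suspicious event, or None if benign."""
    # Rule 1: trusted-platform API contacted by a process that should not need it.
    if event.dest_host in ABUSABLE_HOSTS and event.process not in EXPECTED_PROCESSES:
        return "unexpected-process-to-trusted-platform"
    # Rule 2: loopback connection to a Tor SOCKS port from an unexpected process,
    # a sign that malware ships or drives its own Tor client.
    if (event.dest_host in ("127.0.0.1", "localhost")
            and event.dest_port in TOR_SOCKS_PORTS
            and event.process not in TOR_CAPABLE_PROCESSES):
        return "possible-embedded-tor-client"
    return None


def hunt(lines):
    """Classify raw telemetry lines; return (process, host, port, label) tuples."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        label = classify(event)
        if label is not None:
            findings.append((event.process, event.dest_host, event.dest_port, label))
    return findings


# Constructed sample telemetry: two benign browser/mail flows, one allowlisted
# Tor Browser flow, and two flows from an unknown dropped executable.
SAMPLE_TELEMETRY = [
    "chrome.exe|api.telegram.org|443",
    "outlook.exe|smtp.office365.com|587",
    "firefox.exe|127.0.0.1|9150",
    "dropped.exe|api.telegram.org|443",
    "dropped.exe|127.0.0.1|9050",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TELEMETRY):
        print(finding)
```

Both rules key on process identity rather than destination reputation, which is exactly what a network-only filter lacks once traffic rides Tor or a trusted API over TLS; the allowlists are where an analyst tunes out legitimate messenger and Tor Browser use.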
Focus on ISPs
Since the updated version of AgentTesla was spotted in August, the Cofense researchers note that it has mainly targeted victims in India, the U.S. and Europe.
The report also notes that, unlike older versions of AgentTesla that targeted utilities, financial services and the oil and gas industries, fraudsters are now using the latest version against ISPs.
"ISPs could be considered a major target for threat actors because of the other industry verticals that rely on them for essential functions," according to the Cofense report. "A compromised ISP could give threat actors access to organizations that have integrations and downstream permissions with the ISP."