Researchers at Fortinet have discovered a new campaign where a new version of Agent Tesla malware is being distributed.
The old malware’s new version has an updated keylogger, which can steal the usernames and passwords of the target for further exploitation. Also, it’s capable of replacing the Bitcoin wallet addresses to steal the cryptocurrencies.
Agent Tesla Updated Version
Agent Tesla is an old malware, existing since 2014 and so popular among cybercriminals. It’s basically a Remote Access Trojan (RAT) available for as cheap as $15, allowing entry-level cybercriminals to try their hands on breaching accounts.
It’s so appealing because of its simple accessibility and round-the-clock support from makers.
Now, as per Fortinet, there’s a new version of Agent Tesla being distributed through a phishing campaign. Based on the business concept, scammers send emails consisting of a Microsoft Excel attachment titled “Order Requirements and Specs“.
Targets opening the attachment will be prompted to enable Macros, thus downloading the malicious pack (Agent Tesla) in the background.
The deployment is done in various stages, from downloading PowerShell files to tunning a VBScript and scheduling a task – everything is done gradually to remain unsuspicious.
Once in, the RAT will monitor the victim’s activity on the compromised machine and send any new information stolen to the operator every 20 minutes.
Since it specializes in keylogging, Agent Tesla is primarily used to steal sensitive data like banking and other social accounts login credentials. These could be used for further exploitations as the perpetrator desired.
Further, it’s also capable of overlooking and replacing the cryptocurrency wallet addresses like Bitcoin’s.
So, if a victim is found transferring cryptocurrencies to another wallet, Agent Tesla can quickly replace the destination address with that of the perpetrator’s and benefit him in that transaction. Thus, people are advised to scrutinize their emails and financial transactions.