Posted on April 20, 2020 at 9:19 AM
Cybersecurity researchers have confirmed that some hackers are now using an upgraded Agent Tesla to steal Wi-Fi passwords from vulnerable computers.
Security researchers have been working hard to make it very difficult for malware to infiltrate computers. But hackers have been upgrading their hacking tools to be more sophisticated and evade detection. With the Wi-Fi module added to Agent Tesla, the information-gathering Trojan, hackers have found a way to sneak in and install malware they can use for future attacks.
The new module was discovered by the Malwarebytes team, which recently analyzed the highly obfuscated code of Agent Tesla.
How Agent Tesla operates
After gaining access through a phishing attack and infiltrating the target computer, Agent Tesla collects system data and sends it back to the hacker. The retrieved data include information about the RAM and CPU architecture, the system's username, and data from browsers, file downloaders and FTP clients. On top of these, Agent Tesla now collects Wi-Fi credentials as well.
Researchers also found that the malware looks for the wireless network profiles saved on the machine. It then runs a netsh command with a key=clear argument and the SSID, which outputs both the Wi-Fi names and their passwords in plaintext.
The new samples are deeply obfuscated and are crafted by the malware’s creator to retrieve wireless profile credentials from vulnerable computers.
To retrieve the Wi-Fi passwords for the targeted SSIDs (network names), the malware runs a further netsh command, as Malwarebytes researchers found out.
After Agent Tesla collects these details, the hacker has a solid avenue for attacking the computer in the future.
“We believe this may be used as a mechanism to spread malware or perhaps to set the stage for future attacks,” Malwarebytes pointed out.
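As an added detection example (not from the Malwarebytes write-up or this article), the following Python flags the netsh usage described above in process-creation telemetry and rates it by parent process. The event field names, the dropper path and the SSIDs are constructed assumptions.

```python
import re
from collections import defaultdict

# Process-creation telemetry (Sysmon Event ID 1 or Windows 4688) reduced to the
# three fields this detection needs; the field names are an assumed schema.
PROFILE_ENUM = re.compile(r"\bwlan\s+show\s+profiles?\b", re.IGNORECASE)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Label one process-creation event, or return None if it is not of interest."""
    if basename(event["Image"]) != "netsh.exe" or not PROFILE_ENUM.search(event["CommandLine"]):
        return None
    if KEY_CLEAR.search(event["CommandLine"]):
        return "wifi-credential-dump"   # plaintext key requested for a named SSID
    return "wifi-profile-enum"          # listing saved profiles, the usual first step

def find_harvesting(events):
    """Group netsh hits by parent process and report parents that request keys.
    A dropped executable as parent rates 'high'; a shell/Explorer parent 'medium'."""
    by_parent = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_parent[ev["ParentImage"]].append(label)
    alerts = {}
    for parent, labels in by_parent.items():
        dumps = labels.count("wifi-credential-dump")
        if dumps:
            severity = "medium" if basename(parent) in INTERACTIVE_PARENTS else "high"
            alerts[parent] = (severity, dumps)
    return alerts

def ev(parent, cmd, image=r"C:\Windows\System32\netsh.exe"):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd}

# Constructed sample events; the dropper path and SSIDs are made up.
DROPPER = r"C:\Users\u\AppData\Roaming\svc.exe"
SAMPLE_EVENTS = [
    ev(DROPPER, "netsh wlan show profile"),
    ev(DROPPER, 'netsh wlan show profile name="HomeNet" key=clear'),
    ev(DROPPER, 'netsh wlan show profile name="CoffeeShop" key=clear'),
    ev(r"C:\Windows\System32\cmd.exe", "netsh interface ip show config"),
    ev(r"C:\Windows\explorer.exe", "cmd.exe /c dir", image=r"C:\Windows\System32\cmd.exe"),
]
```

Running `find_harvesting(SAMPLE_EVENTS)` reports only the dropper, at high severity, with two plaintext key requests.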
Users can prevent the attack
Security experts have suggested how users can avoid this type of attack. They warn users to be very cautious when opening any suspicious email, when clicking links or attachments in it, or when replying to it.
According to the experts, such emails often carry executable malware that installs itself and runs in the background without the user's knowledge. Agent Tesla can also be delivered inside ZIP and IMG files.
Another malware has also been upgraded with Wi-Fi capability
Apart from Agent Tesla, another malware has been recently upgraded to have the capacity to steal information through Wi-Fi.
Earlier this year, an Emotet Trojan was spotted with a standalone Wi-Fi spreader tool. This allows the Trojan to infiltrate systems connected to nearby vulnerable networks.
Binary Defense researchers stated that the standalone spreader version had been used to attack vulnerable systems for about 2 years without any significant upgrade or changes.
But the Emotet developers recently upgraded the malware with a full Wi-Fi worm module and began using it in the wild, infecting targeted computers that connect to insecure networks.
With this shift toward Wi-Fi-capable malware, the Emotet creators are trying to develop an extremely dangerous and highly sophisticated Wi-Fi worm module. Researchers warn that this new module is likely to be seen in action frequently, as it is already actively used in the wild.
Malware with RAT and keylogging features
Security researchers say Agent Tesla has been around for 6 years as .NET-based information-stealing software. It comes with remote access Trojan (RAT) and keylogging features.
With the increased use of computers at home due to the current pandemic, hackers are taking advantage to expand their operational methods. Between March and April, Agent Tesla was sent through spam campaigns in a wide range of formats, such as office documents, IMG, MSI, CAB, and ZIP files.
Presently, it is one of the tools most commonly spread by business email compromise scammers, who use it to take screenshots and record keystrokes on infected systems.