AgentTesla: Activity Over the Years
AgentTesla is an information stealer that first appeared in 2014 and has been in widespread use in the years since. Written in .NET, it is a full-featured stealer that can:
- Steal saved credentials from a wide range of web browsers and email clients
- Collect saved keys and credentials from various SSH/FTP clients
- Log keystrokes
- Harvest data from the clipboard
- Take screenshots and video
- Carry out form-grabbing attacks against login pages for common websites
- Gather saved credentials for known WiFi networks (first seen in early 2020)
It is sold openly through its own website (whose name and hosting location have changed over the years), which presents it as a legitimate monitoring program for personal computers. The user guides describing malicious deployment scenarios and the many evasion techniques added over the years make clear that this is not its real purpose.
In 2018 KrebsOnSecurity published an article investigating the identity of the AgentTesla author and concluded that it was likely developed by a Turkish citizen. The malware remains in widespread use in 2020, with new versions such as the WiFi-stealing variant mentioned above and active customer support for buyers.
Collects Local Credentials from Browsers, Email Clients, FTP Software, etc.
As mentioned above, AgentTesla targets credentials stored locally by many common web browsers, messaging applications, email clients and FTP/SSH software.
The exact list of locations accessed varies slightly between versions, but it is consistently an extensive set of file and registry paths. An example of some of these can be seen below.
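One way a defender can turn this collection behaviour into a detection, shown here as an added example that is not part of the original page or of AgentTesla itself: set a SACL that audits reads on the credential store files a stealer goes after, then flag Security event 4663 reads by any process other than the application that owns the store. The path patterns below are well-known store locations for Chrome, Firefox and FileZilla, not a list recovered from an AgentTesla sample, and the audit records are constructed and simplified.

```python
import re
from collections import defaultdict

# Well-known local credential stores (a small subset of what infostealers go
# after; NOT a list recovered from an AgentTesla sample) mapped to a lowercase,
# forward-slash regex on the audited object path and the executables expected
# to open that store.
CREDENTIAL_STORES = {
    "chrome_logins":    (r"/google/chrome/user data/[^/]+/login data$", {"chrome.exe"}),
    "firefox_logins":   (r"/mozilla/firefox/profiles/[^/]+/logins\.json$", {"firefox.exe"}),
    "firefox_keydb":    (r"/mozilla/firefox/profiles/[^/]+/key4\.db$", {"firefox.exe"}),
    "filezilla_sites":  (r"/filezilla/sitemanager\.xml$", {"filezilla.exe"}),
    "filezilla_recent": (r"/filezilla/recentservers\.xml$", {"filezilla.exe"}),
}

# Constructed, simplified object-access audit records carrying the fields of
# Windows Security event 4663 that matter here. Assumes a SACL auditing reads
# has been set on the store files. Not real telemetry; update.exe stands in
# for a stealer dropped into the roaming profile.
SAMPLE_EVENTS = [
    r"event=4663|process=C:\Program Files\Google\Chrome\Application\chrome.exe|object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data|access=ReadData",
    r"event=4663|process=C:\Program Files\Mozilla Firefox\firefox.exe|object=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db|access=ReadData",
    r"event=4663|process=C:\Users\alice\AppData\Roaming\update.exe|object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data|access=ReadData",
    r"event=4663|process=C:\Users\alice\AppData\Roaming\update.exe|object=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json|access=ReadData",
    r"event=4663|process=C:\Users\alice\AppData\Roaming\update.exe|object=C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml|access=ReadData",
    r"event=4663|process=C:\Windows\explorer.exe|object=C:\Users\alice\Documents\notes.txt|access=ReadData",
    r"event=4663|process=C:\Users\alice\AppData\Roaming\update.exe|object=C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml|access=WriteData",
]


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def image_name(path):
    """Lowercased executable file name of a Windows image path."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def classify_store(object_path):
    """Return (store_name, owning_executables) if the path is a known store, else None."""
    normalized = object_path.lower().replace("\\", "/")
    for name, (pattern, owners) in CREDENTIAL_STORES.items():
        if re.search(pattern, normalized):
            return name, owners
    return None


def suspicious_reads(lines):
    """Map each process image to the sorted list of credential stores it read
    without being that store's owning application. Writes are ignored: the
    behaviour of interest is reading someone else's secrets."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "4663" or "readdata" not in ev.get("access", "").lower():
            continue
        match = classify_store(ev.get("object", ""))
        if match is None:
            continue
        store, owners = match
        process = ev.get("process", "")
        if image_name(process) not in owners:
            hits[process].add(store)
    return {process: sorted(stores) for process, stores in hits.items()}


def severity(stores):
    """One foreign read may be a backup or migration tool; a single process
    touching several different stores is the stealer pattern."""
    return "high" if len(stores) >= 2 else "medium"


if __name__ == "__main__":
    for process, stores in suspicious_reads(SAMPLE_EVENTS).items():
        print(f"{severity(stores):6} {process} read {', '.join(stores)}")
```

The owner check is on the image file name only, so a stealer copied to disk as chrome.exe would pass it; in production compare the full image path or signer as well, and extend the store table with whatever mail, messaging and SSH/FTP clients are deployed in the environment.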
Collects WiFi Profiles
In spring 2020 a new variant of AgentTesla was reported that harvests the credentials of WiFi networks the infected device has previously connected to, taken from the profiles saved on the system.
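On Windows, the passphrase of a saved WiFi profile is exposed with `netsh wlan show profile name=<SSID> key=clear`, and the Malwarebytes analysis cited below describes the module enumerating the saved profiles and running this command for each of them. The following is an added example, not code from this page or from AgentTesla: a detection over process-creation telemetry (constructed, simplified records with the fields Sysmon Event ID 1 or Security event 4688 provide) that scores a burst of `key=clear` invocations from one parent higher when that parent is not an interactive shell. Field names, timestamps and the update.exe parent are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# netsh command shapes that list or dump saved WiFi profiles on Windows;
# 'export profile ... key=clear' writes the passphrase into profile XML files.
WLAN_PROFILE = re.compile(r"\bwlan\s+(show|export)\s+profiles?\b", re.IGNORECASE)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)

# Parents from which an administrator would plausibly type the command by hand.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Constructed, simplified process-creation records (Sysmon Event ID 1 / 4688
# fields), not real telemetry. update.exe in the roaming profile stands in
# for a stealer; the cmd.exe line is an admin checking one network by hand.
SAMPLE_EVENTS = [
    r'time=2020-04-15T09:00:00|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profile name="HomeNet" key=clear',
    r'time=2020-04-15T10:00:00|parent=C:\Users\alice\AppData\Roaming\update.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profile',
    r'time=2020-04-15T10:00:01|parent=C:\Users\alice\AppData\Roaming\update.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profile name="HomeNet" key=clear',
    r'time=2020-04-15T10:00:01|parent=C:\Users\alice\AppData\Roaming\update.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profile name="CoffeeShop" key=clear',
    r'time=2020-04-15T10:00:02|parent=C:\Users\alice\AppData\Roaming\update.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profile name="Corp-Guest" key=clear',
    r'time=2020-04-15T10:05:00|parent=C:\Windows\System32\services.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh interface show interface',
]


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict (first '=' only, so
    '=' inside the command line survives)."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def image_name(path):
    """Lowercased executable file name of a Windows image path."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def classify(ev):
    """None for unrelated processes, 'enumeration' for a bare profile listing,
    'key_disclosure' when the command asks for the passphrase in clear."""
    if image_name(ev.get("image", "")) != "netsh.exe":
        return None
    cmdline = ev.get("cmdline", "")
    if not WLAN_PROFILE.search(cmdline):
        return None
    return "key_disclosure" if KEY_CLEAR.search(cmdline) else "enumeration"


def detect_wifi_harvest(lines, burst_window_s=60, burst_threshold=2):
    """Group netsh wlan profile activity by parent process and score it.
    A stealer lists the profiles and then dumps each one with key=clear from a
    non-interactive parent, producing a tight burst; one command typed into
    cmd.exe scores low."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        kind = classify(ev)
        if kind is not None:
            by_parent[ev["parent"]].append((datetime.fromisoformat(ev["time"]), kind))

    alerts = []
    for parent, events in by_parent.items():
        disclosures = sorted(t for t, kind in events if kind == "key_disclosure")
        if not disclosures:
            continue  # listing SSIDs alone is too common to alert on
        span = (disclosures[-1] - disclosures[0]).total_seconds()
        burst = len(disclosures) >= burst_threshold and span <= burst_window_s
        non_interactive = image_name(parent) not in INTERACTIVE_SHELLS
        if burst and non_interactive:
            severity = "high"
        elif burst or non_interactive:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "parent": parent,
            "key_clear_count": len(disclosures),
            "enumerated": any(kind == "enumeration" for _, kind in events),
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: a["parent"])


if __name__ == "__main__":
    for alert in detect_wifi_harvest(SAMPLE_EVENTS):
        print(alert)
```

The parent-process heuristic is only as good as the telemetry: a stealer that spawns netsh through an intermediate cmd.exe would land in the interactive-shell bucket, so in practice also walk one level up the process tree, and remember that a variant calling the WLAN API directly instead of netsh produces no process-creation event at all.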
KrebsOnSecurity blog (2018) investigating the developer behind AgentTesla.
Malwarebytes blog (2020) on the AgentTesla WiFi stealer module.
Fortinet report on an AgentTesla phishing campaign in early 2020.