keylogger malware

Agent Tesla keylogger gets data-theft and targeting updates


Agent Tesla first appeared on the scene in 2014, specializing in keylogging (recording the user's keystrokes to steal data such as credentials) and data theft. Since then, keyloggers have gained momentum: for example, there were more keylogger attacks in the first half of 2020 than attacks involving the infamous TrickBot or Emotet malware.

The infamous keylogger has changed its targeting strategy and now collects credentials stored by less popular web browsers and email clients.

The six-year-old keystroke-logging malware, called Agent Tesla, has been updated again, this time to expand its target range and improve its data-exfiltration capabilities.

The latest version of the malware (disclosed on Tuesday) could increase the number of such attacks as threat actors gradually adopt the newer version, the researchers warned.

"A threat actor who has transitioned to this version of Agent Tesla gains the capability to target a broader range of stored credentials, including web browsers, email, VPN and other services," said Alan Riley, an analyst with Cofense Network Threat Intelligence, in an analysis published Tuesday.

Data exfiltration strategy

The new version of Agent Tesla can harvest credentials from a wider range of stores, including less popular web browsers and email clients.

"This may indicate an increase in interest in stolen credentials for more specialized markets, or for specific types of products or services," Riley said.

Agent Tesla can now obtain credentials from the Pale Moon web browser, an open-source, Mozilla-derived browser available for Microsoft Windows and Linux, and from The Bat! e-mail client, developed by Ritlabs, SRL for the Microsoft Windows operating system.

Previously, the malware was already able to collect configuration data and credentials from many more common VPN clients, FTP clients, email clients and web browsers. These include Apple Safari, BlackHawk, Brave, CentBrowser, Chromium, Comodo Dragon, CoreFTP, FileZilla, Google Chrome, Iridium, Microsoft Internet Explorer and Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQ Browser and Yandex.

Riley told Threatpost that the malware can now also use Tor, with keys, to help bypass content and network security filters. The update also includes new networking capabilities that give it a more powerful set of exfiltration methods, including the use of the Telegram messaging service. Riley told Threatpost that while exfiltration through the Telegram API is not new, it "points to an upward trend in malware using instant messaging services for [command and control] C2 infrastructure."
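Because a legitimate messaging client and a stealer both reach the same Telegram Bot API endpoints, the useful defender signal is which process on the host is doing it and which API method it calls. The script below is an added example, not code from the original article or from Cofense: it walks a few constructed proxy-log lines (timestamp, host, process, URL) and flags Bot API calls from any process outside an allowlist, raising severity for methods that carry data off the host. The process allowlist, the `EXFIL_METHODS` watchlist and the log line format are all assumptions made for this example; `api.telegram.org` is the real Bot API host.

```python
"""Flag Telegram Bot API use by unexpected processes in proxy logs (added example)."""
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the article): timestamp host process url.
# The bot token is replaced by a placeholder so nothing here is a real credential.
SAMPLE_LOGS = [
    "2021-02-02T10:01:12Z ws-17 chrome.exe https://www.example.com/",
    "2021-02-02T10:03:45Z ws-17 Telegram.exe https://api.telegram.org/bot<bot_token>/getUpdates",
    "2021-02-02T10:05:02Z ws-17 invoice.exe https://api.telegram.org/bot<bot_token>/sendDocument",
    "2021-02-02T10:05:09Z ws-23 svchost.exe https://api.telegram.org/bot<bot_token>/sendMessage",
    "2021-02-02T10:06:00Z ws-23 updater.exe https://api.telegram.org/bot<bot_token>/getMe",
]

# Processes expected to talk to the Bot API in this environment (assumption for the example).
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}

# Bot API methods that push content out of the host; hypothetical watchlist for this example.
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}

# Matches https://api.telegram.org/bot<token>/<method>; only the method name is captured.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(\w+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    method: str
    severity: str


def parse_line(line):
    """Split one constructed log line into (timestamp, host, process, url), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)


def analyze(lines):
    """Return a Finding for every Bot API call made by a process not on the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, proc, url = rec
        match = BOT_API_RE.match(url)
        if not match:
            continue  # not a Telegram Bot API call
        if proc.lower() in ALLOWED_TELEGRAM_PROCESSES:
            continue  # expected client, nothing to report
        method = match.group(1)
        # Outbound-content methods are the likely exfiltration channel; anything else is still odd.
        severity = "high" if method.lower() in EXFIL_METHODS else "medium"
        findings.append(Finding(ts, host, proc, method, severity))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.timestamp} {f.host} {f.process} -> {f.method}")
```

In a real deployment the same logic applies to DNS or TLS SNI telemetry, and the allowlist should come from the endpoint inventory rather than a hard-coded set.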

Shifting targets

The latest version of Agent Tesla shows that the malware has changed its targeting. The new version is aimed mainly at India. The researchers said it is now less focused on regions that were previously a major concern for Agent Tesla, such as the United States and Europe.


New Agent Tesla targeting. Credit: Cofense

In addition, Agent Tesla now pays less attention to the technology sector and other previously targeted industries, and has increased its attacks on Internet service providers (ISPs).

"ISPs are seen as a prime target for threat actors because other vertical industries depend on their basic functions," Riley said. "A compromised ISP may enable threat actors to access organizations that have integrations and downstream privileges with the ISP. Subscribers will also be at risk, because ISPs often hold e-mail or other important personal data that can be used to gain access to other accounts and services."

The future of Agent Tesla

Agent Tesla appeared in many campaigns last year. In April 2020, for example, it was used in a targeted campaign against the oil and gas industry. In August 2020, researchers identified a variant that took advantage of the pandemic and added new features that helped it dominate the enterprise threat landscape.

The researchers warn that once threat actors become aware of the benefits of the latest version, they may transition to it faster, given the likely demand for its new features.

"While both versions of Agent Tesla have dangerous features, organizations can protect themselves by educating employees and taking appropriate mitigation measures," Riley said.