New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. [...]
After analyzing recently collected samples of the infostealer malware, researchers discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.
"The malware has the ability to extract credentials from the registry as well as related configuration or support files," SentinelOne senior threat researcher Jim Walter explains.
Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.
Once it harvests credentials and app config data, the infostealer will deliver it to its command-and-control (C2) server via FTP or STMP using credentials bundled within its internal configuration.