skip to Main Content

Cybercrime, new AgentTesla infostealer variant is on the wild

Malwarebytes: Cybercrime is spreading a new version of the AgentTesla infostealer. It has new features, as the capability to steal WiFi profiles

AgentTesla has a new variant. It has been discovered by Malwarebytes cyber security experts. The .Net-based infostealer has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. The actor behind this malware is constantly maintaining it by adding new modules. One of them is the capability to steal WiFi profiles. The malicious code was first seen in 2014, and has been frequently used by cybercrime in various campaigns since. During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents. Newer variants of AgentTesla seen in the wild have the capability to collect information about a victim’s WiFi profile, possibly to use it as a way to spread onto other machines.

The cyber security experts: The malware is .NET based and all the strings are decrypted by Rijndael algorithm

According to the cyber security experts, the Agent Tesla variant was written in .Net. It has an executable embedded as an image resource, which is extracted and executed at run-time. This (ReZer0V2) also has a resource that is encrypted. After doing several anti-debugging, anti-sandboxing, and anti-virtualization checks, the executable decrypts and injects the content of the resource into itself. The second payload is the main component of the malware that steals credentials from browsers, FTP clients, wireless profiles, and more. The sample is heavily obfuscated to make the analysis more difficult for researchers. To collect wireless profile credentials, a new “netsh” process is created by passing “wlan show profile” as argument. Available WiFi names are then extracted by applying a regex on the stdout output of the process. All the strings used by the info stealer are encrypted and are decrypted by Rijndael symmetric encryption algorithm.

Back To Top