This phishing email is pushing password-stealing malware to Windows PCs

An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers.

Phishing: Why email is such an easy target for hackers

A phishing campaign is delivering a new variant of one of the oldest forms of remote access trojan (RAT) malware in an effort to steal usernames, passwords and other sensitive information. It also aims to steal cryptocurrency from the victim.

Agent Tesla first emerged in 2014 and it remains a common form of malware today. The malware is focused on stealing sensitive information from compromised Windows machines with the aid of a keylogger, which sends what the victim is typing to the attacker – allowing them to see usernames, passwords, and more.

Now researchers at Fortinet have detailed a new Agent Tesla campaign that distributes an updated version of the malware via phishing emails.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

The malicious messages are designed to look like a business email – for example, one asks the user to open a Microsoft Excel attachment titled "Order Requirements and Specs". The document contains a macro which, if run, starts a process that executes and downloads Agent Tesla onto the machine.

This is done across a number of different stages, including downloading PowerShell files, running VBScript and creating a schedule task, all to help mask the installation of the malware, allowing the attacker to secretly monitor activity on the machine. This version of Agent Tesla pings the operator every 20 minutes, sending them any new input detected.

In addition to this, the attack also hijacks any bitcoin wallet on the victim's device. By monitoring activity on the machine and the abuse of PowerShell code, the attacker can monitor for a valid bitcoin address. If this is spotted, the code modifies the bitcoin address and changes it to one owned by the attacker, allowing them to steal cryptocurrency transfers.

Despite being around since 2014, Agent Tesla remains popular with cyber criminals by remaining effective and being relatively cheap: it can cost as little as $15 to buy a license on underground forums.

SEE: Network security policy (TechRepublic Premium)

In addition to low cost, the authors of Agent Tesla offer 24/7 technical support, allowing it to serve as an entry point for less sophisticated cyber criminals – while still being potentially damaging to any person or organisation that falls victim to the malware.

Many of the attacks continue to be distributed by phishing emails – which means if the right precautions are taken, falling victim can be avoided. Cybersecurity researchers recommend using antivirus software to detect suspicious activity, while users should be careful when it comes to opening attachments from unknown sources with unexpected emails.

MORE ON CYBERSECURITY