The new variants are more dangerous than previous versions of the malware. They now sport a module that enables them to scrape WiFi passwords from devices they invest.
That will enable them to lurk in the background and install additional malware later, even after the initial infection has been found and cleared. It also makes these new variants to compromise other systems that reside on, or connect to the same compromised wireless network.
The authors of the new variants took pains to heavily obfuscate the code to make it more difficult to detect. The new capabilities revolve around the addition of a combination of the “netsh” command, coupled with a “wlan show profile” argument that lists all available WiFi profiles in a convenient format.
To actually get at the passwords, once the netsh command is run, a key-clear argument is used to show and extract the password for each profile in plain text format.
A report compiled by Malwarebytes had this to say about the newly discovered code:
“In addition to wifi profiles, the executable collects extensive information about the system including FTP clients, browsers, file downloaders, machine info (username, computer name, OS name, CPU architecture, RAM) and adds them into a list. We believe this may be used as a mechanism to spread, or perhaps to set the stage for future attacks.”
Agent Tesla isn’t the only malware to have been upgraded in recent months. Emotet, which went for more than two years without a significant upgrade, has recently been spotted in the wilds sporting new WiFi stealing capabilities. It seems to point to a newly emerging trend in the hacking world.