Cyber-criminals harvest Wi-Fi credentials with updated Agent Tesla malware

News by Rene Millman

New Agent Tesla malware module used to steal Wi-Fi passwords from infected systems.

Security researchers have discovered new variants of the Agent Tesla malware that come with modules for stealing Wi-Fi passwords.

According to a blog post by Malwarebytes, the Agent Tesla .NET-based infostealer was originally used by its developers to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. But the malware has now been found to contain the capability to steal Wi-Fi profiles.

Researchers said that the module could possibly allow hackers to spread malware to other machines.

Agent Tesla has been around since 2014 and recently has been actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.  

The malware has an executable embedded as an image resource, which is extracted and executed at run-time. This executable also has a resource that is encrypted and can check to see if it is being debugged, sandboxed, or run in virtualisation mode. When those checks are done, it injects the content of the resource into itself.

A second payload is the main component of AgentTesla that steals credentials from browsers, FTP clients, wireless profiles, and others. Researchers said the malware is heavily obfuscated to make the analysis more difficult.

To steal Wi-Fi information, a new "netsh" process is created with "wlan show profile" passed as its argument. Available Wi-Fi profile names are then extracted by applying the regex "All User Profile * :  (?<profile>.*)" to the stdout output of the process.

A second command is then executed for each profile to extract its credential: "netsh wlan show profile PROFILENAME key=clear"
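The two netsh invocations described above (an enumeration run followed by per-profile `key=clear` runs, spawned by the same parent within a short window) are a usable detection pattern in process-creation telemetry. The following is an added example, not code from the article or from Malwarebytes; the event format (a dict per process start with a timestamp, parent PID, image paths and command line, as a Sysmon Event ID 1 or EDR feed would provide), the sample events and the list of "expected" interactive parents are all assumptions to be tuned per environment.

```python
"""Flag the Wi-Fi profile harvesting sequence (netsh wlan show profile,
then netsh wlan show profile <name> key=clear) in process-creation logs.
Added example; the event schema and thresholds are assumptions."""
import re
from collections import defaultdict

# The two netsh invocations described in the article.
ENUMERATE_RE = re.compile(r"\bwlan\s+show\s+profiles?\s*$", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bwlan\s+show\s+profile\b.*\bkey\s*=\s*clear\b",
                          re.IGNORECASE)

# Parents from which a human-driven netsh run is plausible (assumption: tune per site).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
WINDOW = 120  # seconds between enumeration and key=clear to count as one sequence

# Constructed sample telemetry (not real events): one infected process (ppid 812)
# enumerates profiles and dumps two of them; the rest is benign admin activity.
SAMPLE_EVENTS = [
    {"ts": 100, "ppid": 812, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "netsh wlan show profile"},
    {"ts": 101, "ppid": 812, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": 'netsh wlan show profile "CorpWiFi" key=clear'},
    {"ts": 102, "ppid": 812, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": 'netsh wlan show profile "Guest" key=clear'},
    {"ts": 500, "ppid": 300, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface ip show config"},
    {"ts": 600, "ppid": 301, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "netsh wlan show profile"},
    {"ts": 700, "ppid": 302, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'netsh wlan show profile "HomeNet" key=clear'},
]


def basename(path):
    """Last path component, lower-cased, for both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Return 'key_clear', 'enumerate' or None for one netsh command line."""
    if KEY_CLEAR_RE.search(cmdline):
        return "key_clear"
    if ENUMERATE_RE.search(cmdline):
        return "enumerate"
    return None


def detect(events):
    """Return a list of alert dicts, in time order, for netsh process starts.

    Enumeration alone from an unexpected parent is low severity; key=clear is
    medium on its own, high when the parent is unexpected or when the same
    parent enumerated profiles within WINDOW seconds (the two-step sequence).
    """
    alerts = []
    enum_times = defaultdict(list)  # ppid -> timestamps of enumeration runs
    for ev in sorted(events, key=lambda e: e["ts"]):
        if basename(ev["image"]) != "netsh.exe":
            continue
        kind = classify(ev["cmdline"])
        if kind is None:
            continue
        parent = basename(ev["parent_image"])
        unusual_parent = parent not in EXPECTED_PARENTS
        if kind == "enumerate":
            enum_times[ev["ppid"]].append(ev["ts"])
            if unusual_parent:
                alerts.append({"severity": "low", "rule": "wlan-profile-enumeration-unusual-parent",
                               "ppid": ev["ppid"], "parent": parent, "cmdline": ev["cmdline"]})
            continue
        # key=clear run: escalate on the enumerate-then-dump sequence or an odd parent.
        rule, severity = "wlan-profile-key-clear", "medium"
        if any(ev["ts"] - t <= WINDOW for t in enum_times[ev["ppid"]]):
            rule, severity = "wlan-credential-harvest-sequence", "high"
        elif unusual_parent:
            severity = "high"
        alerts.append({"severity": severity, "rule": rule, "ppid": ev["ppid"],
                       "parent": parent, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["parent"], "->", alert["cmdline"])
```

Run against the constructed sample, the infected parent produces one low-severity enumeration alert and two high-severity sequence alerts, the PowerShell enumeration is silent, and the lone `key=clear` from cmd.exe is reported at medium. Correlating on the parent PID rather than on the command line alone is what separates the article's harvesting pattern from an administrator checking a single profile.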

“In addition to WiFi profiles, the executable collects extensive information about the system, including FTP clients, browsers, file downloaders, and machine info (username, computer name, OS name, CPU architecture, RAM) and adds them to a list,” said researchers.

Researchers added that since AgentTesla added the WiFi-stealing feature, they believed the threat actors may be considering using WiFi as a mechanism for spreading malware, similar to what was observed with Emotet.

“Another possibility is using the WiFi profile to set the stage for future attacks,” they said.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that stealing Wi-Fi credentials is a very targeted attack and this one in particular looks to be a rather clever attack, obfuscated to researchers.  

“The best defence is to have a separate network for the core business that is heavily secured using only known devices. When employees demand Wi-Fi at work they must always be on a separated network with no access to files. This will mitigate this risk of attacks similar to those seen here,” he said.

Geraint Williams, CISO of GRCI, told SC Media UK that in the event of an infection, users should disconnect any infected devices from the internet but not turn them off, thoroughly clean them, then restore them to baseline settings.

“You will need to figure out whether any information has been exfiltrated and if so, decide what to do – such as changing Wifi credentials. You should also consider reporting the attack to organisations like the National Cyber Security Centre, which monitor cyber-crime activity and can help investigate and prosecute the criminals behind the attack,” he said.
