An updated version of Agent Tesla steals passwords from browsers and VPN clients

Updated version of Agent Tesla
Written by Emma Davis

SentinelOne experts warned that the updated version of Agent Tesla malware is equipped with modules for stealing credentials from applications, including browsers, FTP and email clients, as well as VPN solutions.

The main delivery mechanism for Agent Tesla is email (phishing messages). Attackers often use their social engineering baits in the context of an event, and the current pandemic has become a boon for cybercriminals.

In the past few months, attackers have been spreading Tesla’s agent through COVID-themed messages, often masquerading as information or updates from the WHO (World Health Organization). Moreover, this malware was among the leaders in the use of the pandemic theme.

Currently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage and manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files”, — report SentinelOne researchers.

Malware is interested in: browsers Google Chrome, Chromium, Safari, Mozilla Firefox and Brave; FileZilla FTP client, Mozilla Thunderbird and Outlook email clients, and OpenVPN.

However, the malware is not limited to these applications only (a complete list can be found at the end of this material).

After collecting the necessary credentials and information about application settings on the victim’s machine, the info-stealer sends them to its control server via FTP or STMP.

Experts also write that Agent Tesla often delivers additional malicious binaries to infected machines or uses vulnerable files that already exist on target hosts for these purposes.


Agent Tesla is an advanced RAT, that is, a remote access Trojan known to information security experts since 2014. The malicious program is written in .Net and is capable of monitoring and collecting input from the victim’s keyboard, from the clipboard, taking screenshots and extracting credentials related to various programs installed on the victim’s computer. Malware can also disable antivirus solutions and processes that try to analyze it and interfere with its work.

Let me remind you that this malware was seen in attacks on gas and oil companies.

List of applications that malware attacks:

  • 360 Browser
  • Apple Safari
  • Becky! Internet Mail
  • BlackHawk
  • Brave
  • CentBrowser
  • CFTP
  • Chedot
  • Chromium (general)
  • Citrio
  • Claws Mail
  • Coccoc
  • Comodo Dragon
  • CoolNovo
  • CoreFTP
  • CyberFox
  • Elements
  • Epic Privacy
  • FileZilla
  • FlashFXP
  • Flock
  • Google Chrome
  • IceCat
  • IceDragon
  • IncrediMail
  • Iridium
  • KMeleon
  • Kometa
  • Liebao
  • Microsoft IE & Edge
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • OpenVPN
  • Opera
  • Opera Mail
  • Orbitum
  • PaleMoon
  • Postbox
  • QIP Surf
  • Qualcomm Eudora
  • SeaMonkey
  • Sleipnir 6
  • SmartFTP
  • Sputnik
  • Tencent QQBrowser
  • The Bat! Email
  • Torch
  • Trillian Messenger
  • UCBrowser
  • Uran
  • Vivaldi
  • WaterFox
  • WinSCP
  • Yandex
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply