Tuesday, November 12, 2024
Hackers Stealing WiFi Password Using New AgentTesla Malware

Researchers uncovered a new variant of the AgentTesla malware that threat actors use to steal WiFi passwords and data from different applications such as browsers, FTP clients, and file downloaders.

AgentTesla was first observed in 2014. Since then, the malware has been used frequently by various threat actor groups in multiple cyber-attacks around the globe.

We reported on AgentTesla activity last year, when it attempted to steal usernames and passwords and log keystrokes from various Windows applications.

The attackers use different modules in this campaign, one of which is capable of stealing Wi-Fi passwords.

Recent activity of the malware was observed during March and April 2020. The actors use malspam campaigns as the delivery medium and distribute the malware in various formats such as ZIP, CAB, MSI, IMG files, and Office documents.

AgentTesla Infection Process

AgentTesla is an info stealer written in .Net, and the researchers saw it in the wild collecting information about the victim’s WiFi profiles, possibly in order to spread to other machines.

The variant is distributed with an embedded executable, stored as an encrypted image resource named ReZer0V2, that is extracted and executed on the victim’s machine at run time.

The attackers added anti-debugging, anti-sandboxing, and anti-virtualization checks that run before the variant executes on the victim’s machine. Once all the checks have passed, the executable decrypts and injects the content.

Infection Process

Later it drops the second payload (owEKjMRYkIfjPazjphIDdRoPePVNoulgd), which is heavily obfuscated and is the main component responsible for stealing credentials from browsers, FTP clients, wireless profiles, and more.

The malware creates a new “netsh” process, passing “wlan show profile” as an argument, to list the WiFi profiles on the machine, and extracts the profile names using the regular expression “All User Profile * :  (?<profile>.*)”.

The attackers then extract each WiFi password in plain text by running “netsh wlan show profile PROFILENAME key=clear”.
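One way to detect the netsh sequence described above from process-creation logs, added here as an example (it is not code from this article or from the Malwarebytes report). The event field names, the sample records, and the `SAMPLE_PARENT` path are assumptions made for illustration.

```python
import re
from collections import defaultdict

NETSH = r"C:\Windows\System32\netsh.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_PARENT = r"C:\Users\alice\AppData\Local\Temp\sample.exe"  # hypothetical path
# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
FIELDS = ("time", "host", "ppid", "parent", "cmd")
ROWS = [
    (100, "WS01", 4120, SAMPLE_PARENT, "netsh wlan show profile"),
    (101, "WS01", 4120, SAMPLE_PARENT, 'netsh  WLAN show profile "HomeNet" key=clear'),
    (102, "WS01", 4120, SAMPLE_PARENT, "netsh wlan show profile name=CafeGuest key=CLEAR"),
    (500, "WS02", 900, CMD, "netsh wlan show profiles"),
    (600, "WS02", 900, CMD, "netsh advfirewall show allprofiles"),
]
EVENTS = [dict(zip(FIELDS, r), image=NETSH) for r in ROWS]

ENUM = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)

def classify(cmd):
    """Return 'enumerate', 'key_dump' or None for one command line."""
    flat = " ".join(cmd.replace('"', " ").split())  # drop quotes, collapse whitespace
    if not ENUM.search(flat):
        return None
    return "key_dump" if CLEAR.search(flat) else "enumerate"

def detect(events, window=60):
    """Group netsh WLAN queries by (host, parent process) and grade each group."""
    groups = defaultdict(list)
    for e in events:
        kind = classify(e["cmd"]) if e["image"].lower().endswith("\\netsh.exe") else None
        if kind:
            groups[(e["host"], e["ppid"], e["parent"])].append((e["time"], kind))
    alerts = []
    for (host, ppid, parent), hits in groups.items():
        hits.sort()
        kinds = {k for _, k in hits}
        burst = hits[-1][0] - hits[0][0] <= window
        if kinds == {"enumerate", "key_dump"} and burst:
            severity = "high"    # list profiles, then dump keys: the sequence described above
        elif "key_dump" in kinds:
            severity = "medium"  # cleartext key requested without a preceding listing
        else:
            severity = "low"     # listing only; common in normal troubleshooting
        alerts.append({"host": host, "parent": parent, "severity": severity,
                       "key_dumps": sum(k == "key_dump" for _, k in hits)})
    return alerts
```

Each alert carries the parent image so that known administration tooling can be allow-listed before the rule is promoted.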

Collected data in html format in message body

According to the Malwarebytes report, all the strings used by the malware are encrypted and are decrypted with the Rijndael symmetric encryption algorithm in the “<Module>.\u200E” function. This function receives a number as input and generates three byte arrays containing the input to be decrypted, the key, and the IV.

In addition, AgentTesla collects system information, including data on FTP clients, browsers, and file downloaders and machine info (username, computer name, OS name, CPU architecture, RAM), and sends it to the attackers via a C2 server.

AgentTesla retains capabilities from previous variants, including keystroke logging, and is listed among the top 10 most wanted malware families in 2020.

Researchers also believe that the actors are expanding the operation of AgentTesla, since they have added this WiFi stealing feature.

Indicators of compromise

AgentTesla samples:
91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09b dd4a43b0b8a68db65b00fad99519539e2a05a3892f03b869d58ee15fdf5aa044 27939b70928b285655c863fa26efded96bface9db46f35ba39d2a1295424c07b

First payload: 249a503263717051d62a6d65a5040cf408517dd22f9021e5f8978a819b18063b

Second payload:  63393b114ebe2e18d888d982c5ee11563a193d9da3083d84a611384bc748b1b0

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
