Updated versions of Agent Tesla have recently been spotted in the wild that are now capable of stealing Wi-Fi passwords. By issuing the command “netsh wlan show profile,” the malware can retrieve a list of saved SSIDs (Wi-Fi network names). From there, it can issue a second command “netsh wlan show profile name=NETWORK_NAME key=clear” to retrieve the password in plain text.
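A defender-side detection for the two-step netsh sequence described above, added here as an illustration; it is not code from the Binary Defense post or from Agent Tesla. It runs over constructed, simplified process-creation records (the pipe-delimited host/time/parent/image/command-line layout is an assumption made for the example; Sysmon Event ID 1 and Windows Security 4688 events carry the same fields) and escalates a `key=clear` query when the same parent process enumerated the saved profiles a few seconds earlier, which is the pattern the malware produces, while a lone `key=clear` from a shell scores lower.

```python
"""Detect Agent Tesla-style Wi-Fi credential harvesting via netsh in process-creation logs.

Added example, not from the Binary Defense post. The record layout below is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records: host|timestamp|parent image|image|command line.
# The pipe-delimited layout is an assumption for this example, not a real log format.
SAMPLE_EVENTS = [
    "WS01|2020-04-14T10:02:11|C:\\Users\\bob\\AppData\\Roaming\\updater.exe|C:\\Windows\\System32\\netsh.exe|netsh wlan show profile",
    "WS01|2020-04-14T10:02:12|C:\\Users\\bob\\AppData\\Roaming\\updater.exe|C:\\Windows\\System32\\netsh.exe|netsh wlan show profile name=CorpWiFi key=clear",
    "WS01|2020-04-14T10:02:13|C:\\Users\\bob\\AppData\\Roaming\\updater.exe|C:\\Windows\\System32\\netsh.exe|netsh wlan show profile name=\"Guest Net\" key=clear",
    "WS02|2020-04-14T11:10:00|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\netsh.exe|netsh wlan show profile",
    "WS03|2020-04-14T12:00:00|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\netsh.exe|netsh interface ip show config",
    "WS02|2020-04-14T11:15:55|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\netsh.exe|netsh wlan show profile name=HomeNet key=clear",
]

# netsh keywords are case-insensitive and whitespace is free-form, so command lines are
# normalised before matching. Caveat: netsh also accepts unambiguous abbreviations of its
# keywords; this simple matcher only covers the full spelling quoted in the post.
_WLAN_PROFILE = re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b")
_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b")
_SSID = re.compile(r'\bname\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def classify_command(cmdline):
    """Return 'reveal_key', 'enumerate' or None for a command line."""
    norm = " ".join(cmdline.lower().split())
    if not _WLAN_PROFILE.search(norm):
        return None
    return "reveal_key" if _KEY_CLEAR.search(norm) else "enumerate"


def extract_ssid(cmdline):
    """Pull the SSID out of a 'name=' argument, quoted or bare."""
    m = _SSID.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_event(line):
    host, ts, parent, image, cmdline = line.split("|", 4)
    return {"host": host, "time": datetime.fromisoformat(ts),
            "parent": parent.lower(), "image": image, "cmdline": cmdline}


def detect(lines, window_seconds=60):
    """Alert on every key=clear reveal; escalate when the same parent enumerated profiles shortly before."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    last_enum = {}  # (host, parent image) -> time of the most recent profile enumeration
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ev in events:
        kind = classify_command(ev["cmdline"])
        key = (ev["host"], ev["parent"])
        if kind == "enumerate":
            last_enum[key] = ev["time"]
        elif kind == "reveal_key":
            prior = last_enum.get(key)
            chained = prior is not None and ev["time"] - prior <= window
            alerts.append({
                "host": ev["host"],
                "parent": ev["parent"],
                "ssid": extract_ssid(ev["cmdline"]),
                "severity": "high" if chained else "medium",
                "reason": ("profile enumeration followed by key=clear from the same parent"
                           if chained else "netsh wlan key=clear without recent enumeration"),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['host']} ssid={a['ssid']!r} parent={a['parent']} :: {a['reason']}")
```

On the constructed sample this yields two high-severity alerts for WS01 (the unsigned-looking parent under the user's roaming profile walks the list and reveals each key within two seconds) and one medium alert for WS02, where an administrator's `cmd.exe` revealed a single key several minutes after listing profiles. Keying the correlation on the parent image rather than the host alone is what separates the two; in production the parent's path and signature status would weigh into the score as well.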
Agent Tesla is a stealer that has been available since 2014. It is generally spread through phishing with various malicious attachment types such as .zip or .img files and Microsoft Office documents. It can be used to gather system information, steal clipboard data, log keystrokes and more. Data exfiltration typically happens via email using Simple Mail Transfer Protocol (SMTP) on port 587 to a host hardcoded within the binary.
The fact that Agent Tesla now steals passwords for Wi-Fi access points indicates that there is a market for these passwords and that attackers may use them. Defenders should be aware that attackers within physical range can use Wi-Fi to gain access to corporate networks, so it is important to monitor for new devices and for unusual behavior from devices connected to Wi-Fi.

Always exercise caution when opening email attachments. Binary Defense does not advise opening attachments from unknown or unexpected senders. Receiving files with extensions such as .img or .iso, or any type of executable file, is not common, especially from an address outside the organization. Consider using an EDR (Endpoint Detection and Response) solution side-by-side with anti-virus products. Using an EDR or an MDR (Managed Detection and Response) solution can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24 hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company.