Threat behavior
Agent Tesla collects system information, such as username, computer name, operating system, central processing unit (CPU), and RAM. It can also log keystrokes and take screenshots.
The malware may also attempt to steal Windows credentials, along with sensitive information from the applications listed below.
Browsers
- 360 Browser
- 7Star
- Amigo
- BlackHawk browser
- Brave
- CentBrowser
- Chedot
- Google Chrome
- Chromium
- Citrio
- Coc Coc
- Comodo Dragon
- CoolNovo
- Coowon
- CyberFox
- Microsoft Edge
- Element Browser
- Epic Privacy
- Falkon
- Firefox
- Flock
- GNU IceCat
- IceDragon
- Iridium Browser
- K-Meleon
- Kometa
- Liebao browser
- Opera
- Orbitum
- Pale Moon
- QIP Surf
- QQ
- Safari
- SeaMonkey
- Sleipnir
- Sputnik
- SRWare Iron
- Torch
- UC Browser
- Uran
- Vivaldi
- WaterFox
- Yandex Browser
Email clients
- Becky! Internet Mail
- Claws Mail
- eM Client
- Eudora
- Foxmail
- Mailbird
- Mozilla Thunderbird
- Opera Mail
- Outlook
- Pocomail
- Postbox
- SeaMonkey
- The Bat!
FTP clients
- cFTP
- Core FTP
- FileZilla
- FTP Navigator
- FTPGetter
- SmartFTP
- WinSCP
- WS_FTP
VNC (virtual network computing) clients
- RealVNC
- TightVNC
- UltraVNC
- WinVNC
VPN clients
- NordVPN
- OpenVPN
- Private Internet Access
Miscellaneous apps
- Internet Download Manager
- JDownloader
- MySQL Workbench
- Paltalk
- Trillian
The collected information can then be sent to an attacker-specified destination, such as an email address, an HTTP server, or an FTP server.
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection. For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
Guidance for enterprise administrators
Following the mitigation steps below can help prevent malware attacks:
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown variants.
- Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Use the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Turn on tamper protection features to prevent attackers from stopping security services.
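The following script is an added example, not part of the Microsoft page, showing how an administrator could apply the Defender-related steps above on a single endpoint. It assumes an elevated PowerShell session with the Defender and NetSecurity modules present; the ASR rule GUIDs are the ones published in Microsoft's ASR rules reference and should be checked against current documentation, and the firewall rule is a template that must be scoped to your own environment.

```powershell
# Added example (not from the Microsoft page): applies the enterprise guidance
# above on one Defender-managed endpoint. Run from an elevated PowerShell session.

# 1. Cloud-delivered protection and automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# 2. The ASR rules named in the guidance. GUIDs are from Microsoft's published
#    ASR rules reference; verify them before deploying.
$asrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    '92e97fa1-5d8b-4d29-8e7e-57d6a5ea0bcc' = 'Block Win32 API calls from Office macros'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '75668c1f-76bf-4b27-a9bd-8c10e9eaebca' = 'Block Office apps from injecting into other processes'
}
# Actions: 1 = Block, 2 = Audit. Start in audit mode, as the guidance recommends,
# review Event ID 1122 (audit hits) in the Microsoft-Windows-Windows Defender/Operational
# log, then change $mode to 1 once the impact is understood.
$mode = 2
$ids  = @($asrRules.Keys)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@($mode) * $ids.Count)

# 3. Read back what is now configured, rule by rule.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  ({2})' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $asrRules[$id]
}

# 4. Tamper protection is managed through Intune / the Windows Security app, not
#    Set-MpPreference; this only reports whether it is on.
'TamperProtected: {0}' -f (Get-MpComputerStatus).IsTamperProtected

# 5. Host firewall: block inbound SMB (445) and the RPC endpoint mapper (135) from
#    peer endpoints. Scope this (e.g. with -RemoteAddress) so that file servers and
#    management hosts that legitimately use these ports are excluded.
New-NetFirewallRule -DisplayName 'Block inbound SMB/RPC from endpoints' `
    -Direction Inbound -Protocol TCP -LocalPort 135,445 `
    -Action Block -Profile Domain,Private
```

Step 5 blocks traffic, so test it on a pilot group before broad rollout; the ASR rules stay in audit mode until you change `$mode`.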