Password Stealers Aren’t Letting up Any Time Soon

December 6, 2018  |  Josh Lake

Password security has always been a challenge. Brute force attacks are constantly getting more powerful, but they aren’t the only threat you have to worry about. A range of password-stealing malware continues to grow in popularity.

One example, Agent Tesla, has seen its detection rate grow 100% in just three months, according to data from LastLine. Despite this rapid growth, Agent Tesla is far from the most popular. That title goes to Pony, which represents 39% of the total password stealer detections, according to Blueliv’s 2018 report, The Credential Theft Ecosystem. LokiPWS and KeyBase trailed Pony at 28% and 16%, respectively.

These password stealers are each capable of stealing credentials and other information from a wide variety of programs. Each is unique with its own techniques for delivery and a range of features that hackers can use to mount attacks.

Despite the differences, each of these programs can have severe impacts on their victims. The negative impacts can range from having all of the money stolen from an individual’s accounts to the theft of a company’s intellectual property. The key features of some of the most common password stealers are listed below:

Agent Tesla

Like most password stealers, Agent Tesla can access a wide variety of your information, ranging from your credentials to your keystrokes. It can even take screenshots and videos from your device’s camera. Agent Tesla targets a number of major programs, including web browsers, email clients, FTP applications and other commonly used software.

Once Agent Tesla has been installed on a target’s computer, it can also be used to download other malware. This feature allows threat actors to intensify their attacks and make them even more devastating.

Its pricing shows that the malware industry hasn’t been left behind in the X-as-a-service boom, because it is available as part of a plan that starts from $15 per month. This price includes all the 24/7 support someone might need to assist them in their criminal endeavors. Of course, payments are made in Bitcoin.

Despite running what must have been an incredibly profitable business, Agent Tesla’s creators have recently posted an update stating it will crack down on illegal use of the program. Under its terms of service, it declares that the software must only be used within the law, but features such as anti-antivirus throw these intentions into question.

Due to the recent media attention that Agent Tesla has received, the developers will strip some of its more questionable features, such as anti-antivirus and webcam capture. They also claim to be banning those who are using the program maliciously. Only time will tell whether the creators are sincere, or if this is merely an attempt to keep the authorities from knocking down their doors.


Pony is currently the most popular password stealer, but it’s certainly not new. In the past, it has been used to control a number of enormous botnets, which by 2013 had already stolen more than two million credential sets.

In 2014, it involved into a series of attacks that stole $200,000 worth of cryptocurrencies, as well as 700,000 sets of credentials. In recent years, Pony has seen prominence as a loader alongside other malware, such as CryptoWall and Angler. These programs, a type of ransomware and an exploit kit, respectively, help attackers launch even more devastating assaults.


As the second most commonly encountered password stealer, LokiPWS has been involved in a significant number of attacks. It can be purchased from a range of illicit marketplaces for between $200 and $400, depending on the desired functionality. LokiPWS is comprised of a loader, a password stealer and a wallet stealer, which makes it useful in a variety of attacks.


TrickBot was originally a banking trojan but has since been updated to steal other credentials as well. This malware is modular and continues to have new features added by its developers. The coding for the newest components isn’t as clean as the earlier parts, but if it continues to be refined, we could see TrickBot used in a greater number of password-stealing scams.

Common Attack Vectors  

Attackers can load password stealers to their target’s systems in the same ways as most malware. These include social engineering, fake Adobe flash and other program updates, drive-by downloads, and through “free” online software. The following are some of the most common techniques that we see associated with password stealers:

Social Engineering

Social engineering (a.k.a. phishing) is one of the most prominent methods that hackers use to load password stealers onto their victims’ computers. They commonly use convincing emails to trick the recipients into downloading an attachment.

The level of sophistication in the email will depend on the attacker’s game plan. Some may send highly-tailored emails to a select group of people in the hopes of convincing a large percentage to download the attachment. Others may put less effort into each email, but send them to a much greater number of people. The rate of success won’t be anywhere near as high, but this technique allows them to attempt to manipulate a much larger group of people.

The attachments can take many forms, including RTF files, PDF files, PUB files, DOC and DOCX files, XLS files, EXE files, images and more. It is common for the malware to be disguised as seemingly legitimate invoices and other important documentation. These tricks can easily fool users into unwittingly granting access to the password stealer.

A recent campaign has been taking advantage of vulnerabilities to spread both LokiPWS and Agent Tesla. The target is tricked into downloading a DOCX file, which in turn downloads an RTF file. This technique takes advantage of both a Microsoft Office remote code execution flaw, as well as a memory handling bug, in order to help slip the malware past antivirus software.       

TrickBot is often hidden in Excel files. In these attacks, the user is told that the document was created with an older version of the program and that they need to “enable content” in order to access the file. Clicking this button runs the macros, which kicks off the malicious code and begins the TrickBot download.

Agent Tesla even has a customizable “Fake Message” option. This allows an attacker to tailor a pop-up that convinces the target to install the malware. This feature makes it simple to create a legitimate-looking dialogue box that might say something like “This program needs to be updated before it can launch. Update now?”

Users will often click to run the update without even thinking about it. Something so simple can end up having dramatic effects because, of course, the program isn’t actually being updated. What’s really going on is that Agent Tesla is tricking the user into letting it install itself.         

Attacks Launched from USBs

Malware like Agent Tesla can also be preconfigured to run from a USB stick. This gives attackers more imaginative ways to upload their malware onto a target’s computers.

One example involves threat actors leaving a bunch of malware-riddled USBs in an employee car park in the hope that some curious workers will pick them up and plug them into their office computers. When the USB is plugged in, Agent Tesla loads to the computer and can begin logging everything that the user does.

Getting Past Your Computer’s Defenses

Computers and networks have a range of defenses that help keep the bulk of malware at bay. These aren’t perfect, because the landscape of cyber threats is constantly evolving. This makes it much more challenging to prevent cutting-edge attacks.

Agent Tesla has a wide variety of configuration options that enable threat actors to customize how they launch their attack to bypass defenses. With just a few clicks in an easy-to-use settings menu, an attacker can choose whether to disable the target’s Task Manager, how it will get past anti-analysis tools, whether it will launch automatically after rebooting, and much more.

The Agent Tesla website used to feature support that gave tips on getting around defenses, including advice on how to hide the malware in other files, and how to trick security tools. The website may have claimed that the software was only designed for monitoring personal computers, but all of this auxiliary information hints at other intentions.

How Do Password Stealers Take Your Credentials?

Once a password stealer has made its way onto the target’s systems, it starts getting to work. There is some variance in how each of these programs function but many of the core elements and features are the same.


Keyloggers are some of the most commonly used tools for stealing credentials and other information that may be useful to attackers. They can be set up to record every keystroke that the target makes, sending the data back to the attacker. Of course, whenever the target types their usernames and passwords, this information goes straight into the attacker’s hands.

Clipboard access

Many password stealers can also access the data that is being stored in your clipboard. Clipboards aren’t a secure part of your computer, and the information that is stored in them can be accessed by all active processes, which means that malware can also take this information.

This is somewhat worrying for those whose password manager uses the clipboard, but the majority of these programs tend to erase the data straight away. If you ever have to manually copy a password, it’s probably best to clear the clipboard after you have finished pasting.


It’s also common for password stealers to take screenshots of their target’s activity. This helps attackers keep track of what their victims are doing and enables them to log even more of their information.


Some password stealers can hijack a device’s camera and take pictures or video. This allows threat actors to build up an even greater profile of information on their victims.

Which Programs Do Password Stealers Target?

Most of the common password stealers can take credentials and other information from a wide variety of applications. These include common web browsers like Chrome, Safari, Microsoft Edge and Opera, FTP programs like FileZilla and WinSCP, email clients like Outlook, and many more. Some of these password stealers are set up to access data from more than one hundred commonly used programs.

How Does This Information Get Sent Back to the Threat Actor?

Once password stealers get their hands on your valuable data, they send it back to the attacker. The information is surreptitiously sent to a server, and then either to the attacker’s email or a dashboard.

These dashboards vary in complexity, but some provide an impressive array of organization that makes it easy for threat actors to keep track of a large number of victims. As an example, Agent Tesla’s dashboard shows the progress of attacks against each of its targets. Menus clearly show the keystrokes, screenshots, passwords and other data that has been collected.

Once an attacker has this data, they can either sell it in bulk, use it to steal from you, or use it to mount further attacks and penetrate your systems more deeply.

How Can Password Stealers Impact Organizations and Individuals?

Passwords are one of the most important systems that we have for controlling access to our data. Now that we conduct significant parts of our work and personal lives online, this makes them gateways to incredible amounts of our information.

Password stealers can easily grant access to many aspects of our lives and businesses, and the impacts can be disastrous and wide-reaching. At a personal level, password stealers can enable threat actors to withdraw money from your bank account, hijack your social media or even commit complete identity theft.

Organizations also face significant threats, because password stealers have the potential to give a threat actor complete access. Once an attacker is inside a company’s systems, they can copy its intellectual property, steal its data, lock up its information with ransomware, or even attempt extortion. The results can be as broad as an attacker’s imagination.

Staying Safe from Password Stealers

As you can see, password stealers represent a significant threat. Unfortunately, there is no surefire way to completely guard yourself and your organization. Despite this, following security best practices will reduce the risks to an acceptable level, especially if adequate staff training is part of the process.

Individuals and employees need to be aware of the risks and only open attachments if they are certain that they are legitimate. It’s important to encourage a workplace culture where employees feel comfortable to check with IT whenever they are unsure of a potential security issue.

Implementing two-factor authentication is another crucial mitigator. If an authentication process requires a token, biometric input, an authenticator app or an SMS code in addition to the user password, it can make it significantly more difficult to break into the systems.

Password stealers can grant absolute access to our online worlds, so it’s important to be vigilant against them. While there are some programs that claim to be able to remove them, like all things in cybersecurity, it is much less costly to focus on prevention.

Share this with others

Get price Free trial