Agent Tesla Trojan Used in COVID-19 Phishing Campaigns

A complex COVID-19 themed phishing campaign was identified that imitates manufacturers, importers and exporters of chemicals by offering the email recipient personal protective equipment (PPE) including disposable face masks, forehead thermometers, and other medical items used to fight COVID-19.

Researchers at Area 1 Security discovered the phishing campaign, which has been active since May 2020 and has targeted numerous inboxes. The threat actors typically alter their tactics, techniques and procedures (TTPs) every 10 days to avoid detection by security tools.

Whenever they launch a new phishing email campaign, the threat actors change IP addresses, the companies impersonated, and the phishing baits. In a number of the intercepted email messages, aside from spoofing a real company, the attackers use the names of real company employees, their contact details and email addresses to look more legitimate. They add the spoofed company’s logo to the emails and the correct company website link in the signature, so that a recipient who performs any checks will be convinced that the email is legitimate.

The threat actors’ objective is to deliver the Agent Tesla Trojan, a sophisticated remote access Trojan (RAT) that gives attackers access to an infected device and lets them perform a variety of malicious actions. With the RAT, the attacker can log keystrokes on an infected device, steal sensitive data from the user’s AppData folder, and send that information to the command and control server over SMTP. The Trojan can additionally steal credentials from email, web browser, FTP and VPN clients.

Hacking forums offer the RAT as malware-as-a-service. The RAT is popular because it makes conducting campaigns easy and affordable. Agent Tesla is also available for free download from Russian websites via torrent. The malware has a user interface (UI) that enables operators to keep track of infections and access the information it steals.

The RAT is delivered as a zipped file attachment. Upon extraction, the recipient sees an executable file that looks like a .pdf file. Because Windows hides known file extensions by default, the extracted file is displayed as a .pdf file even though it is an executable. For instance, the displayed name “Supplier-Face Mask Forehead Thermometer.pdf” actually belongs to a file named “Supplier-Face Mask Forehead Thermometer.pdf.gz” or “Supplier-Face Mask Forehead Thermometer.pdf.exe”.
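The double-extension trick above is easy to check for at the mail gateway or in a sandbox before a user ever sees the attachment. The following Python script is an added example, not code from the article or from Area 1 Security: it unpacks a constructed zip attachment in memory, reports what Explorer would display for each member with "Hide extensions for known file types" on, classifies each member by its real (last) extension versus the one before it, and additionally flags any member whose bytes begin with the "MZ" header of a Windows executable even when the name carries a plain document extension. The file names and file contents are constructed samples, not artefacts from the campaign.

```python
import io
import os
import zipfile

# Extensions Windows executes directly; Explorer hides these for "known file types".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Benign-looking extensions an attacker places just before the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTENSIONS = {".zip", ".gz", ".rar", ".7z"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS | ARCHIVE_EXTENSIONS


def displayed_name(filename):
    """Approximate what Explorer shows when 'Hide extensions for known file types' is on."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTENSIONS else filename


def classify_name(filename):
    """Classify an attachment by its real (last) extension and the one before it."""
    stem, real_ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(stem)
    if real_ext in EXECUTABLE_EXTENSIONS:
        return "executable-disguised-as-document" if inner_ext in DOCUMENT_EXTENSIONS else "executable"
    if real_ext in ARCHIVE_EXTENSIONS:
        return "archive-disguised-as-document" if inner_ext in DOCUMENT_EXTENSIONS else "archive"
    if real_ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "unknown"


def content_is_pe(data):
    """Windows executables (PE files) start with the 'MZ' DOS header regardless of their name."""
    return data[:2] == b"MZ"


def scan_zip_attachment(zip_bytes):
    """Return one finding per archive member: (real name, displayed name, verdict)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            verdict = classify_name(info.filename)
            # A PE header under a document extension is flagged even without a double extension.
            if verdict == "document" and content_is_pe(data):
                verdict = "executable-with-document-extension"
            findings.append((info.filename, displayed_name(info.filename), verdict))
    return findings


def build_sample_zip():
    """Constructed sample attachment: one double-extension PE, one real PDF, one PE named .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE header (constructed); only the first two bytes matter for the check.
        zf.writestr("Supplier-Face Mask Forehead Thermometer.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("price-list.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)  # PE bytes hiding under a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for real, shown, verdict in scan_zip_attachment(build_sample_zip()):
        print(f"shown as {shown!r:50} real name {real!r} -> {verdict}")
```

The name-based and content-based checks complement each other: the double-extension check catches the case the article describes, while the "MZ" header check catches an executable whose name was simply renamed to end in .pdf. A gateway rule that quarantines any archive member classified as anything other than "document" or "archive" would stop this lure before it reaches the inbox.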

The hash is often altered so that signature-based security solutions cannot detect the malware until a definitions update includes the new hash. The attackers additionally take advantage of configuration flaws in email authentication protocols such as DKIM, DMARC, and SPF when spoofing legitimate companies’ email domains.
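Whether a company’s domain can be spoofed this way is largely determined by its published SPF and DMARC records, so a defender can audit those records for the weak settings that make spoofing profitable. The following Python script is an added example, not code from the article or from Area 1 Security: it parses SPF and DMARC TXT records and flags a permissive or missing SPF "all" mechanism, a DMARC policy of none or quarantine, a weak subdomain policy, partial pct, and missing aggregate reporting. The DNS data is a constructed in-memory table standing in for a real TXT lookup (the example domains weak.example, strict.example and nodmarc.example are fictitious); DKIM is not checked statically because its selectors are not discoverable from a domain name alone.

```python
# Constructed stand-in for DNS TXT lookups; the domains and records are fictitious.
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strict.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example"],
    "nodmarc.example": ["v=spf1 mx ~all"],
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT records for a name from the constructed table (swap in a real resolver here)."""
    return dns.get(name.lower(), [])


def first_record(records, prefix):
    """Pick the first TXT record starting with the given version tag, or None."""
    for record in records:
        if record.lower().startswith(prefix):
            return record
    return None


def parse_tag_value(record):
    """Parse a DMARC-style 'k=v; k2=v2' record into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses found in an SPF record (empty list means no finding)."""
    if record is None:
        return ["no SPF record: receivers cannot reject mail from unauthorised senders"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    # The last 'all' term decides what happens to senders not listed earlier.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends in +all: every sender passes SPF"]
    if qualifier == "?":
        return ["SPF ends in ?all: unlisted senders get a neutral result"]
    if qualifier == "~":
        return ["SPF ends in ~all: unlisted senders only softfail and may still be delivered"]
    return []


def assess_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty list means no finding)."""
    if record is None:
        return ["no DMARC record: receivers are not told to reject mail that fails SPF/DKIM alignment"]
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("DMARC has no p tag: record is invalid and ignored by receivers")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can be spoofed even though the apex is protected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua tag: aggregate reports of spoofing attempts are not collected")
    return findings


def assess_domain(domain, lookup=lookup_txt):
    """Audit one domain's SPF and DMARC posture; empty lists mean the record is strict."""
    spf = first_record(lookup(domain), "v=spf1")
    dmarc = first_record(lookup("_dmarc." + domain), "v=dmarc1")
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


if __name__ == "__main__":
    for domain in ("weak.example", "strict.example", "nodmarc.example"):
        print(domain, assess_domain(domain))
```

Run against a real domain by replacing lookup_txt with a resolver call; a domain that comes back with an empty list for both keys has closed the gap this campaign relies on, while p=none or +all means a receiver will accept mail that claims to be from that company’s employees.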

The researchers stated that the attackers mostly use a shotgun approach rather than sending spear-phishing emails to selected targets; however, they have also discovered a number of targeted attacks on Fortune 500 companies’ executives.

Because the campaign is routinely updated to evade security solutions, employees must be made aware of it so that they do not inadvertently install the malware.