Agent Tesla RAT Returns in COVID-19 Vax Phish

An unsophisticated campaign shows that the pandemic still has long legs when it comes to being social-engineering bait.

The Agent Tesla remote access trojan (RAT) is scurrying around the internet again, this time arriving via a phishing campaign that uses a COVID-19 vaccination schedule as a lure.

Spotted by researchers at the Bitdefender Antispam Lab, the campaign targets Windows machines with emails carrying malicious attachments. The message body takes a business-email approach and asks recipients to review an “issue” with vaccination registration.

“Attached herewith is the revised circular,” the malicious email reads. “There are some technical issues in the registration link provided in the circular yesterday. Kindly refer to the attached link. For those who had successful register earlier, kindly ignore this email.”

This campaign is spreading the most recent variant of Agent Tesla, a Bitdefender spokesperson told Threatpost. The Agent Tesla RAT has been around for at least seven years, beginning its run mostly as a password-stealer. However, new variants have recently emerged with new modules for better evading detection and better data theft, and it’s used frequently in phishing campaigns seeking to steal not just user credentials but also other sensitive information.

“The updated password-stealing capabilities and security-dodging techniques paired with the malware distribution-as-a-service business model have proven highly profitable,” according to the spokesperson.

In the current spate of attacks, the malicious attachment turns out to be an .RTF document that exploits the known Microsoft Office vulnerability tracked as CVE-2017-11882, a memory-corruption bug in the Office Equation Editor component that allows remote code execution (RCE) when a crafted document is opened. Once the document is opened, the exploit downloads and executes the Agent Tesla payload.
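The lure relies on an embedded OLE object that Office hands to the Equation Editor. A first-pass triage script for that pattern, added here as an example and not taken from Bitdefender or the campaign itself, looks for `\object` groups whose class is `Equation.3` or whose object data carries the Equation Editor ProgID or CLSID. The RTF sample in the block is constructed for the demonstration; the CLSID `{0002CE02-0000-0000-C000-000000000046}` is the published identifier for Equation Editor 3.0.

```python
"""Triage an RTF for embedded Equation Editor (Equation.3) OLE objects, the
component targeted by CVE-2017-11882. Added example; not Bitdefender's code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

EQUATION_PROGID = b"Equation.3"
# {0002CE02-0000-0000-C000-000000000046}, Equation Editor 3.0, as stored on disk
# (the first three GUID fields are little-endian).
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header

OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


@dataclass
class EmbeddedObject:
    objclass: str
    size: int
    indicators: list = field(default_factory=list)

    @property
    def equation_editor(self) -> bool:
        return any(i.startswith("equation-") for i in self.indicators)


def _decode_objdata(hexblob: str) -> bytes:
    """RTF stores object data as hex text, often wrapped across lines."""
    clean = re.sub(r"\s+", "", hexblob)
    if len(clean) % 2:  # tolerate a dangling nibble from sloppy writers
        clean = clean[:-1]
    try:
        return bytes.fromhex(clean)
    except ValueError:
        return b""


def scan_rtf(rtf: str) -> list[EmbeddedObject]:
    """Return one record per \\object group with the indicators seen in it."""
    found = []
    for chunk in rtf.split("\\object")[1:]:
        m_class = OBJCLASS_RE.search(chunk)
        m_data = OBJDATA_RE.search(chunk)
        objclass = m_class.group(1).strip() if m_class else ""
        payload = _decode_objdata(m_data.group(1)) if m_data else b""
        obj = EmbeddedObject(objclass=objclass, size=len(payload))
        if objclass == EQUATION_PROGID.decode():
            obj.indicators.append("equation-objclass")
        if EQUATION_PROGID in payload:  # OLE1 header repeats the ProgID
            obj.indicators.append("equation-progid-in-ole1-header")
        if EQUATION_CLSID_LE in payload:
            obj.indicators.append("equation-clsid")
        if OLE_MAGIC in payload:
            obj.indicators.append("ole-compound-file")
        found.append(obj)
    return found


def is_suspicious(rtf: str) -> bool:
    return any(o.equation_editor for o in scan_rtf(rtf))


# Constructed sample (not the Bitdefender sample): one embedded OLE1 object
# of class Equation.3; the object data is truncated after the OLE header.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Arial;}}
\pard Revised circular attached.\par
{\object\objemb\objw1440\objh1440{\*\objclass Equation.3}
{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000
08000000 d0cf11e0a1b11ae1}}
}"""

BENIGN_RTF = r"{\rtf1\ansi\pard Hello, this is a plain document.\par}"

if __name__ == "__main__":
    for obj in scan_rtf(SAMPLE_RTF):
        print(obj.objclass or "<no objclass>", obj.size, obj.indicators)
    print("suspicious:", is_suspicious(SAMPLE_RTF), is_suspicious(BENIGN_RTF))
```

Real samples frequently obfuscate the `\objclass` and `\objdata` tokens with extra control words and hex escapes, so treat this as a mail-gateway triage check rather than a detection engine; for production parsing use a dedicated RTF object extractor such as oletools' rtfobj, and pair the check with confirming that the Equation Editor binary has actually been removed from the Office install.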

“According to a joint CISA and FBI advisory, CVE-2017-11882 was among the most exploited software vulnerabilities between 2016 and 2019,” according to Bitdefender’s writeup on Friday. “So it seems that bad actors are still hunting for outdated and unpatched software that can easily be compromised.”

Once running, Agent Tesla gathers information about the victim’s system and harvests credentials and other sensitive data. It then sends that information to the attackers over SMTP, to an email account the attackers registered in advance, researchers said.
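Because the stolen data leaves the network as ordinary mail traffic, the useful signal on the wire is which hosts open SMTP sessions to the internet at all. The following detection, added here as an example and not part of Bitdefender’s research or tooling, runs over a constructed firewall connection log and flags workstations sending to external mail ports that are not the organization’s sanctioned relay. The internal address ranges, the relay address, the log format and every log line are assumptions for the demonstration.

```python
"""Flag endpoints speaking SMTP to the internet, the exfiltration channel the
article describes. Added example over a constructed log; not Bitdefender's code."""
from __future__ import annotations
import csv
import io
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAIL_PORTS = {25, 465, 587}
# Assumption: RFC 1918 space is "inside"; adjust to the real address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: only these hosts may send mail directly to the internet.
SANCTIONED_MAIL_SENDERS = {"10.0.0.25"}


@dataclass
class Alert:
    src_host: str
    src_ip: str
    connections: int = 0
    bytes_out: int = 0
    destinations: set = field(default_factory=set)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smtp_exfil(log_text: str, sanctioned=SANCTIONED_MAIL_SENDERS) -> dict[str, Alert]:
    """Aggregate outbound SMTP/SMTPS sessions per source host, skipping the
    sanctioned relay and any session that stays inside the network."""
    alerts: dict[str, Alert] = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dst_port"])
        if port not in MAIL_PORTS or row["proto"] != "tcp":
            continue
        if is_internal(row["dst_ip"]):      # submitting to the internal relay is normal
            continue
        if row["src_ip"] in sanctioned:     # the relay itself is allowed out
            continue
        a = alerts.setdefault(row["src_host"], Alert(row["src_host"], row["src_ip"]))
        a.connections += 1
        a.bytes_out += int(row["bytes_out"])
        a.destinations.add(f'{row["dst_ip"]}:{port}')
    return alerts


# Constructed connection log (not from Bitdefender or any real network).
# Destination addresses use documentation ranges (RFC 5737).
SAMPLE_LOG = """ts,src_ip,src_host,dst_ip,dst_port,proto,bytes_out
2021-06-21T09:12:01Z,10.0.5.17,WS-0417,203.0.113.10,443,tcp,5120
2021-06-21T09:13:44Z,10.0.0.25,MAILRELAY01,198.51.100.20,25,tcp,88210
2021-06-21T09:15:02Z,10.0.5.17,WS-0417,198.51.100.77,587,tcp,23410
2021-06-21T09:15:09Z,10.0.5.17,WS-0417,198.51.100.77,587,tcp,19877
2021-06-21T09:20:30Z,10.0.5.42,WS-0442,10.0.0.25,587,tcp,3300
2021-06-21T09:22:15Z,10.0.5.42,WS-0442,203.0.113.55,465,tcp,41200
"""

if __name__ == "__main__":
    for host, a in find_smtp_exfil(SAMPLE_LOG).items():
        print(f"{host} ({a.src_ip}): {a.connections} sessions, "
              f"{a.bytes_out} bytes to {sorted(a.destinations)}")
```

Ports 465 and 587 are normally TLS-wrapped, so a proxy or firewall sees only that a workstation is talking to a mail server, not what it sends; that is exactly why the allowlist approach works, and why the same aggregation is worth running against whatever connection telemetry the organization already collects.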

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, noted that patching for Office is notoriously slow. “Microsoft Office software often lags far behind the Windows host operating system in patching cadence, and many organizations still actively use end of life versions that no longer receive security patches,” he said. “This fact coupled with the near ubiquity of Microsoft Office in business environments make it an attractive target for cybercriminals to focus exploitation efforts.”

Pandemic Continues to Spur Cybercrime

Bitdefender found that while the campaign is hitting mailboxes worldwide, 50 percent of the emails so far landed in South Korea. The next-largest distributions were 6 percent in the U.S., 5 percent each in Germany and the Czech Republic, and 3 percent each in the U.K. and Italy. The campaign is on the smaller side, with around 1,000 hits in Bitdefender’s telemetry.

“Since 50 percent of the malicious emails targeted South Korea, we can speculate that threat actors were closely monitoring local news about the vaccination campaign in the country and anticipated shipment of 14 million doses of coronavirus vaccine,” the spokesperson said.

This type of zeitgeisty-but-tailored approach is a shift away from the broader messaging seen in early pandemic-themed phishing, according to Eric Howes, principal lab researcher at KnowBe4.

“In contrast to the initial waves of COVID-themed phishing emails that we saw back in the late spring and early summer of 2020, which tended to spoof recognized medical authorities and healthcare organizations, more recent phishes have focused more narrowly on the communications that organizations are having with their employees — in this case, on issues surrounding vaccinations as well as efforts by organizations to provide information on policies and procedures surrounding COVID-19,” he told Threatpost. “At this late point in the pandemic, employees have become accustomed to receiving messaging from their employers about these kinds of topics — and bad actors know it. And while the vaccination push in this country has been slowing over the past month, COVID-19 remains a live issue for employers and employees alike.”

The threat actors do not seem to be part of any sophisticated group, the Bitdefender spokesperson added, but the somewhat rudimentary campaign shows the efficacy of using COVID-19 as a lure.

“They clearly did not spend too much time and effort to work on their pitch,” the person said. “However, it’s clear the existing vaccinations campaigns and COVID-19 are still exploited by cybercriminals. As long as COVID-19 makes headlines and impacts social and financial agendas, opportunistic threat actors will continue to exploit the pandemic. The efficiency of campaigns can be split between how much time and effort the criminals put into convincing their targets to access the malicious attachment, links etc.”

How to Prevent Basic Cyberattacks

As ever with these types of campaigns, security 101 principles go a long way toward preventing infection, researchers said.

“This is a fairly typical phishing scheme that can be easily prevented with a bit of good cyber-hygiene,” Paul Bischoff, privacy advocate at Comparitech, told Threatpost. “Never click on links or attachments in unsolicited emails. Don’t set macros to run automatically in Microsoft Office documents. And use a real-time antivirus program. Any of these steps should prevent infection.”

Howes added, “If nothing else, this email highlights the importance and role of security-awareness training for organizations coping with the increasing onslaught of malicious emails landing in employees’ inboxes. Although an organization’s antivirus program might catch the malicious attachment, the reality is that it might well fall to employees themselves to thwart this kind of attack.”

He noted several red flags in the email that could and should tip off users that something is amiss.

“First, the ‘from:’ email address clearly indicates that this email is coming from outside the organization,” he explained. “Second, the email refers users to an ‘attached link.’ In fact, what is attached is not a link file or even an HTML web page, but a malicious Office document. Third, the email is a bit vague and confusing, referencing a circular that is not well-described and likely not familiar to recipients of the email.”

Cerberus’ Clements also stressed that success for this type of campaign relies on multiple security failures.

“In this instance, Microsoft Office software must go unpatched and additionally have users fall for the phishing lure and open the malicious attachment,” he said. “To remain safe in today’s threat landscape, organizations must adopt a culture of security that integrates all areas of information security such as comprehensive patching that goes beyond just the base operating system as well as continuous end user security awareness training to spot and report suspected phishing emails.”
