Agent Tesla Disguised as COVID-19 Vaccination Registration

upnorth

Moderator
Thread author
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,877
A recent phishing campaign targeting Windows machines is attempting to infect users with one of the most recent versions of the Agent Tesla remote access Trojan (RAT).

The malicious campaign, spotted by the Bitdefender Antispam Lab, tries to deliver the malicious payload under the guise of a COVID-19 vaccination schedule that comes as an attachment. Most of the attacks seem to have originated from IP addresses in Vietnam. Although telemetry shows a global dispersion of the malspam campaign, 50% of the malicious emails were directed to South Korea. The messages are designed to look like a business email asking the recipients to go over some technical issues presented in the attachment and register for the vaccine. “Attached herewith is the revised circular,” the malicious email reads. “There are some technical issues in the registration link provided in the circular yesterday. Kindly refer to the attached link. For those who had successful register earlier, kindly ignore this email.”
AgentTesla-Malspam-Campaign.jpg
Active for over seven years, Agent Tesla has been used frequently in phishing campaigns seeking to steal user credentials, passwords and sensitive information. The updated password-stealing capabilities and security-dodging techniques paired with the malware distribution-as-a-service business model have proven highly profitable. Agent Tesla’s popularity surged during the second half of 2020, with more than 46% of all global Agent Tesla reports occurring in Q4.

The malicious attachment (AC 2021 09 V1.doc) is in fact a RTF document exploiting a known Microsoft Office vulnerability. Once accessed, the document downloads Agent Tesla malware. After the malware has collected all the information from the victim’s system, it exfiltrates the credentials and other sensitive data via the SMTP protocol (email) back to an email account registered in advance by the attackers.