The notorious remote access Trojan (RAT) Agent Tesla is making the rounds in a new phishing campaign, according to research made public by Bitdefender. The researchers note that Agent Tesla has been active for roughly seven years but saw a large increase in usage starting in 2020, with 46 percent of that year's observed activity falling in the fourth quarter.
According to the InfoSec Institute, Agent Tesla is .NET-based malware sold commercially to cybercriminals. Once it infects a machine, its primary functions are keylogging, downloading additional malicious programs, stealing credentials, and capturing screenshots. It has been used against a wide range of industries over the years, and despite its relative simplicity as a RAT, the phishing campaigns that deliver it tend to be highly effective.
In this most recent case, Bitdefender uncovered phishing emails that seek to trick victims looking for COVID-19 vaccination information. The email reads as follows:
Attached herewith is the revised circular… There are some technical issues in the registration link provided in the circular yesterday. Kindly refer to the attached link. For those who had successful register earlier, kindly ignore this email.
The email carries a rich text file with a Word extension (AC 2021 09 V1.doc) that, when opened, exploits CVE-2017-11882 to run Agent Tesla. CVE-2017-11882 is a memory-corruption flaw in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office; the NIST NVD entry describes it as allowing "an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka 'Microsoft Office Memory Corruption Vulnerability.'" Microsoft patched the flaw in November 2017 and removed Equation Editor from Office entirely in January 2018, so the campaign relies on targets running unpatched installations.
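Two properties of the lure described above are cheap to check on a mail gateway or in triage: the attachment claims to be a .doc but is really RTF, and it embeds an Equation Editor 3.0 object (the only component CVE-2017-11882 lives in). The following Python is an added example written for this article, not code from Bitdefender or the InfoSec Institute; the RTF and OLE1 stub it scans are constructed here, benign, and contain no exploit payload. It flags an RTF-behind-.doc mismatch, an `\objupdate` control word (which makes Word load the object without user interaction), and the Equation Editor ProgID "Equation.3" or its CLSID inside the hex-encoded `\objdata` stream.

```python
import re
from pathlib import Path

RTF_MAGIC = b"{\\rtf"
# Equation Editor 3.0 (EQNEDT32.EXE) identifiers. An RTF document that wants
# Word to hand an embedded object to that component must name it one of these ways.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Hex payload following an \objdata control word, up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)
OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")

# Extensions under which a renamed RTF would still be opened by Word.
WORD_EXTENSIONS = {".doc", ".docx", ".dot"}


def clsid_to_bytes(clsid: str) -> bytes:
    """Return the on-disk (little-endian first three groups) encoding of a CLSID."""
    a, b, c, d, e = clsid.split("-")
    return (bytes.fromhex(a)[::-1] + bytes.fromhex(b)[::-1]
            + bytes.fromhex(c)[::-1] + bytes.fromhex(d) + bytes.fromhex(e))


def inspect_document(name: str, data: bytes) -> dict:
    """Heuristic triage of a Word attachment for the RTF/Equation Editor lure pattern."""
    findings = {"extension_mismatch": False, "equation_object": False,
                "auto_update": False, "suspicious": False}
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    if is_rtf and Path(name).suffix.lower() in WORD_EXTENSIONS:
        findings["extension_mismatch"] = True
    if not is_rtf:
        return findings

    findings["auto_update"] = OBJUPDATE_RE.search(data) is not None
    if OBJCLASS_RE.search(data):
        findings["equation_object"] = True

    clsid_bytes = clsid_to_bytes(EQNEDT_CLSID)
    for match in OBJDATA_RE.finditer(data):
        hex_text = re.sub(rb"\s", b"", match.group(1))
        try:
            blob = bytes.fromhex(hex_text.decode("ascii"))
        except ValueError:
            continue  # truncated or malformed hex; nothing decodable to inspect
        if EQNEDT_PROGID.lower() in blob.lower() or clsid_bytes in blob:
            findings["equation_object"] = True

    # Any Equation Editor object is worth a look; a disguised RTF that also
    # auto-loads its objects is suspicious even if the class name is obfuscated.
    findings["suspicious"] = findings["equation_object"] or (
        findings["extension_mismatch"] and findings["auto_update"])
    return findings


# Constructed sample: an OLE1 embedded-object header naming Equation.3, with the
# object payload zero-filled. This is a benign stand-in, not a real lure.
SAMPLE_OLE1 = (
    b"\x01\x05\x00\x00"                                   # OLE version
    + b"\x02\x00\x00\x00"                                 # format id: embedded object
    + len(b"Equation.3\x00").to_bytes(4, "little")
    + b"Equation.3\x00"                                   # class name
    + b"\x00" * 8                                         # empty topic and item names
    + b"\x00" * 16                                        # zero-filled object payload
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Times New Roman;}}\n"
    b"Attached herewith is the revised circular.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + SAMPLE_OLE1.hex().encode("ascii") + b"}}\n"
    b"}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly memo.\\par}"


if __name__ == "__main__":
    print("lure:", inspect_document("AC 2021 09 V1.doc", SAMPLE_RTF))
    print("memo:", inspect_document("memo.rtf", BENIGN_RTF))
```

Treat the result as a triage signal, not a verdict: legitimate documents with old Equation Editor objects exist, and attackers can hide the class name (for example by splitting the hex across RTF groups, which this scanner would miss), so a hit should route the attachment to sandboxing rather than block on its own.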
Bitdefender states that while the Agent Tesla phishing campaign is spreading globally, roughly half of the phishing emails targeted South Korea. It is unknown who is behind this campaign, but as always, be vigilant when opening emails from unknown senders. In general, do not trust unsolicited correspondence, especially when it carries attachments.
Featured image: Shutterstock