Getty Images/iStockphoto

COVID-19 PPE Phishing Campaign Delivers Agent Tesla RAT Malware

A prominent phishing campaign has been preying on COVID-19 fears with targeted emails that offer personal protective equipment (PPE), but instead delivers Agent Tesla RAT malware.

report from Area 1 Security warns all sectors that a prominent phishing campaign is preying on COVID-19 fears, sending targeted emails offering personal protective equipment (PPE) that instead deliver Agent Tesla remote access trojan (RAT) malware. 

Throughout the pandemic, hackers have sent a variety of phishing campaigns tied to COVID-19 in order to take advantage of the crisis for financial gain. The Agent Tesla COVID-19 phishing campaign began in May and has since launched multiple iterations, while maintaining the text found in the email body. 

Agent Tesla was first spotted in the wild in 2014, but researchers have seen a resurgence as a preferred MaaS, “superseding even TrickBot and Emotet.” The success of Agent Tesla is based on its adaptability to avoid detection, as well as providing attackers with a “stealthy platform” for its attacks. 

“Various tiers are available for purchase that provide additional licenses and different functionality,” researchers explained. “However, in typical internet fashion, there is a torrent available on Russian websites.” 

“For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices,” they added. “This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.” 

The latest campaign sends email attachments containing the RAT malware to various companies, disguised as a mask production business and offering face masks and forehead thermometers. 

Researchers detected these attacks leveraging convincing lures able to bypass legacy vendors, which may increase the possibility that these malicious emails will end up reaching the victim’s inbox. Hackers are phishing multiple verticals using a 10-day cycle to avoid detection, modifying their tactics, techniques, and procedures (TTP) before launching a new wave of attacks. 

“The attacker spoofs chemical manufacturers and import/export businesses to make the phishing message appear more legitimate,” researchers wrote. "The attacker continually revises their phishing messages by periodically spoofing different companies in an effort to evade detection.” 

“For the example... the attacker spoofed Transchem Inc., a legitimate chemical supplier,” they added. “With previously spoofed companies, the attacker included the real email address of the purported sender in the signature block. However, in this latest campaign, they remove it to reduce the chances of being detected.” 

The hackers rely on a dynamic approach to defeat common email security defenses, such as rotating to a new IP address to bypass filters that only deny emails based on known sources of malicious activity at the start of each campaign cycle. 

The malware attached to the emails is also continually modified to change its hash, making the malware effectively brand new. As a result, researchers explained that “legacy detections configured to scan for known malicious hashes will not alert on this.” 

Further, flaws found in email authentication protocols, like DMARC and DKIM, allows the attackers to successfully spoof legitimate sender domains of numerous companies. Researchers explained that even when controls are properly implemented, they aren’t enough to protect against dynamic phishing attacks. 

For health departments and state governments, this could prove problematic as Proofpoint recently found these agencies lack the strictest and recommended email protection and authentication, exposing them to COVI9-19 spoofing and fraud attempts. 

After the Agent Tesla phishing email bypasses the email gateway and DMARC controls, the user becomes the last line of defense against the phishing campaign. However, the attacks are designed to present a façade of authenticity, by impersonating real employees from various companies and using legitimate logos of the spoofed companies. 

The emails also include the URL in the email signature block, which leads to the legitimate website of the spoofed company. 

“The attacker is clearly going the extra mile to ensure this spoof will appear as authentic as possible for unsuspecting targets,” researchers explained. “Once the email is delivered, recipients are a mere two steps away from executing the Agent Tesla RAT. The target only needs to extract the compressed attachment, then click on the resulting pdf, which will launch the malware.” 

“To further reduce suspicion, the attachment’s file name is manipulated to make it appear legitimate,” they added. “More specifically, the attacker always names the attached file ‘Supplier-Face Mask Forehead Thermometer.pdf.gz’. The use of a double extension will often trick targets into thinking the file is a PDF, when in fact it’s a compressed executable.” 

Once the malicious file is downloaded, the user may only see the actual file name. And as many legacy email vendors only inspect the attachment extension rather than the file properties, the phishing emails’ compressed files can bypass rule filtering based on file extension. 

Area 1 researchers provided several mitigation recommendations for organizations, stressing that reliance on email gateways, cloud email suites, and traditional anti-virus tools aren’t enough to protect against the Agent Tesla campaign. 

Employees must be made aware of the campaign techniques, as the attackers rely upon users to download and install the malicious malware. Administrators should put into place policies that treat all unsolicited emails from unknown companies as potential threats until reviewed by security. 

And attachments containing compressed files should always be handled with extreme caution: executable files should not even be opened by the user. 

“These extra verifications are just a small precaution but go a long way toward ensuring the safety and security of your organization,” researchers stressed. “With each wave of the campaign, the malicious files and attacker infrastructure are altered to evade detection.” 

“If you think your device may have been compromised by malware, it’s imperative to run a full scan of your system to check for signs of infection. It’s also vital to keep your software and OS secure by installing the latest updates on a routine basis in order to reduce exposure to this ‘Face Mask Supplier’ phishing campaign.”

Next Steps

Dig Deeper on Cybersecurity strategies