Area 1 Security researchers have discovered a worldwide phishing campaign that purports to offer information on face masks and other personal protective equipment during the COVID-19 pandemic, with the aim of infecting the devices of potential victims with the AgentTesla remote access Trojan.
Security researchers first spotted the AgentTesla Trojan in 2014; it is now available for rent on various underground forums at prices ranging from $12 for a monthly rental to $35 for a six-month lease, according to a report by SentinelLabs released earlier this month.
Notably, the fraudsters behind this campaign change their tactics, techniques and procedures every 10 days, modifying the messages and the spoofed domains so that they cannot be detected.
These phishing emails are estimated to have targeted thousands of inboxes, although the rate of attack has slowed since 13 August. According to Juliette Cash, a threat researcher at Area 1 Security, this could mean that the scammers are taking a break to renew and strengthen their strategies once again.
This phishing campaign targets companies around the world across a variety of industries, including US international companies. It has also targeted current Fortune 500 executives, including security executives, around the world. In addition, the attackers are believed to be using more than one "weapon", that is, more than one lure, to deceive unsuspecting victims.
The purpose of the phishing emails sent as part of the campaign is to infect devices with AgentTesla, originally a simple information stealer that has since evolved into a remote access Trojan (RAT). Since the outbreak of the COVID-19 pandemic the malware has become popular with fraudsters and cybercriminals because of its ability to evade detection and the low licensing fees charged on underground forums, which make it affordable to rent and to develop further.
The phishing campaign impersonates legitimate companies that advertise face masks and other medical devices used to prevent the transmission of COVID-19; one of these companies was the chemical supplier Transchem. The messages also sometimes use real employee names to add another layer of legitimacy.
During the campaign the scammers rotate IP addresses to circumvent certain security protections and take advantage of misconfigured email authentication protocols, such as DMARC, to deliver malicious emails to victims' inboxes.
The phishing emails carry an attachment that looks like a PDF file and is usually named "Supplier-Face Mask Forehead Thermometer.pdf.gz". If the file is opened and decompressed, macros are activated and the AgentTesla Trojan is delivered to the compromised device. Once on a device, AgentTesla connects to a command-and-control server to receive further instructions from the scammers. The malware usually installs itself in the AppData folder, which holds settings, files and data for Windows applications. It then attempts to load missing dynamic link libraries (DLLs) and downloads additional files to extract the stolen information from the AppData folder. The scammers try to collect as much data as possible from the devices they compromise; the data AgentTesla can harvest includes configuration data as well as credentials from web browsers, email clients, VPN and FTP software. And because AgentTesla is a remote access Trojan, it also exposes affected devices to further, possibly more damaging, attacks.
While the AgentTesla Trojan has appeared in business email compromise (BEC) scams from Nigeria, security company Bitdefender said in April that the malware had also been used in a series of attacks targeting the global oil and gas industry. Also in April, researchers at Palo Alto Networks' Unit 42 noticed a significant increase in COVID-19-themed phishing emails that attempted to deploy the Trojan across a wide range of industries.