Saturday, November 28, 14:50
COVID-19 phishing campaign spreads by AgentTesla Trojan!

Area 1 Security researchers have discovered a worldwide phishing campaign that purports to offer information on face masks and other personal protective equipment during the COVID-19 pandemic, with the aim of infecting potential victims' devices with the AgentTesla remote access trojan.

Security researchers first spotted the AgentTesla Trojan in 2014, and it is now available for rent on various underground forums, at prices ranging from $12 for a monthly rental to $35 for a six-month lease, according to a report by SentinelLabs released earlier this month.

The campaign, which appears to have been launched in May, uses phishing emails that spoof messages from chemical manufacturers as well as import/export companies.

It is noteworthy that the fraudsters behind this campaign change the tactics, techniques and procedures they follow every 10 days, modifying both the messages and the spoofed domains so that they cannot be detected.

These phishing emails are estimated to have targeted thousands of users' inboxes, although the rate of attack has slowed since 13 August. According to Juliette Cash, a threat researcher at Area 1 Security, this could mean that the scammers are taking a break to renew and strengthen their strategies once again.

This phishing campaign targets companies around the world across a variety of industries, including US multinational companies. The campaign has also targeted current Fortune 500 executives, including security executives from around the world. In addition, the attackers are believed to be using more than one "weapon" to lure unsuspecting victims.

The purpose of the phishing emails sent as part of the campaign is to infect devices with AgentTesla, originally an information stealer that has evolved into a remote access trojan (RAT). Since the outbreak of the COVID-19 pandemic, this malware has become popular with fraudsters and cybercriminals because of its ability to evade detection, as well as its low licensing fees on underground forums, which make it affordable to rent and deploy.

The phishing campaign spoofs legitimate companies that advertise face masks and other medical devices used to prevent the transmission of COVID-19. One of these companies was the chemical supplier "Transchem". In addition, the messages sometimes use real employee names to add another layer of legitimacy.

During the campaign, the scammers rotate IP addresses to circumvent certain security protections and take advantage of incorrectly configured email authentication protocols, such as DMARC, to deliver malicious emails to victims' inboxes.
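The DMARC misconfiguration mentioned above is easy to check for. The following is an added example (not code from the article or from Area 1 Security) that parses a domain's DMARC TXT record and lists the settings that would let spoofed mail reach inboxes; the sample records are constructed for illustration, not real domains' records.

```python
# Added example: weak-setting checks for a DMARC TXT record.
# The records used below are constructed, not real domains' records.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record: str) -> list:
    """Return human-readable reasons the record would let spoofed mail through."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        # Receivers ignore a record that does not start with v=DMARC1.
        return ["missing v=DMARC1: receivers ignore the record entirely"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= tag: record is invalid, no policy is enforced")
    elif policy == "none":
        issues.append("p=none: failures are only reported, never rejected")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail is sent to spam, not rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # Subdomains inherit p= unless sp= overrides it, so sp=none reopens the gap.
    if tags.get("sp") == "none" and policy not in (None, "none"):
        issues.append("sp=none: spoofing from any subdomain is not enforced")
    if "rua" not in tags:
        issues.append("no rua= tag: no aggregate reports, abuse goes unnoticed")
    return issues


if __name__ == "__main__":
    # Constructed sample records for illustration.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; pct=50"):
        print(rec, "->", dmarc_weaknesses(rec) or ["no weaknesses found"])
```

In practice the record comes from a DNS TXT query for `_dmarc.<domain>`; the function only judges the record text, so it can be run against records collected from any resolver.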

AgentTesla Trojan

The phishing emails carry an attachment that looks like a PDF file and is usually named "Supplier-Face Mask Forehead Thermometer.pdf.gz". If the file is opened and decompressed, macros are activated and the AgentTesla Trojan is dropped onto the compromised device. Once on a device, AgentTesla connects to a command-and-control server to receive further instructions from the scammers. The malware usually installs itself in the AppData folder, which holds settings, files and data for Windows applications. It then tries to load the missing dynamic-link libraries and downloads additional files to exfiltrate the stolen information from the AppData folder.

The scammers try to collect as much data as possible from the devices they compromise. Data that AgentTesla can collect includes configuration data as well as credentials from web browsers, email clients, VPN and FTP software. And because AgentTesla is a remote access trojan, it also exposes the affected devices to other, possibly more damaging, attacks.

While the AgentTesla Trojan has appeared in BEC scams originating from Nigeria, security company Bitdefender said in April that the malware had also been used in a series of attacks targeting the global oil and gas industry. Also in April, researchers at Palo Alto Networks' Unit 42 noticed a significant increase in COVID-19 phishing emails that attempted to deploy the Trojan across a wide range of industries.

Pohackontas, https://www.secnews.gr