An unsophisticated campaign has been discovered to be spreading Agent Tesla RAT. It is a phishing campaign that used COVID-19 vaccination schedules as a lure. It focuses on the communications that organizations have with their employees.
Most of the attacks originated from IP addresses in Vietnam. Moreover, a global dispersion of the malspam campaign was observed, in which 50% of the malicious emails were aimed at South Korea.
The messages in emails look like a business email asking the recipients to go over some technical issues presented in the attachment and register for the vaccine.
The malicious attachment is an RTF document that exploits the known Microsoft Office vulnerability identified as CVE-2017-11882, an RCE flaw.
This campaign is spreading the most recent variant of Agent Tesla, which was updated with new modules for better detection evasion and data theft capabilities.
Additional insights
Most of the malicious emails landed in South Korea (50%), followed by 6% in the U.S., 5% each in the Czech Republic and Germany, and 3% each in Italy and the U.K. The campaign had 1,000 hits in Bitdefender’s telemetry.
With 50% of malicious emails targeting South Korea, the attackers are likely to be monitoring local news about the vaccination campaign and anticipated shipment of 14 million doses of vaccine in the country.
This type of tailored approach is a shift away from the broader messaging observed in early pandemic-themed phishing.
Conclusion
The attackers behind this recent campaign are not very sophisticated, however, it shows the success of COVID-19 as a lure. It indicates that existing vaccination campaigns and COVID-19 are being exploited by cybercriminals, and users need to stay alert while receiving emails from unknown senders.