There is a recent Agent Tesla phishing campaign themed around COVID-19 vaccination. The body of the email messages take a business-like approach and ask recipients to review an “issue” with vaccination registration. This campaign is spreading the most recent variant of Agent Tesla, a Bitdefender spokesperson told Threatpost. The Agent Tesla RAT has been around for at least seven years, beginning its run mostly as a password-stealer. However, new variants have recently emerged with new modules for better evading detection and improved data theft, and it’s used frequently in phishing campaigns seeking to install other malware and steal not just user credentials but also other sensitive information. “The updated password-stealing capabilities and security-dodging techniques paired with the malware distribution-as-a-service business model have proven highly profitable,” according to the spokesperson. In the current campaign, the malicious attachment turns out to be a .RTF document that exploits the known Microsoft Office vulnerability tracked as CVE-2017-11882, a remote code-execution (RCE) bug stemming from improper memory handling. Once opened, the document downloads and executes Agent Tesla malware.
The best way to protect against phishing campaigns is training and awareness, combined with a good email threat filtering system to keep known threats from reaching employee inboxes. Teaching employees how to spot a phishing email can be a great defense when the automated filtering fails to identify a threat. Identifying suspicious URLs or email addresses or knowing when an attachment may be malicious can prevent an attack brought on by a phishing email. Spelling and grammar errors are also common in phishing scams as are suspicious links and mismatched domain names. If an email claims to be from a reputable company but the email came from a separate domain, it is likely a scam. Phishing often uses pretexts that create a sense of urgency where users will ignore their suspicions and open a malicious document or click on a malicious link. It is best to use endpoint monitoring to find suspicious files that were downloaded and executed. Multi-factor authentication also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack after they have compromised employee passwords. Companies should also utilize a service such as Binary Defense’s Managed Detection and Response service to monitor endpoints for any abnormal activity and identify attacks early before they can cause damage.