The Agent Tesla remote access trojan is back with a vengeance, sniffing around the Internet again. This time, its phishing campaign is based on fake alerts about a COVID-19 vaccination schedule.
Researchers at the Bitdefender Antispam Lab say the emails are targeted at individuals who have not yet registered for vaccinations. The recipients are asked to review an “issue” with vaccination registration. The emails contain malicious attachments spreading the latest variant of Agent Tesla, a spokesperson for Bitdefender said.
The Agent Tesla RAT has been used mostly to steal passwords, but it has added new modules for more effective detection evasion and data theft. It has become better at locating and phishing for sensitive information, researchers said.
“The updated password-stealing capabilities and security-dodging techniques paired with the malware distribution-as-a-service business model have proven highly profitable,” according to the Bitdefender spokesperson.
The malicious attachment that has been hitting victims lately is an .RTF document that exploits a known Microsoft Office vulnerability tracked as CVE-2017-11882. Remote attackers can exploit this bug to achieve remote code execution (RCE).
“According to a joint CISA and FBI advisory, CVE-2017-11882 was among the most exploited software vulnerabilities between 2016 and 2019,” according to Bitdefender’s post on Friday. “So it seems that bad actors are still hunting for outdated and unpatched software that can easily be compromised.”
Once opened, the attached document downloads and executes the Agent Tesla malware. Agent Tesla then collects information about the victim's system and hoovers up sensitive data.
Researchers said that the malware sends the victim's credentials over SMTP to an attacker-controlled email account that was registered in advance.