COVID-19 , Fraud Management & Cybercrime , Fraud Risk Management

COVID-19 Phishing Scheme Spreads AgentTesla Trojan

Fake Messages Offer Surgical Masks and Other PPE
COVID-19 Phishing Scheme Spreads AgentTesla Trojan
Phishing emails use personal protective equipment, such as surgical masks, as a lure. (Source: Area 1 Security)

A global phishing campaign that purports to offer information about surgical masks and other personal protective equipment for use during the COVID-19 pandemic is infecting victims’ devices with the AgentTesla remote access Trojan, according to researchers at Area 1 Security.

The campaign, which appears to have started in May, uses phishing emails that spoof messages from chemical manufacturers as well as import/export businesses, preying on fears of shortages of face masks and forehead thermometers during the pandemic, according to the report.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The fraudsters apparently are switching their tactics, techniques and procedures every 10 days, tweaking the messages and spoofed domains to avoid detection, according to the report.

These phishing emails appear to have targeted "thousands" of inboxes, although the rate of attack has slowed since Aug. 13, which could mean the fraudsters are taking a break to revamp their strategies once again, says Juliette Cash, a principal threat researcher with Area 1 Security.

"Companies affected by this campaign span the globe, covering numerous industry verticals, including U.S. companies that also happen to be international corporations," Cash tells Information Security Media Group. "In some cases, we've seen the campaign target past and present executives of Fortune 500 companies, including global security directors. Overall, however, we believe the attackers have taken more of a shotgun approach."

The goal of these phishing emails is to infect devices with AgentTesla, a one-time information stealer that has been revamped as a full-fledge remote access Trojan, or RAT. Since the start of the COVID-19 pandemic, this malware has grown popular with fraudsters and cybercriminals because of its ability to avoid detection as well as its low licensing fees on underground forums that make it affordable to rent and deploy (see: Beware: AgentTesla Infostealer Now More Powerful).

Phishing Campaign

The phishing campaign spoofs legitimate companies advertising face masks as well as other medical supplies related to COVID-19. In one instance, the fraudsters imitated Transchem Inc. - a chemical supplier, according to the report. The messages also sometimes use the names of actual employees to add another layer of legitimacy.

During the campaign, the fraudsters rotate IP addresses to help bypass some security protections and also take advantage of misconfigured email authentication protocols such as Domain-based Message Authentication, Reporting and Conformance - or DMARC - as well as the DomainKeys Identified Mail and Sender Policy Framework in order to deliver the malicious messages to inboxes, according to the report.

The phishing emails contain an attached document that is disguised to look like a PDF file and is typically named: "Supplier-Face Mask Forehead Thermometer.pdf.gz," according to the report. If the file is opened and unzipped, macros are enabled and the AgentTesla malware is downloaded to the compromised device.


Once downloaded onto a device, the AgentTesla Trojan will connect with a command-and-control server to receive additional instructions from the fraudsters, according to the report. The malware typically gains access to the AppData folder that contains settings, files and data for Windows applications.

AgentTesla user interface (Source: Area 1 Security)

"The malware will attempt to load missing [Dynamic Link Libraries] and download additional files in order to exfiltrate stolen information from the AppData folder," the report states.

The fraudsters are attempting to harvest as much data as possible from compromised devices, Cash says.

"From our analysis, we concluded that the malware can harvest configuration data as well as credentials from a number of web browsers, email, FTP and VPN clients," Cash says. "However, because the malware is a remote access Trojan, this leaves victim devices open to further, and possibly more damaging, attacks."

Security researchers first spotted AgentTesla in 2014. The Trojan is now available for rent on various underground forums for prices ranging from $12 for a monthly rental to $35 for a six-month lease, according to a report from Sentinal Labs released earlier this month.

While the malware has appeared in business email compromise scams that originate from Nigeria, security firm Bitdefender reported in April that the AgentTesla Trojan has also been used in a series of attacks that targeted the global oil and gas industry (see: Attackers Target Oil and Gas Industry With AgentTesla).

Also in April, researchers at Palo Alto Networks' Unit 42 found an increase in COVID-19-themed phishing emails that attempted to deploy AgentTesla across a wide range of industries (see: Fresh COVID-19 Phishing Scams Try to Spread Malware: Report).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.