Improved Agent Tesla Spread Through Spam in April

Check Point experts have arranged a Global Threat Index report for April this year. They note that few coronavirus-related spam crusades (COVID-19) are circulating another, changed variant of the Agent Tesla Trojan. Altogether, he assaulted around 3% of associations around the world. 

Agent Tesla is an advanced RAT, that is, a remote access trojan known to information security experts since 2014. The malicious program is written in .Net and is able to track and collect input from the victim’s keyboard, from the clipboard, take screenshots and retrieve credentials related to various programs installed on the victim’s computer (including Google Chrome, Mozilla Firefox and Microsoft Outlook). Malware can disable antivirus solutions and processes that try to analyse it and interfere with its operation. 

Specialists state that the new form of Agent Tesla has been adjusted to take Wi-Fi passwords. Additionally, the trojan can extricate email certifications from an Outlook customer. 

In April 2020, Agent Tesla was often seen in several malicious campaigns related to COVID-19. Such spam mailings try to interest the victim in allegedly important pandemic information, so that they download malicious files. 

One of these campaigns was purportedly sent by the World Health Organisation with the following topics: URGENT INFORMATION LETTER: FIRST HUMAN COVID19 VACCINETEST / RESULT UPDATE –– “URGENT NOTIFICATION: FIRST TEST OF VACCINE FROM COVID-19 FOR RESEARCH AND RESEARCH.” This once again emphasises that hackers use the latest developments in the world and the fear of the population to increase the effectiveness of their attacks. 

“The spam campaigns with Agent Tesla that we watched throughout April show how well cybercriminals fit into the information agenda and how quietly they trick unsuspecting victims,” says Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS. - In Russia, Emotet, RigEK, XMRig were in the top three — criminals are focused on organising phishing attacks to steal users' personal and corporate data. Therefore, it is very important for any organisation to regularly train its employees, regularly informing them of the latest tools and methods of criminals. Now this is especially true, since most of the companies transferred their employees to the remote mode. ” 

This month, Dridex broker influenced 4% of associations around the world, while XMRig and Agent Tesla influenced 4% and 3%, individually. Subsequently, the TOP-3 of the most dynamic malware in April 2020 is as per the following: 

Dridex is a banking Trojan that infects Windows. It is distributed through spam mailings and exploit kits that use web-based agents to intercept personal data, as well as information about users' bank cards. 

XMRig is open source software, first discovered in May 2017. Used for mining cryptocurrency Monero; 

Agent Tesla - Advanced Remote Access Trojan (RAT). AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer. 

The list of the most active malware in Russia, as usual, differs from the world, it includes: 

Emotet  is an advanced self-propagating modular trojan. It was once an ordinary banker, but recently it has been used to spread malware and campaigns. New functionality allows you to send phishing emails containing malicious attachments or links. 

RigEK  –– a set of exploits, contains exploits for Internet Explorer, Flash, Java and Silverlight. The infection begins by redirecting the victim to a landing page containing a Java script that then looks for vulnerabilities and tries to exploit the problem. 

XMRig  is open source software, first discovered in May 2017. Used for mining cryptocurrency Monero.