Check Point analysts have published their Global Threat Index report for April of this year. They note that several spam campaigns built around the coronavirus (COVID-19) theme are distributing a new, improved version of the Agent Tesla Trojan.
In total, it attacked approximately 3% of organizations worldwide.
As we recently wrote, a Group-IB study also placed Agent Tesla at the top of the ranking of malware that actively exploits the COVID-19 theme.
Agent Tesla is an advanced RAT (remote access trojan) that has been known to information security experts since 2014. During this time the malware has been seen, for example, in attacks on oil and gas companies.
The malware is written in .NET and is able to log keystrokes, read the clipboard, take screenshots and extract credentials from various programs installed on the victim's computer (including Google Chrome, Mozilla Firefox and Microsoft Outlook). It can also disable antivirus solutions and processes that try to analyze it, thereby interfering with its own analysis and detection.
“A new version of Agent Tesla has been modified to steal Wi-Fi passwords. Also, the Trojan can extract email credentials from an Outlook client”, say the researchers.
In April 2020, Agent Tesla was observed in several malicious campaigns related to COVID-19. These spam mailings lure victims with supposedly important pandemic information in order to get them to download malicious files.
One of the spam campaigns was allegedly conducted on behalf of the World Health Organization, with subject lines such as “URGENT INFORMATION LETTER: FIRST HUMAN COVID19 VACCINETEST/RESULT UPDATE” (“URGENT NOTIFICATION: FIRST TEST OF VACCINE FROM COVID-19 FOR RESEARCH AND RESEARCH”) reportedly used during the campaign. This once again shows that attackers exploit the latest world news and public fear to make their attacks more effective.
“The spam campaigns with Agent Tesla that we noted throughout April show how well cybercriminals fit into the information agenda and how easily they trick unsuspecting victims”, says Vasily Diaghilev, head of Check Point Software Technologies. “Criminals are now focused on organizing phishing attacks to steal users’ personal and corporate data. Therefore, it is very important for any organization to regularly train its employees, keeping them informed of the latest tools and methods of criminals. Now this is especially true, since most companies have transferred their employees to remote work”.
In the last month, the Dridex banker affected 4% of organizations worldwide, while XMRig and Agent Tesla affected 4% and 3%, respectively. As a result, the top three most active malware families in April 2020 were as follows:
- Dridex — a banking Trojan that infects Windows systems. It is distributed through spam mailings and exploit kits, and uses web-based injection agents to intercept personal data as well as users’ bank card information.
- XMRig — open source software, first discovered in May 2017, used to mine the Monero cryptocurrency.
- Agent Tesla — an advanced Remote Access Trojan (RAT). Agent Tesla has been infecting computers since 2014, acting as a keylogger and password stealer.
In May, the list of the most active mobile threats remained virtually unchanged: the xHelper malware kept first place among the most common mobile threats, followed by AndroidBauts and Lotoor.