A new phishing campaign has been detected that is being used to distribute the Agent Tesla Remote Access Trojan (RAT). The phishing campaign was identified by researchers at Bitdefender’s Antispam lab and uses a COVID-19 vaccine lure to trick users into installing the malware.
The Agent Tesla RAT has multiple functions, although it is primarily used to steal passwords and other sensitive information. The latest version of the malware includes new modules that allow it to evade security solutions and exfiltrate sensitive information without being detected.
The messages used to distribute the malware are fairly simple and target business users. They claim there has been a problem with the user's vaccination registration because a previous circular had technical issues with its registration link, and instruct the recipient to open the attached .RTF document to complete the registration process.
The .RTF file contains malicious code that attempts to exploit an old Microsoft Office remote code execution vulnerability tracked as CVE-2017-11882. If the document is opened and the device has not been patched against the vulnerability, Agent Tesla will be downloaded and executed. Once executed, Agent Tesla gathers information from the victim’s system, including stored credentials and other sensitive information, and sends the data to the attackers’ email account via the SMTP protocol.
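To make the attachment check described above concrete, here is a small RTF triage script. It is added to this article as an example and is not part of Bitdefender's research or tooling. It pulls every embedded OLE object out of an RTF attachment, reads the object's class name from the OLE1 header, and flags the Equation Editor class "Equation.3", the component that CVE-2017-11882 lives in (a documented fact about the CVE that the article itself does not state). The sample RTF strings are constructed for the example and carry only object headers, not real payloads; the function names and the suspicious-class list are this example's own choices.

```python
import re
import struct
from typing import Dict, List

# Matches the hex payload that follows an RTF \objdata control word. RTF allows
# the hex to be broken across lines, so whitespace is accepted inside it.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")

# OLE1 object-header layout: version (u32), format id (u32), class-name length
# (u32), then the NUL-terminated class name. Embedded objects use format id 2.
OLE1_VERSION = 0x00000501
OLE1_HEADER = struct.Struct("<III")

# Class names worth blocking on sight. "Equation.3" is the Equation Editor
# control, the component exploited by CVE-2017-11882. This starting set is an
# assumption of the example; extend it to suit your environment.
SUSPICIOUS_CLASSES = {"Equation.3"}


def extract_ole_class_names(rtf: str) -> List[str]:
    """Return the OLE class name of every \\objdata blob found in an RTF string.

    A blob whose OLE1 header does not parse is reported as a marker in angle
    brackets rather than silently dropped: a malformed object is itself a
    signal worth reviewing.
    """
    names: List[str] = []
    for match in OBJDATA_RE.finditer(rtf):
        try:
            raw = bytes.fromhex(re.sub(r"\s+", "", match.group(1)))
        except ValueError:
            names.append("<undecodable objdata>")
            continue
        if len(raw) < OLE1_HEADER.size:
            names.append("<truncated OLE1 header>")
            continue
        version, format_id, name_len = OLE1_HEADER.unpack_from(raw, 0)
        end = OLE1_HEADER.size + name_len
        if version != OLE1_VERSION or format_id not in (1, 2) or end > len(raw):
            names.append("<malformed OLE1 header>")
            continue
        name_bytes = raw[OLE1_HEADER.size:end].split(b"\x00", 1)[0]
        names.append(name_bytes.decode("ascii", errors="replace"))
    return names


def triage_rtf(rtf: str) -> Dict[str, object]:
    """Classify an RTF attachment by the OLE objects it embeds."""
    objects = extract_ole_class_names(rtf)
    flagged = [n for n in objects if n in SUSPICIOUS_CLASSES or n.startswith("<")]
    if flagged:
        verdict = "block"
    elif objects:
        verdict = "review"  # embedded objects are unusual in mail attachments
    else:
        verdict = "clean"   # plain RTF text, no embedded objects
    return {"objects": objects, "flagged": flagged, "verdict": verdict}


# Constructed samples. Each \objdata blob is only an OLE1 header (version,
# format id, class name) followed by zero-length fields; there is no payload.
SAMPLE_BENIGN = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000
080000005061636b61676500000000000000000000000000}}
}"""

SAMPLE_SUSPECT = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000
0b0000004571756174696f6e2e3300000000000000000000000000}}
}"""

SAMPLE_PLAIN = r"{\rtf1\ansi Please complete your registration.}"


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN),
                          ("suspect", SAMPLE_SUSPECT),
                          ("plain", SAMPLE_PLAIN)):
        print(label, triage_rtf(sample))
```

This is a gateway-style first pass, not a full parser: malicious RTFs frequently obfuscate the `\objdata` hex or embed objects in non-standard ways, which is why a blob that fails to parse is treated as a reason to block or review rather than as a pass. For production scanning, use a maintained parser such as the rtfobj tool from oletools and keep the flagged-class list under review.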
According to Bitdefender’s telemetry, the phishing campaign is being conducted globally, although around half of the malicious emails have targeted organizations in South Korea. The emails appear to be targeting countries that are about to undergo an expansion of their vaccination program.
This campaign shows that COVID-19-themed phishing campaigns still pose a threat and are likely to continue until the pandemic is finally brought under control. If basic cybersecurity best practices are followed, the threat can easily be mitigated.
An advanced spam filtering solution should be implemented to block the threat at the email gateway. Security awareness training should also be provided to the workforce to train employees how to identify potentially malicious emails and condition them not to click links in unsolicited emails or open attachments from unknown senders. Businesses should also configure their endpoints not to run macros automatically, and antivirus software should be used on all endpoints and be kept up to date.
Businesses should also ensure that Microsoft Office is patched and kept up to date. According to Bitdefender, CVE-2017-11882 is one of the most commonly exploited vulnerabilities. While the flaw is old, many businesses are slow to update Microsoft Office: Windows vulnerabilities get patched, but Office often does not. Many businesses also continue to use outdated Office versions, including versions that have reached end-of-life and are no longer supported, which makes vulnerabilities such as this one attractive to cybercriminals.