HC3 Analyst Note TLP White: PPE-Themed Phishing Campaign Exploits COVID Shortages to Spread Malware

August 27, 2020

A new phishing campaign is using COVID-19 personal protective equipment (PPE)-themed lures to spread Agent Tesla malware. This difficult-to-detect remote access Trojan (RAT) provides attackers with a dashboard to monitor the malware’s keylogging and information-stealing capabilities. The sophisticated malware campaign uses a 10-day cycle of rotated IP addresses and malware hashes to evade detection and increase the chances that a victim downloads and executes the malware. While the attackers have used similar email body text throughout the campaign, the phishing emails imitate employees at actual chemical manufacturing and import/export companies. Organizations should train their employees to avoid opening and executing email attachments and should immediately scan any devices suspected to be infected.
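Because the campaign rotates IP addresses and hashes but keeps similar body text, matching on the message body stays useful after indicator blocklists go stale. The following is an added example, not part of the original note: it compares a blocklist lookup with word-shingle similarity against a known lure. The lure text, message ids, IP addresses (documentation ranges), hash placeholders and the 0.5 threshold are all constructed for illustration.

```python
import re

# Constructed sample data: lure text, message ids, documentation-range IPs and
# hash placeholders are invented for illustration, not campaign indicators.
REFERENCE_LURE = ("Dear Sir, we are a supplier of disposable face masks and forehead "
                  "thermometers. Please find attached our catalogue and price list. "
                  "Kindly confirm your order quantity.")
MESSAGES = [
    {"id": "m1", "src_ip": "192.0.2.10", "sha256": "HASH-PLACEHOLDER-A",
     "body": "Dear Sir/Madam, we are a supplier of disposable face masks and "
             "forehead thermometers. Please find attached our catalogue and price "
             "list. Kindly confirm your order quantity. Regards, Sales Dept"},
    {"id": "m2", "src_ip": "198.51.100.7", "sha256": "HASH-PLACEHOLDER-B",
     "body": "Good day, we are a supplier of disposable face masks and forehead "
             "thermometers. Please find attached our new catalogue and price list. "
             "Kindly confirm your order quantity."},
    {"id": "m3", "src_ip": "203.0.113.5", "sha256": "HASH-PLACEHOLDER-C",
     "body": "Hi team, the quarterly maintenance window is Friday night. Please "
             "save your work and log off before 6 pm."},
]

def shingles(text, k=3):
    """Set of k-word shingles from a lowercased, punctuation-stripped body."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def body_similarity(a, b):
    """Jaccard similarity of the two bodies' shingle sets (0.0 if both empty)."""
    sa, sb = shingles(a), shingles(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0

def indicator_hits(messages, known_ips, known_hashes):
    """Ids of messages whose sender IP or attachment hash is on a blocklist."""
    return [m["id"] for m in messages
            if m["src_ip"] in known_ips or m["sha256"] in known_hashes]

def similar_body_hits(messages, reference, threshold=0.5):
    """Ids of messages whose body resembles the reference lure."""
    return [m["id"] for m in messages
            if body_similarity(reference, m["body"]) >= threshold]

if __name__ == "__main__":
    # Blocklist built from the first-seen message only, as after an initial report.
    print(indicator_hits(MESSAGES, {"192.0.2.10"}, {"HASH-PLACEHOLDER-A"}))
    print(similar_body_hits(MESSAGES, REFERENCE_LURE))
```

The threshold needs tuning against an organization's own legitimate supplier mail before it is used for quarantine decisions.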