
Severity
Medium
Analysis Summary
Researchers have published their analysis of a COVID-19 themed email campaign. The email subject and body relate to the sale of face masks and thermometers, which were in short supply earlier this year. The body includes the company logo and details of a legitimate chemical manufacturer or import/export business. Along with changing the spoofed company, the attackers rotated the sender IP address and attachment hash so that systems matching known malicious indicators would not detect them. Attached to these emails was a GZ archive masquerading as a PDF (the filename carries a double extension, .pdf.gz) that supposedly contains details on ordering face masks. Contained within the archive is an executable file that, upon execution, installs the Agent Tesla RAT. After the initial check-in with the C2 server, it waits to receive commands to execute on the victim host. One of the main functionalities of Agent Tesla is the ability to steal passwords from various applications. Gathered credentials and other sensitive information are then exfiltrated to the C2 server via SMTP.

Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
Filename
- Supplier-Face Mask Forehead Thermometer[.]pdf[.]gz
- Supplier-Face Mask Forehead Thermometer[.]pdf[.]exe
IP
- 209[.]58[.]149[.]65
- 203[.]188[.]252[.]14
- 185[.]66[.]40[.]36
- 50[.]28[.]40[.]153
- 62[.]210[.]83[.]136
- 72[.]32[.]232[.]136
- 95[.]216[.]16[.]146
- 209[.]58[.]149[.]66
- 89[.]33[.]246[.]113
- 178[.]239[.]161[.]164
- 156[.]96[.]47[.]65
- 209[.]58[.]149[.]69
- 95[.]211[.]208[.]50
- 209[.]58[.]149[.]87
- 37[.]48[.]85[.]232
- 208[.]91[.]199[.]224
MD5
- fdfaaf9efb8507262ee9b97324bbb69a
- 64bc654373549584f7e596de24e1d8cc
SHA-256
- b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e
- 53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b
SHA-1
- 846da85a2f2e6e79ebc7ed84b00ed97af513c80f
- 6a39bd3ddaa2c9846e2a4912a80fd718eaee622f
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
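The following is an added example, not code from the advisory or from the researchers it cites, showing how the indicators above can be consumed by a mail-gateway triage script. It refangs the published IPs and filenames, matches the advisory's SHA-256 hashes and sender IPs against constructed gateway log lines (the log format, message IDs, sender addresses and the two all-zero hashes are assumptions for the example, not data from the page), and adds one structural check the summary motivates: a document extension immediately followed by an archive or executable extension, which still fires when the sender IP and attachment hash have been rotated.

```python
import re

# Indicators copied from the advisory above, in the defanged form it publishes them.
ADVISORY_IPS = [
    "209[.]58[.]149[.]65", "203[.]188[.]252[.]14", "185[.]66[.]40[.]36",
    "50[.]28[.]40[.]153", "62[.]210[.]83[.]136", "72[.]32[.]232[.]136",
    "95[.]216[.]16[.]146", "209[.]58[.]149[.]66", "89[.]33[.]246[.]113",
    "178[.]239[.]161[.]164", "156[.]96[.]47[.]65", "209[.]58[.]149[.]69",
    "95[.]211[.]208[.]50", "209[.]58[.]149[.]87", "37[.]48[.]85[.]232",
    "208[.]91[.]199[.]224",
]
ADVISORY_SHA256 = {
    "b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e",
    "53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b",
}
ADVISORY_FILENAMES = {
    "Supplier-Face Mask Forehead Thermometer[.]pdf[.]gz",
    "Supplier-Face Mask Forehead Thermometer[.]pdf[.]exe",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1[.]2[.]3[.]4", "name[.]pdf") back into a matchable string."""
    return indicator.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in ADVISORY_IPS}
KNOWN_FILENAMES = {refang(name).lower() for name in ADVISORY_FILENAMES}

# A document-looking extension immediately followed by an archive or executable one,
# e.g. ".pdf.gz" or ".pdf.exe" as in the attachments described above.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?)\.(exe|scr|gz|zip|rar|7z|iso|js|vbs)$", re.IGNORECASE
)


def is_double_extension(filename: str) -> bool:
    """True when the filename hides an archive/executable behind a document extension."""
    return DOUBLE_EXT_RE.search(filename) is not None


# Assumed gateway log format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def triage_line(line: str) -> list:
    """Return the list of reasons a gateway log line should be flagged (empty if none)."""
    fields = parse_log_line(line)
    name = fields.get("attachment", "")
    reasons = []
    if fields.get("src_ip") in KNOWN_IPS:
        reasons.append("sender IP in advisory")
    if fields.get("sha256", "").lower() in ADVISORY_SHA256:
        reasons.append("attachment hash in advisory")
    if name.lower() in KNOWN_FILENAMES:
        reasons.append("attachment name in advisory")
    if is_double_extension(name):
        reasons.append("document extension followed by archive/executable extension")
    return reasons


def triage(log_text: str) -> list:
    """Return [(msg_id, reasons), ...] for every flagged line in a block of log text."""
    hits = []
    for line in log_text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((parse_log_line(line).get("msg_id", "?"), reasons))
    return hits


# Constructed sample log: m001 is benign, m002 reuses the advisory's IP/hash/filename,
# m003 has a rotated IP and hash and is caught only by the double-extension check.
SAMPLE_LOG = """
2020-04-02T10:15:03Z msg_id=m001 src_ip=203.0.113.7 from=orders@example.invalid subject="Invoice 4471" attachment="invoice-4471.pdf" sha256=0000000000000000000000000000000000000000000000000000000000000001
2020-04-02T10:17:41Z msg_id=m002 src_ip=209.58.149.65 from=sales@example-chem.invalid subject="Supplier-Face Mask Forehead Thermometer" attachment="Supplier-Face Mask Forehead Thermometer.pdf.gz" sha256=b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e
2020-04-02T10:22:09Z msg_id=m003 src_ip=198.51.100.23 from=export@example-trading.invalid subject="Face masks in stock" attachment="pricelist.pdf.exe" sha256=0000000000000000000000000000000000000000000000000000000000000002
"""

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_LOG):
        print(msg_id, "->", "; ".join(reasons))
```

Running it flags m002 on all four checks and m003 only on the double-extension rule, which is the practical point of the summary: once the attackers rotate the sender IP and attachment hash, hash and IP blocklists stop matching, while the masquerading attachment pattern does not change.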