Medical Suppliers Targeted With Agent Tesla Infostealer

Researchers at Fortinet have identified a spear phishing campaign targeting medical suppliers with COVID-19-themed emails. The emails contain choppy grammar, but the message is clear enough that an employee might be induced to open the malicious attachment.

“Good Morning!” the email states. “I tried calling earlier but no one was on the phone, so I resulted in getting email contact from your corporate business website....With respect to the global COVID-19 pandemic, we would like to inquire for a quite bulky list of pharmaceuticals and medical devices to cope with current high demand. Please include detailing as organised in Word Document and revert us with shipping and payment terms as well.”

The email used in this campaign contains some glaring typos that may have tipped off observant recipients. The email’s subject line refers to “Medical Sipplies,” and the title of the attachment is “Meducal Inquiry.” The attackers also exhibited poor operational security, allowing Fortinet to tie them to an earlier 419 scam campaign.

Fortinet notes, however, that the attachments deliver the Agent Tesla infostealer, a popular remote access Trojan sold on the black market. The researchers say this highlights a trend in which unsophisticated attackers are able to up their game by purchasing malware from more advanced criminals.

“Since security professionals have been conditioned to spot 419 scams, the individuals behind them have realized that they must evolve in order to expand their reach,” the researchers explain. “Because of the availability and ease of use of commodity malware, we have observed these attackers becoming a little more sophisticated by their use of Agent Tesla, as well as the use of other known commodity tools to make their plans a little less obvious.” A 419 scam is an advance-fee scam, also known as a “Nigerian Prince” scam. The number 419 refers to the section of the Nigerian criminal code that outlaws this particular form of fraud.

“Sipplies” and “Meducal” are obvious misspellings, but it’s worth noting that many phishing emails don’t contain any grammatical errors or misspellings, so employees need to follow some security best practices to avoid falling for these attacks. In addition to implementing technical defenses, Fortinet recommends employee training as an essential layer of defense.

“Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks,” the researchers write. “Employees should also be reminded to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Further, because of its manner of distribution, it is crucial that end users are educated to spot social engineering attacks by training, and through the delivery of impromptu tests via email sent surreptitiously from the security team.”

New-school security awareness training can teach your employees to recognize the warning signs of social engineering, as well as educate them about the various tactics used to install malware.

Fortinet has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
