A sophisticated phishing campaign uses a Microsoft Word document lure to distribute a trio of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to collect a wide range of information from compromised Windows machines.
“A phishing email transmits the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to trick the recipient into clicking on it,” said Cara Lin, a researcher at Fortinet FortiGuard Labs.
Clicking on the image results in the delivery of a loader from a remote server which, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for collecting sensitive information.
The loader, written in .NET, uses a technique called binary padding, appending null bytes to inflate the file size to 400 MB in an attempt to evade security software, which commonly skips, truncates, or declines to sandbox files above a size threshold.
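Null-byte padding is cheap to detect if a scanner actually looks at the file rather than refusing it on size. The following Python script is an added example, not code from the Fortinet report or from the loader itself: it builds a small constructed PE32+ sample, appends null padding, then parses the section table to measure the overlay (bytes past the last section) and how much of it is null. The 1 MB and 99% thresholds are assumptions chosen for illustration, not values from the report.

```python
import struct

SECTOR = 0x200  # file alignment used by the constructed sample


def _align(n: int, a: int = SECTOR) -> int:
    return (n + a - 1) & ~(a - 1)


def build_padded_pe(section_data: bytes, padding: int) -> bytes:
    """Constructed sample: a minimal PE32+ with one section and `padding` null bytes appended.

    Only the fields the overlay check reads are meaningful; the rest are zeroed.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xF0  # PE32+ optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x22)
    opt = b"\x0b\x02" + b"\x00" * (size_opt - 2)  # Magic = PE32+, remainder zero
    raw_ptr = _align(len(dos) + 4 + len(coff) + size_opt + 40)
    raw_size = _align(len(section_data))
    # Section entry: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    headers += b"\x00" * (raw_ptr - len(headers))
    body = section_data + b"\x00" * (raw_size - len(section_data))
    return headers + body + b"\x00" * padding


def overlay_stats(pe: bytes) -> dict:
    """Locate the end of the last section from the section table and measure what follows it."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    end_of_sections = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = pe[end_of_sections:]
    return {
        "file_size": len(pe),
        "overlay_size": len(overlay),
        "overlay_null_ratio": overlay.count(0) / len(overlay) if overlay else 0.0,
        "file_null_ratio": pe.count(0) / len(pe),
    }


def looks_null_padded(pe: bytes, min_size: int = 1_000_000, null_ratio: float = 0.99) -> bool:
    """Flag a large, almost entirely null overlay, or a large file that is almost entirely null
    (catches padding placed inside an inflated section rather than after it). Thresholds are assumed."""
    s = overlay_stats(pe)
    big_null_overlay = s["overlay_size"] >= min_size and s["overlay_null_ratio"] >= null_ratio
    big_null_file = s["file_size"] >= min_size and s["file_null_ratio"] >= null_ratio
    return big_null_overlay or big_null_file


if __name__ == "__main__":
    for label, pad in (("clean", 0), ("padded", 2_000_000)):
        sample = build_padded_pe(b"\x90" * 100, pad)
        print(label, overlay_stats(sample), "suspicious" if looks_null_padded(sample) else "ok")
```

A plain large overlay is not by itself suspicious (installers and self-extracting archives carry real data there), which is why the verdict keys on the null ratio. Hashing the file with the overlay stripped also restores a stable hash for samples that differ only in the amount of padding.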
Executing the loader triggers a multi-step process to establish persistence on the host and fetch a dynamic link library (DLL) responsible for releasing the final payloads.
One of them is RedLine Clipper, a .NET executable for stealing cryptocurrency by altering the user’s system clipboard to replace the destination wallet address with one controlled by the attacker.
“To carry out this operation, RedLine Clipper uses the ‘OnClipboardChangeEventHandler’ to regularly monitor clipboard changes and check whether the copied string conforms to the regular expression,” Lin said.
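The same address-matching check a clipper performs can be turned around on the defender's side: if one wallet address is replaced by a different address of the same asset within a fraction of a second of being copied, no human did that. The Python below is an added example, not code from the report or from RedLine Clipper; the clipboard events are a constructed sequence rather than a live capture, and the wallet addresses, the two-second window, and the regular expressions (which cover the common Bitcoin and Ethereum address formats) are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Asset family and address pattern; a real clipper carries a similar table.
WALLET_PATTERNS = {
    "btc": [
        re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),                 # legacy / P2SH (base58)
        re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$"),   # bech32 / bech32m
    ],
    "eth": [re.compile(r"^0x[0-9a-fA-F]{40}$")],
}


def classify_address(text: str):
    """Return the asset family ('btc', 'eth') if the clipboard string is a wallet address, else None."""
    s = text.strip()
    for asset, patterns in WALLET_PATTERNS.items():
        if any(p.match(s) for p in patterns):
            return asset
    return None


def find_clipper_swaps(events, window: timedelta = timedelta(seconds=2)):
    """events: list of (timestamp, clipboard_text) in the order they were observed.

    An alert is raised when two consecutive clipboard values are both addresses of the
    same asset, differ from each other, and the second appeared within `window` of the first.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        a, b = classify_address(before), classify_address(after)
        if a and a == b and before.strip() != after.strip() and (t1 - t0) <= window:
            alerts.append({
                "when": t1,
                "asset": a,
                "original": before.strip(),
                "replacement": after.strip(),
            })
    return alerts


# Constructed sample data: syntactically valid addresses that belong to nobody.
VICTIM_BTC = "1VictimAddrVictimAddrVictimAddrZZ"
ATTACKER_BTC = "1AttackerAddrAttackerAddrAttackAA"
VICTIM_ETH = "0x" + "a1" * 20
ATTACKER_ETH = "0x" + "b2" * 20

_T0 = datetime(2023, 9, 12, 10, 0, 0)
SAMPLE_EVENTS = [
    (_T0, "meeting notes for Tuesday"),                          # ordinary text, ignored
    (_T0 + timedelta(seconds=5), VICTIM_BTC),                    # user copies their own address
    (_T0 + timedelta(seconds=5, milliseconds=200), ATTACKER_BTC),  # swapped 200 ms later: clipper
    (_T0 + timedelta(seconds=60), VICTIM_ETH),
    (_T0 + timedelta(seconds=600), ATTACKER_ETH),                # 9 minutes later: a legitimate new copy
]


if __name__ == "__main__":
    for alert in find_clipper_swaps(SAMPLE_EVENTS):
        print(f"{alert['when']} {alert['asset']}: {alert['original']} -> {alert['replacement']}")
```

On a real endpoint the event list would come from a clipboard listener (for instance a WM_CLIPBOARDUPDATE handler on Windows) or from the EDR's clipboard telemetry; the detection logic itself does not depend on where the events originate.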
Agent Tesla, on the other hand, is a .NET-based remote access trojan (RAT) and data stealer used to gain initial access and exfiltrate sensitive information, such as keystrokes and login credentials saved in web browsers, to a command-and-control (C2) server via the SMTP protocol.
Also delivered is a new malware strain dubbed OriginBotnet, which packs a wide range of functionality to collect data, establish communications with its C2 server, and download additional plugins from the server to carry out keylogging or password recovery on compromised endpoints.
“The PasswordRecovery plugin retrieves and organizes credentials from various browser and software accounts,” Lin said. “It records these results and reports them via HTTP POST requests.”
It is worth noting that in September 2022, Palo Alto Networks Unit 42 detailed a successor to Agent Tesla called OriginLogger, with similar functionality to OriginBotnet, suggesting that both could be the work of the same threat actor.
“This cyberattack campaign … involved a complex chain of events,” Fortinet said. “It started with a malicious Word document distributed via phishing emails, tricking victims into downloading a loader that executed a series of malware payloads. The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems.”