Carding
One file delivers three malware families and a lot of problems.
Researchers at Fortinet FortiGuard Labs have identified a sophisticated phishing campaign that uses a Microsoft Word decoy document to spread three different malware families: Agent Tesla, OriginBotnet, and RedLine Clipper. All three can collect a wide range of data from computers running Windows.
The phishing email carries a Word document as an attachment. The document contains a deliberately blurred image with a fake reCAPTCHA overlaid on it, designed to entice the user to click.
Contents of a malicious document
Clicking the image fetches a loader from a remote server. The loader then installs, one after another, OriginBotnet for keylogging and password theft, RedLine Clipper for stealing cryptocurrency, and Agent Tesla for exfiltrating sensitive information.
Interestingly, the loader, which is written in .NET, uses a binary padding technique: it appends "empty" bytes to inflate the file to 400 MB in order to evade security tools. Running the loader starts a multi-stage process that establishes persistence on the infected machine and launches the DLL responsible for deploying the final malware:
- RedLine Clipper: steals cryptocurrency by replacing a wallet address copied to the clipboard with the attacker's address.
- Agent Tesla: a .NET-based infostealer used for initial access and for exfiltrating sensitive information, from keystrokes to web browser credentials.
- OriginBotnet: a new, fully featured malware that establishes communication with a C2 server. Its built-in password recovery plugin (PasswordRecovery) collects and organizes credentials from various applications and browsers and sends them to the server via HTTP POST requests.
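As an added defender-side example (not part of the original post or of Fortinet's research): the binary padding described above leaves a large run of null bytes past the last PE section, which a scanner can measure without executing anything. This Python script parses the PE section table with only the standard library, sizes the overlay, and flags files whose overlay is mostly nulls; the sample PE it builds and the thresholds it uses are constructed assumptions, not values taken from the campaign.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER
COFF_HDR = 20     # size of IMAGE_FILE_HEADER

def pe_data_end(blob: bytes) -> int:
    """Offset just past the last section's raw data (or past the headers if larger)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HDR + opt_size
    end = table + SECTION_HDR * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each section header
        raw_size, raw_ptr = struct.unpack_from("<II", blob, table + SECTION_HDR * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_report(blob: bytes) -> dict:
    """Measure the overlay (bytes past the mapped sections) and its share of null bytes."""
    overlay = blob[pe_data_end(blob):]
    nulls = overlay.count(0)
    return {
        "overlay_bytes": len(overlay),
        "null_fraction": nulls / len(overlay) if overlay else 0.0,
    }

def looks_padded(blob: bytes, min_overlay_bytes: int = 1 << 20,
                 min_null_fraction: float = 0.95) -> bool:
    """Heuristic: a megabyte-scale overlay that is almost entirely nulls is inflation, not data.
    Thresholds are assumed starting points to tune; the campaign's loader reached 400 MB."""
    r = overlay_report(blob)
    return r["overlay_bytes"] >= min_overlay_bytes and r["null_fraction"] >= min_null_fraction

def build_sample(section: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE-shaped file for testing: DOS header, PE signature,
    COFF header with no optional header, one section, then `overlay` appended."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # i386, 1 section, no optional header
    raw_ptr = e_lfanew + 4 + COFF_HDR + SECTION_HDR
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + bytes(16)
    return dos + b"PE\0\0" + coff + sec + section + overlay
```

A real sample would be read with `open(path, "rb").read()` and passed to `looks_padded`; large legitimate installers can carry non-null overlays, so the null-fraction test matters as much as the size test.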
The Palo Alto Networks Unit 42 team found in September 2022 that the successor to Agent Tesla, called OriginLogger, has features similar to OriginBotnet, which may indicate the involvement of the same attacker or group.
The campaign demonstrates a complex, multi-stage chain of actions, starting with the distribution of a weaponized Word document and ending with the execution of the malicious payloads. It highlights the attackers' skill at evading security controls and establishing control over victims' computers.