FortiGuard Labs recently discovered an email phishing attack that tricks people into downloading a malware loader. The loader’s payloads include OriginBotnet (for keylogging and password recovery), RedLine Clipper (a cryptocurrency stealer), and AgentTesla (to harvest sensitive information).
Modus operandi
The phishing email includes a malicious Word document containing a blurred image and fake reCAPTCHA to lure the recipient into clicking on it, which in turn activates a malicious link embedded in a Word document.
- The malware loader then goes through multiple stages, including decoding resource data, establishing persistence, decrypting a PowerShell command, duplicating files for automatic startup, invoking methods from decrypted DLLs, and triggering the execution of additional files.
- This loader uses a binary padding evasion technique that adds null bytes to make the file look bigger, around 400 MB.
RedLine Clipper
- RedLine Clipper (aka ClipBanker) is specifically designed to steal cryptocurrencies by replacing the user’s system clipboard activities with the wallet address under the control of attackers.
- The stolen cryptocurrencies include Bitcoin Ethereum, Dogecoin, Litecoin, Dashcoin, and Monero.
OriginBotnet
- Upon execution, OriginBotnet scans running processes to determine if it is active within the environment.
- Subsequently, it collects sensitive data, establishes communications with C2 servers, and downloads additional files to execute keylogging and password recovery functions on compromised devices.
- The sensitive data collected contains the victim’s device details such as installed AntiVirus Product, CPU, GPU, country, OS name, and username.
- Besides, the password recovery function executed on compromised systems targets a wide range of browsers and software applications such as Chromium, Yandex, Chrome, Outlook, SmartFTP, FileZilla, FlashFXP, NordVPN, and Discord.
Conclusion
The attack involves a complex chain of events that ultimately causes the execution of three payloads in a series. This demonstrates the sophistication of techniques to evade detection and maintain persistence on compromised systems. To stay safe, it is recommended to deploy a robust email security solution and an IDR to thwart such threats in the initial stage.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0bbd_shutterstock_2129487698.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/88e6_shutterstock_721814395.jpg)
