A highly sophisticated phishing campaign has emerged, employing an intricately crafted Microsoft Word document as bait to deliver a trio of malicious threats: Agent Tesla, RedLine Clipper, and OriginBotnet.
Researchers from Fortinet FortiGuard Labs have discovered that this campaign begins with phishing emails that include the Word document as an attachment. This document entices recipients with a deliberately blurred image and a counterfeit reCAPTCHA, all designed to encourage them to click.
Upon clicking, a loader is delivered from a remote server, initiating a multi-stage process to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive data.
The loader, written in .NET, employs a technique called binary padding by adding null bytes, expanding the file size to 400 MB, in an attempt to evade detection by security software. Once activated, it establishes persistence on the host and extracts a dynamic-link library (DLL) responsible for deploying the final payloads. Among these payloads is RedLine Clipper, a .NET executable that targets cryptocurrency theft by manipulating the user’s system clipboard to replace destination wallet addresses with those controlled by the attacker.
Agent Tesla, a .NET-based remote access trojan (RAT) and data-stealing tool, is also part of the attack, enabling initial access and exfiltration of sensitive data, including keystrokes and login credentials, to a command-and-control (C2) server via SMTP protocol.
Additionally, the campaign introduces a new malware called OriginBotnet, equipped with a range of features for data collection, communication with its C2 server, and downloading supplementary plugins for keylogging or password recovery.
This multifaceted cyberattack campaign showcases advanced evasion techniques and underscores the need for heightened cybersecurity measures to protect against such threats.
