Phishing emails spread RedLine Clipper and two other strains

September 21, 2023

A new phishing campaign delivers three malware strains in a single infection chain and uses them to steal large amounts of data. According to the reports, it drops OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for stealing sensitive information.

The phishing emails in this operation carry a malicious Word document that displays deliberately blurred images and a fake reCAPTCHA prompt to bait the recipient into interacting with the file. The bait itself is the trap: the attackers embed a malicious link in the document, so a user who clicks to "reveal" the content fetches the malware loader instead.

The loader then works through several stages: decoding data stored in its resources, establishing persistence, decrypting a PowerShell command, copying files to an automatic-startup location, resolving methods from the decrypted DLLs, and finally launching the additional payloads.

The loader also uses a binary padding evasion tactic: it appends null bytes until the file grows to around 400 MB, which pushes it past the upload and scan size limits of many sandboxes and scanners while leaving the executable content unchanged.
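Padding changes the file hash and size but not the code, so a triage script can strip the trailing null run, measure how much of the file is padding, and hash only the real payload so that variants padded to different sizes are recognised as the same loader. The following is an added example (not code from the article or from the campaign's loader); the sample bytes are constructed, the 50% ratio threshold is an assumption, and the padding is scaled down from 400 MB so the script runs instantly.

```python
"""Added example (not from the original article or the campaign's own code):
detect binary padding, where a file is inflated with trailing null bytes so it
exceeds the size limits of sandboxes and AV scanners. The sample input is a
constructed byte string, not a real malware sample."""
import hashlib

# Assumption: flag a file when more than half of it is trailing null padding.
# Legitimate PE files often end with a few alignment nulls, so a ratio is used
# rather than treating any trailing null as suspicious.
PADDING_RATIO_THRESHOLD = 0.50


def trailing_null_count(data: bytes) -> int:
    """Return the length of the run of 0x00 bytes at the end of data.
    Only the trailing run is counted; nulls inside the payload are untouched."""
    stripped = data.rstrip(b"\x00")
    return len(data) - len(stripped)


def analyze_padding(data: bytes) -> dict:
    """Summarise padding: total size, payload size, ratio, verdict, and the
    SHA-256 of the un-padded content (stable across padding lengths)."""
    pad = trailing_null_count(data)
    payload = data[: len(data) - pad]
    total = len(data)
    ratio = pad / total if total else 0.0
    return {
        "total_size": total,
        "payload_size": len(payload),
        "padding_bytes": pad,
        "padding_ratio": ratio,
        "suspicious": ratio >= PADDING_RATIO_THRESHOLD,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }


def same_payload(a: bytes, b: bytes) -> bool:
    """True if two files differ only in the amount of trailing null padding."""
    return analyze_padding(a)["payload_sha256"] == analyze_padding(b)["payload_sha256"]


# Constructed stand-in for a small loader: an MZ header plus fake code bytes
# (none of them null, so the unpadded file has no trailing null run).
FAKE_LOADER = b"MZ" + bytes(range(1, 200)) * 5

# Two "variants" of the same loader padded to different sizes, as the
# campaign's padding would produce (scaled down from ~400 MB).
PADDED_A = FAKE_LOADER + b"\x00" * 8000
PADDED_B = FAKE_LOADER + b"\x00" * 65536


if __name__ == "__main__":
    for name, blob in (("unpadded", FAKE_LOADER), ("padded_A", PADDED_A), ("padded_B", PADDED_B)):
        r = analyze_padding(blob)
        print(f"{name}: {r['total_size']} bytes, {r['padding_bytes']} bytes of null padding "
              f"({r['padding_ratio']:.1%}), suspicious={r['suspicious']}")
    print("padded_A and padded_B share a payload:", same_payload(PADDED_A, PADDED_B))
```

The payload hash is the value worth pivoting on: a whole-file hash of a 400 MB padded sample will not match the next sample the actor pads to a different size, while the hash of the stripped content will.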


RedLine Clipper, OriginBotnet, and Agent Tesla play distinct but complementary roles in the newly discovered campaign.


The actors use RedLine Clipper to steal crypto assets: it watches the system clipboard for copied wallet addresses and silently replaces them with an address the attackers control, so a victim who pastes an address to send funds pays the attackers instead. The cryptocurrencies confirmed to be targeted are Bitcoin, Dogecoin, Dashcoin, Litecoin, Monero, and Ethereum.
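The mechanism is simple enough to show end to end. The following is an added example, not RedLine Clipper's own code: it implements the core clipper logic (classify clipboard text as a wallet address of one of the coin families the article names, then substitute an attacker address of the same family) next to the defensive check that catches it, namely comparing what the user copied with what is about to be pasted. The address regexes are heuristic assumptions that identify an address family without validating checksums, the attacker and victim addresses are constructed placeholders, and the clipboard is simulated as an in-memory list so the example runs offline.

```python
"""Added example (not from the original article or RedLine Clipper's code):
the clipboard-swapping logic of a crypto clipper, and a defensive check that
catches the swap. Address patterns are heuristic assumptions and the clipboard
is simulated in memory so the example runs offline."""
import re

# Heuristic address formats for the coins the article names (assumed patterns,
# good enough to classify an address family, not to validate checksums).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[a-z0-9]{39,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "dogecoin": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "monero": re.compile(r"^4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$"),
    "dash": re.compile(r"^X[a-km-zA-HJ-NP-Z1-9]{33}$"),
}

# Attacker-controlled replacement addresses: constructed placeholders, one per
# coin family, each shaped to match its own pattern above.
ATTACKER_WALLETS = {
    "bitcoin": "1" + "A" * 33,
    "ethereum": "0x" + "ab" * 20,
    "litecoin": "L" + "b" * 30,
    "dogecoin": "D9" + "y" * 32,
    "monero": "48" + "m" * 93,
    "dash": "X" + "q" * 33,
}


def classify(text: str):
    """Return the coin family whose pattern the text matches, or None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def clipper_rewrite(clipboard_text: str) -> str:
    """What the clipper does on every clipboard change: if the content looks
    like a wallet address, replace it with the attacker's address for that coin;
    anything else is passed through untouched so the victim notices nothing."""
    coin = classify(clipboard_text.strip())
    if coin is None:
        return clipboard_text
    return ATTACKER_WALLETS[coin]


def detect_swap(copied: str, pasted: str) -> dict:
    """Defensive check: compare what the user copied with what is about to be
    pasted. A silent change from one wallet address to a different address of
    the same family is the clipper's signature."""
    copied_addr, pasted_addr = copied.strip(), pasted.strip()
    copied_coin, pasted_coin = classify(copied_addr), classify(pasted_addr)
    swapped = (
        copied_coin is not None
        and pasted_coin == copied_coin
        and copied_addr != pasted_addr
    )
    return {"coin": copied_coin, "swapped": swapped}


def simulate(events):
    """Run a constructed sequence of clipboard copies through the clipper and
    the guard; return (coin, copied, pasted) for every swap the guard flagged."""
    flagged = []
    for copied in events:
        pasted = clipper_rewrite(copied)
        result = detect_swap(copied, pasted)
        if result["swapped"]:
            flagged.append((result["coin"], copied, pasted))
    return flagged


# Constructed clipboard history: ordinary text mixed with victim wallet addresses.
CONSTRUCTED_CLIPBOARD_EVENTS = [
    "meeting at 10am",     # plain text, left alone by the clipper
    "bc1q" + "z" * 38,     # bitcoin (bech32)
    "0x" + "12" * 20,      # ethereum
    "hello world",
    "D7" + "x" * 32,       # dogecoin
]


if __name__ == "__main__":
    for coin, copied, pasted in simulate(CONSTRUCTED_CLIPBOARD_EVENTS):
        print(f"{coin}: copied {copied[:12]}... but would paste {pasted[:12]}...")
```

On a real endpoint the same comparison runs against the live clipboard; the point of the example is that the only reliable user-side defence is to check the pasted address against the one copied, because the clipper leaves every non-address clipboard write alone and the swap is invisible until funds move.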

OriginBotnet, for its part, first scans the running processes on the host. It then harvests system information, connects to its command-and-control (C2) server, and downloads additional payloads that run its keylogging and password recovery modules on the infected device.

The data harvested from the victim's device includes the CPU, GPU, country, OS name, username, and the antivirus product installed on the machine.

The password recovery function used in this campaign targets numerous browsers and applications, including Yandex, Chrome, Outlook, FileZilla, FlashFXP, NordVPN, SmartFTP, and Discord.

This operation chains an intricate series of malicious stages that ultimately execute three separate malware payloads. The attack shows how far threat actors will go to evade detection (a padded loader, multi-stage decryption, fileless PowerShell) and to maintain persistence on compromised systems.

Organisations should start with a robust email security solution and a detection and response (IDR) capability to mitigate such threats. Two indicators from this campaign are worth turning into checks: a Word attachment that shows a blurred image with a fake reCAPTCHA prompt is a phishing lure and should be treated as such, and an executable inflated with null bytes to hundreds of megabytes should be scanned on its un-padded content rather than skipped because of its size.
