One Word document steals passwords, data, cryptocurrency

Researchers from Fortinet's FortiGuard Labs have uncovered a complex phishing campaign that uses a malicious Word document to spread three different types of malware: Agent Tesla, Originbotnet, and Redline Clipper. These programs are designed to gather various forms of data from Windows computers.

The phishing email carries a Word document as an attachment. The document contains a deliberately blurred image and a fake captcha, both intended to prompt user interaction.

Clicking on the image triggers the delivery of a bootloader from a remote server, which sequentially installs Originbotnet for keystroke monitoring and password theft, Redline Clipper for stealing cryptocurrencies, and Agent Tesla for extracting confidential information.

Interestingly, the bootloader, written in .NET, uses binary padding: it adds empty bytes to increase the file size in order to evade security measures. Running the bootloader starts a multi-stage process that establishes persistence on the infected machine and activates a DLL that is responsible for the final malicious programs:

  • Redline Clipper – designed to steal cryptocurrencies by replacing the wallet address in the clipboard with the attacker’s address.
  • Agent Tesla – an infostealer that operates on the .NET platform. It is primarily used for system infiltration and the theft of sensitive information, ranging from keystrokes to browser account data.
  • Originbotnet – a new malware that demonstrates significant functionality. It is capable of establishing a connection with a C2 server and includes a built-in password recovery plugin that collects and organizes account data from various programs and browsers, sending it to the server through HTTP POST requests.
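
The binary padding described above leaves a measurable trace that a defender can check for. The following Python example is an addition to this article, not code from the Fortinet report: it parses a PE file's section table and flags a large, almost all-zero region after the last section. It assumes the padding is appended after the last section (the article does not say where the empty bytes are placed), and the thresholds and the constructed test buffer are illustrative assumptions.

```python
import struct

def pe_overlay_offset(data: bytes) -> int:
    """File offset where the last section's raw data ends (overlay start)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size                           # first section header
    end = table + 40 * nsections
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def padding_report(data: bytes, min_pad=1 << 20, min_zero_ratio=0.95) -> dict:
    """Flag a large, almost all-zero overlay. Thresholds are assumptions."""
    start = pe_overlay_offset(data)
    overlay = data[start:]
    ratio = overlay.count(0) / len(overlay) if overlay else 0.0
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "zero_ratio": ratio,
        "suspicious": len(overlay) >= min_pad and ratio >= min_zero_ratio,
    }

def build_sample(overlay: bytes) -> bytes:
    """Constructed PE-shaped buffer (headers + one section), not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + sect).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay

if __name__ == "__main__":
    for name, tail in [("padded", b"\0" * (2 << 20)), ("clean", b"")]:
        print(name, padding_report(build_sample(tail)))
```

A high zero ratio matters as much as size: legitimate installers often carry large overlays, but those are normally compressed data rather than runs of empty bytes.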

The Palo Alto Networks Unit 42 team discovered in September 2022 that a successor to Agent Tesla, called Originlogger, shares similar functions with Originbotnet, suggesting the involvement of the same attacker or group.

This newly detected campaign showcases a complex and sophisticated chain of actions, starting from the distribution of the infected Word document and culminating in the activation of the malicious programs. This demonstrates the high level of expertise possessed by the attackers in bypassing security systems and taking control of their victims’ computers.
