The malware known as OriginLogger has recently been dissected in detail by security researchers from Palo Alto Networks Unit 42. It is believed that OriginLogger is destined to replace Agent Tesla, a widely used info-stealer and RAT.
Agent Tesla is a keylogger and remote access tool based on .NET. This malware gives its operators easy remote access to target systems and sends sensitive data to a C2 controlled by the actor.
It has been available for sale on dark web forums since 2014 and is known to have been used in the wild since then. Malicious spam emails with attachments are typically used to distribute this malware.
OriginLogger
The commodity malware (versions 2, 3) was disclosed by cybersecurity firm Sophos in February 2021. These versions featured capabilities to steal credentials from:-
- Web browsers
- Email apps
- VPN clients
- Telegram
A claim is being made that version 3 of Agent Tesla is actually OriginLogger, and that claim is based on some information.
A YouTube video posted in November 2018 detailing its features is the starting point of the cybersecurity firm's investigation.
Consequently, the VirusTotal malware database was searched for a malware sample named OriginLogger.exe that was uploaded on May 17, 2022.
OriginLogger Features
As a builder binary, the executable offers customers the following features as part of its functionality:-
- Multi-Language Support
- 3 Different Delivery: PHP, SMTP, and FTP
- Keylogger
- Colored Log
- Screenshot Logger
- Multi File Binder
- Clipboard Logger
- SmartLogger
- Password Recovery
- Web Panel
- 7/24 Support
- Fake Message
- Autobuy
- Safe and Fast
- Pure Code
- All Windows OS Supported
- UAC Bypass: Win 7/8/10
- Assembly & Icon Option
As part of the authentication process, a request is sent to the OriginLogger server in order to verify the identity of the customer. The request goes to the following domains:-
- 0xfd3[.]com
- originpro[.]me
As a result of the investigation by Unit 42, a GitHub profile with the username 0xfd3 was identified. During the course of the investigation, it was found that this profile hosted two source code repositories, which OriginLogger uses for stealing passwords from the following platforms:-
- Google Chrome
- Microsoft Outlook
A decoy Microsoft Word document is used to deliver OriginLogger to victims, just as Agent Tesla does. The document contains a number of Excel worksheets that are embedded into it.
One of them contains an image of a German citizen's passport, along with one that displays a credit card, and it also contains copies of the passports.
In addition, each of the worksheets contains a VBA macro that calls the HTML page hosted on a remote server as soon as the worksheets are loaded.
In many ways, OriginLogger and Agent Tesla are comparable keyloggers. OriginLogger, however, is a commoditized keylogger.
As explained in the initial lure document, commercial keyloggers tend to cater to less advanced and sophisticated threat actors. A great deal of caution must be applied to commercial keyloggers, in the same manner that one would treat malicious software.
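The delivery pattern described above (a Word document carrying embedded Excel worksheets, each with a VBA macro) can be triaged without opening the file in Office, since both .docx and .xlsm are zip containers. The following script is an added example written for this article, not Unit 42's or the malware author's code; it builds a constructed sample document in memory and lists every embedded workbook that carries a VBA project, handing legacy OLE2 embeddings off for separate inspection.

```python
import io
import zipfile

EMBED_PREFIX = "word/embeddings/"   # where Word stores embedded objects
VBA_PART = "xl/vbaProject.bin"      # macro storage inside an OOXML workbook
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"    # legacy binary (CFB) container header

def scan_docx(docx_bytes: bytes) -> dict:
    """Classify every embedded object in a .docx container.

    Returns zip-based (OOXML) embeddings that contain a VBA project, plus
    legacy OLE2 embeddings this script cannot open (hand those to an OLE
    parser such as oletools rather than treating them as clean).
    """
    result = {"macro_workbooks": [], "opaque_ole": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for name in doc.namelist():
            if not name.startswith(EMBED_PREFIX):
                continue
            blob = doc.read(name)
            if blob.startswith(OLE2_MAGIC):
                result["opaque_ole"].append(name)
            elif blob.startswith(b"PK"):
                try:
                    with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                        if VBA_PART in inner.namelist():
                            result["macro_workbooks"].append(name)
                except zipfile.BadZipFile:
                    pass  # truncated or fake zip: leave for manual review
    return result

def _zip_of(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in parts.items():
            z.writestr(n, d)
    return buf.getvalue()

def build_sample_docx() -> bytes:
    """Constructed sample, not a real lure: a minimal .docx embedding one
    macro-enabled workbook, one clean workbook and one OLE2 blob."""
    macro_xlsm = _zip_of({"[Content_Types].xml": "<Types/>", VBA_PART: b"\x01\x02"})
    clean_xlsx = _zip_of({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
    return _zip_of({
        "word/document.xml": "<w:document/>",
        EMBED_PREFIX + "Microsoft_Excel_Worksheet1.xlsm": macro_xlsm,
        EMBED_PREFIX + "Microsoft_Excel_Worksheet2.xlsx": clean_xlsx,
        EMBED_PREFIX + "oleObject1.bin": OLE2_MAGIC + b"\x00" * 16,
    })

if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

A document whose embedded worksheets all show up under macro_workbooks matches the lure structure described here and is worth quarantining before the macro's remote HTML fetch can run.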