Palo Alto Networks Unit 42 has detailed the internal workings of a malware referred to as OriginLogger, which has been touted as a successor to the extensively used data stealer and distant entry trojan (RAT) referred to as Agent Tesla.
A .NET primarily based keylogger and distant entry, Agent Tesla has had a long-standing presence within the menace panorama, permitting malicious actors to achieve distant entry to focused programs and beacon delicate data to an actor-controlled area.
Identified for use within the wild since 2014, it is marketed on the market on darkish net boards and is usually distributed by malicious spam emails as an attachment.
In February 2021, cybersecurity agency Sophos disclosed two new variants of the commodity malware (model 2 and three) that featured capabilities to steal credentials from net browsers, e mail apps, and VPN shoppers, in addition to use Telegram API for command-and-control.
Now in response to Unit 42 researcher Jeff White, what has been tagged as AgentTesla model 3 is definitely OriginLogger, which is claimed to have sprung as much as fill the void left by the previous after its operators shut store on March 4, 2019, following authorized troubles.
The cybersecurity agency’s place to begin for the investigation was a YouTube video that was posted in November 2018 detailing its options, resulting in the invention of a malware pattern (“OriginLogger.exe“) that was uploaded to the VirusTotal malware database on Might 17, 2022.
The executable is a builder binary that enables a bought buyer to specify the varieties of knowledge to be captured, together with clipboard, screenshots, and the listing of functions and providers (e.g., browsers, e mail shoppers and so on.) from which the credentials are to be extracted.
Person authentication is achieved by sending a request to an OriginLogger server, which resolves to the domains 0xfd3[.]com and its newer counterpart originpro[.]me primarily based on two builder artifacts compiled on September 6, 2020, and June 29, 2022.
Unit 42 mentioned it was in a position to establish a GitHub profile with the username 0xfd3 that hosted two supply code repositories for stealing passwords from Google Chrome and Microsoft Outlook, each of that are utilized in OrionLogger.
OrionLogger, like Agent Tesla, is delivered through a decoy Microsoft Phrase doc that, when opened, is designed to show a picture of a passport for a German citizen and a bank card, together with quite a few Excel Worksheets embedded into it.
The worksheets, in flip, include a VBA macro that makes use of MSHTA to invoke an HTML web page hosted on a distant server, which, for its half, contains an obfuscated JavaScript code to fetch two encoded binaries hosted on Bitbucket.
The primary of the 2 items of malware is a loader that makes use of the strategy of course of hollowing to inject the second executable, the OrionLogger payload, into the aspnet_compiler.exe course of, a reliable utility to precompile ASP.NET functions.
“The malware makes use of tried and true strategies and contains the flexibility to keylog, steal credentials, take screenshots, obtain further payloads, add your information in a myriad of the way and try to keep away from detection,” White mentioned.
What’s extra, an evaluation of a corpus of over 1,900 samples exhibits that the commonest exfiltration mechanisms for sending the info again to the attacker is through SMTP, FTP, net uploads to the OrionLogger panel, and Telegram with the assistance of 181 distinctive bots.
“Business keyloggers have traditionally catered to much less superior attackers, however as illustrated within the preliminary lure doc analyzed right here, this doesn’t make attackers any much less able to utilizing a number of instruments and providers to obfuscate and make evaluation extra sophisticated,” White additional mentioned.
