Palo Alto Networks Unit 42 has detailed the internal workings of a malware referred to as OriginLogger, which has been touted as a successor to the broadly used info stealer and distant entry trojan (RAT) generally known as Agent Tesla.
A .NET primarily based keylogger and distant entry, Agent Tesla has had a long-standing presence within the risk panorama, permitting malicious actors to achieve distant entry to focused techniques and beacon delicate info to an actor-controlled area.
Recognized for use within the wild since 2014, it is marketed on the market on darkish net boards and is mostly distributed via malicious spam emails as an attachment.
In February 2021, cybersecurity agency Sophos disclosed two new variants of the commodity malware (model 2 and three) that featured capabilities to steal credentials from net browsers, e mail apps, and VPN shoppers, in addition to use Telegram API for command-and-control.
Now in line with Unit 42 researcher Jeff White, what has been tagged as AgentTesla model 3 is definitely OriginLogger, which is alleged to have sprung as much as fill the void left by the previous after its operators shut store on March 4, 2019, following authorized troubles.
The cybersecurity agency’s start line for the investigation was a YouTube video that was posted in November 2018 detailing its options, resulting in the invention of a malware pattern (“OriginLogger.exe“) that was uploaded to the VirusTotal malware database on Could 17, 2022.
The executable is a builder binary that permits a bought buyer to specify the varieties of knowledge to be captured, together with clipboard, screenshots, and the checklist of functions and providers (e.g., browsers, e mail shoppers and so on.) from which the credentials are to be extracted.
Person authentication is achieved by sending a request to an OriginLogger server, which resolves to the domains 0xfd3[.]com and its newer counterpart originpro[.]me primarily based on two builder artifacts compiled on September 6, 2020, and June 29, 2022.
Unit 42 stated it was in a position to determine a GitHub profile with the username 0xfd3 that hosted two supply code repositories for stealing passwords from Google Chrome and Microsoft Outlook, each of that are utilized in OrionLogger.
OrionLogger, like Agent Tesla, is delivered by way of a decoy Microsoft Phrase doc that, when opened, is designed to show a picture of a passport for a German citizen and a bank card, together with various Excel Worksheets embedded into it.
The worksheets, in flip, comprise a VBA macro that makes use of MSHTA to invoke an HTML web page hosted on a distant server, which, for its half, consists of an obfuscated JavaScript code to fetch two encoded binaries hosted on Bitbucket.
The primary of the 2 items of malware is a loader that makes use of the strategy of course of hollowing to inject the second executable, the OrionLogger payload, into the aspnet_compiler.exe course of, a legit utility to precompile ASP.NET functions.
“The malware makes use of tried and true strategies and consists of the flexibility to keylog, steal credentials, take screenshots, obtain further payloads, add your knowledge in a myriad of how and try to keep away from detection,” White stated.
What’s extra, an evaluation of a corpus of over 1,900 samples reveals that the most typical exfiltration mechanisms for sending the information again to the attacker is by way of SMTP, FTP, net uploads to the OrionLogger panel, and Telegram with the assistance of 181 distinctive bots.
“Industrial keyloggers have traditionally catered to much less superior attackers, however as illustrated within the preliminary lure doc analyzed right here, this doesn’t make attackers any much less able to utilizing a number of instruments and providers to obfuscate and make evaluation extra sophisticated,” White additional stated.
