Notorious OriginBotnet Attack Windows Machine Using Weaponized Word Document

A recent cyberattack effort was discovered that used a malicious Word document delivered via phishing emails, causing victims to download a loader that launched a succession of malware payloads. 

OriginBotnet, RedLine Clipper, and Agent Tesla were among the payloads used. OriginBotnet is used for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for sensitive information gathering.

Working of OriginBotnet

According to FortiGuard Labs, the Word document is delivered as an attachment in a phishing email, including a fake reCAPTCHA and a purposefully blurred picture to trick the recipient into clicking.

Word Document
Word Document

OriginBotnet is capable of a variety of tasks, including gathering private information, connecting to its C2 server, and downloading extra files to carry out keylogging or password recovery operations on infected Windows machines.

Initially, OriginBotnet checks running processes to see if it is already operating in the environment. Following initialization, it collects crucial data about the victim’s device, including the installed antivirus program, CPU and GPU specifications, country, OS name, and username.

 OriginBotnet
Collecting crucial data about the victim’s device

The malware connects to the C2 server after gathering system information. The communication is carried out using a POST request with the argument “p.” The POST data is encrypted with TripleDES (in ECB mode with PKCS7 padding) and then encoded in Base64 format.

OriginBotnet enters a waiting state before parsing incoming C2 commands. Commands offered include “downloadexecute,” “uninstall,” “update,” and “load.”

Keylogger and PasswordRecovery are two plugins for OriginBotnet that are accessible in this scenario. 

Each keystroke made on a computer is secretly recorded and logged by the Keylogger plugin, which is also meant to keep track of user activity.

The PasswordRecovery plugin collects and arranges the login information for several browser and software accounts. These outcomes are noted and reported via HTTP POST requests.

Hence, according to researchers, the hacking campaign entailed a complicated series of events. The attack showed off clever methods for avoiding detection and keeping persistence on infected devices.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.