Cyber Security News

OriginBotnet Attacks Windows Machines Using a Weaponized Word Document

A recently discovered cyberattack campaign used a malicious Word document, delivered through phishing emails, to make victims download a loader that then launched a chain of malware payloads.

OriginBotnet, RedLine Clipper, and Agent Tesla were among the payloads delivered. OriginBotnet is used for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for gathering sensitive information.

How OriginBotnet Works

According to FortiGuard Labs, the Word document arrives as an attachment to a phishing email. It contains a fake reCAPTCHA and a deliberately blurred image to lure the recipient into clicking.

Word Document

OriginBotnet is capable of a range of tasks, including gathering sensitive information, communicating with its C2 server, and downloading additional files to perform keylogging or password recovery on infected Windows machines.

On startup, OriginBotnet checks the running processes to see whether another instance is already active on the host. After initialization, it collects key details about the victim's device, including the installed antivirus product, CPU and GPU specifications, country, OS name, and username.

Collecting crucial data about the victim’s device

After gathering system information, the malware connects to the C2 server. Communication is carried out using an HTTP POST request with a parameter named "p". The POST data is encrypted with TripleDES in ECB mode with PKCS7 padding and then Base64-encoded. ECB is a weak choice on the operator's side: identical 8-byte plaintext blocks produce identical ciphertext blocks, which is visible in captured traffic even without the key.
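The following is an added example, not code from the FortiGuard analysis or from the malware itself. It shows how an analyst would handle C2 bodies in the form described above (TripleDES-ECB, PKCS7 padding, Base64): a keyless triage check for proxy or IDS logs, an ECB repeated-block count, and a decoder for use once the key has been recovered from a sample. The 24-byte key, the plaintext layout, the assumption that the body is a URL-encoded form with a single "p" field, and the sample messages are all constructed for the demonstration. TripleDES itself comes from pycryptodome (`pip install pycryptodome`); the padding and triage helpers need only the standard library.

```python
# Added example: decoder and triage helpers for OriginBotnet-style C2 POST bodies
# (3DES-ECB + PKCS7 + Base64). Not the malware's code; key and samples are constructed.
import base64
import binascii
from urllib.parse import parse_qs

BLOCK = 8  # DES / TripleDES block size in bytes


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 1..block bytes, each equal to the pad length (PKCS#7)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding; reject malformed padding rather than guessing."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def extract_p_param(form_body: str) -> str:
    """Pull the 'p' field out of an application/x-www-form-urlencoded body.
    Assumption: the client URL-encodes the Base64 text. If it did not, '+' would
    already have been turned into a space by parse_qs, so restore it."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("p", [""])[0].replace(" ", "+")


def looks_like_3des_ecb_b64(body: str) -> bool:
    """Keyless triage: valid Base64 whose decoded length is a non-zero
    multiple of 8. Cheap enough to run over every POST in a proxy log."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % BLOCK == 0


def ecb_repeated_blocks(body: str) -> int:
    """Count duplicate 8-byte ciphertext blocks: an ECB tell that needs no key."""
    raw = base64.b64decode(body, validate=True)
    blocks = [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]
    return len(blocks) - len(set(blocks))


def encode_c2_body(key: bytes, plaintext: bytes) -> str:
    """Build a body the way the article describes: 3DES-ECB over PKCS7-padded
    plaintext, then Base64. Used here only to produce test traffic."""
    from Crypto.Cipher import DES3  # pip install pycryptodome
    cipher = DES3.new(key, DES3.MODE_ECB)
    return base64.b64encode(cipher.encrypt(pkcs7_pad(plaintext))).decode("ascii")


def decode_c2_body(key: bytes, body: str) -> bytes:
    """Reverse encode_c2_body once the key has been recovered from a sample."""
    from Crypto.Cipher import DES3
    raw = base64.b64decode(body, validate=True)
    cipher = DES3.new(key, DES3.MODE_ECB)
    return pkcs7_unpad(cipher.decrypt(raw))


if __name__ == "__main__":
    # Constructed key and beacon content; a real key comes from the sample.
    key = b"ThisIsA24ByteKeyForDemo!"
    beacon = b"user=alice&av=Defender&cpu=Intel&country=XX"
    body = encode_c2_body(key, beacon)
    form = "p=" + base64.b64encode(body.encode()).decode()  # placeholder form
    print("triage hit:", looks_like_3des_ecb_b64(body))
    print("repeated ECB blocks:", ecb_repeated_blocks(body))
    print("decoded:", decode_c2_body(key, body))
```

The triage check on its own will flag any Base64 blob whose length is a multiple of 8, so it belongs in a pipeline next to the URL and the process that made the request, not as a stand-alone alert. The repeated-block count is the more specific signal: a beacon that contains a repeated field, such as a run of zero bytes or a repeated delimiter, shows up as duplicate ciphertext blocks under ECB, which a CBC or GCM encoder would never produce.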

OriginBotnet then enters a waiting state and parses incoming C2 commands. Supported commands include "downloadexecute", "uninstall", "update", and "load".

In this campaign, two OriginBotnet plugins were observed: Keylogger and PasswordRecovery.

The Keylogger plugin covertly records and logs every keystroke made on the machine and also tracks user activity.

The PasswordRecovery plugin collects and organizes stored login credentials for a number of browsers and software accounts. The results are logged and reported back over HTTP POST requests.

Researchers conclude that the campaign involved a complex, multi-stage chain of events, and that the attack demonstrated sophisticated techniques for evading detection and maintaining persistence on infected devices.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
