
Multi-stage malware alert spread via fake reCAPTCHA

Security researchers from Fortinet have recently detected a new multi-stage malware campaign that primarily targets Windows systems. The campaign, discovered last August, employs a series of malicious tactics capable of compromising victims' computers in multiple ways.

According to a technical blog post published Monday by Fortinet security expert Cara Lin, the attack begins with a phishing email delivering a Word document as an attachment.

This file contains a deceptive image and a counterfeit reCAPTCHA designed to trick recipients into clicking on it. Once activated, the document triggers an embedded malicious link, setting the stage for the attack to progress.

The initial loader, downloaded from a specific URL, uses a binary padding evasion technique that inflates the file to 400 MB. It then delivers a series of payloads, including OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft and AgentTesla for collecting sensitive information.

A Word document and a fake reCAPTCHA can start a domino effect

Lin explained that each stage of the attack is meticulously orchestrated to maintain persistence and evade detection. The malware uses encryption and decryption techniques, relying on Base64 encoding and the AES-CBC and AES-ECB algorithms to hide its activity.

RedLine Clipper, one of the malicious components, specializes in stealing cryptocurrency by modifying the user's system clipboard to replace wallet addresses with addresses belonging to the attacker. This tactic targets users who copy and paste wallet addresses during transactions, resulting in funds being diverted to the attacker.
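The clipper's signature is that a wallet address the user copied is silently replaced by a different address before it is pasted. The following is an added defender-side example, not code from Fortinet's report or from the malware: it replays a constructed sequence of clipboard events and flags every observed clipboard value that differs from what the user last copied when both values look like wallet addresses. The address patterns and the `user`/`poll` event model are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Loose syntax checks for common wallet address families (assumption: adequate
# for a demo; a production monitor would also verify the address checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the wallet address family `text` resembles, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


@dataclass
class Alert:
    expected: str  # what the user copied
    observed: str  # what the clipboard actually held afterwards


def detect_clipboard_swaps(events):
    """events: list of (source, text); 'user' is text the user copied,
    'poll' is what a monitor later read back from the clipboard.
    An alert is raised when a polled value differs from the last user copy
    and both values look like wallet addresses: the clipper never rewrites
    ordinary text, only addresses."""
    alerts = []
    last_user = None
    for source, text in events:
        if source == "user":
            last_user = text
        elif source == "poll" and last_user is not None:
            if text != last_user and address_kind(text) and address_kind(last_user):
                alerts.append(Alert(expected=last_user, observed=text))
    return alerts


# Constructed sample events: two address swaps, one harmless copy.
SAMPLE_EVENTS = [
    ("user", "hello world"),
    ("poll", "hello world"),
    ("user", "0x" + "1" * 40),
    ("poll", "0x" + "1" * 40),
    ("poll", "0x" + "2" * 40),          # swapped ETH address
    ("user", "bc1q" + "z" * 38),
    ("poll", "bc1q" + "x" * 38),        # swapped bech32 address
]
```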

AgentTesla, another component of the malware, is designed to record the victim's keystrokes, access the clipboard and scan disks for valuable data, all while communicating with a command and control (C2) server.

OriginBotnet, the third component, collects sensitive data and contacts its C2 server, downloading additional files for keylogging and password recovery. It uses encryption techniques to obfuscate its traffic.

Organizations are urged to remain vigilant, strengthen their cybersecurity defenses and educate employees on the dangers of phishing emails to effectively mitigate the risk.
